
CN115442097B - Weak password identification method and related equipment - Google Patents


Info

Publication number
CN115442097B
Authority
CN
China
Prior art keywords
target computer
password
computer
net
account information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211028425.4A
Other languages
Chinese (zh)
Other versions
CN115442097A (en
Inventor
刘晓鸣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Abt Networks Co ltd
Original Assignee
Beijing Abt Networks Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Abt Networks Co ltd
Priority to CN202211028425.4A
Publication of CN115442097A
Application granted
Publication of CN115442097B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a weak password identification method, which comprises: identifying the communication protocol of the network to which a target computer belongs; when the communication protocol is the SMB protocol, collecting the login password of the target computer through a traffic collection technology; acquiring the Net-NTLM Hash information corresponding to the login password of the target computer; and determining the password strength of the target computer from a built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer. In this way, traffic is collected from the computers in the domain server, the corresponding Net-NTLM Hash information is obtained from the collected login password information, and the password strength of the target computer is determined according to whether the built-in weak password set matches that Net-NTLM Hash information. This simplifies the data collection operation, allows password strength to be verified offline, reduces the impact on the server during weak password identification, and improves identification efficiency.

Description

Weak password identification method and related equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a weak password identification method and related devices.
Background
A weak password is a password that is easy to crack, and is mostly a simple combination of digits, a digit combination identical to the account, adjacent keys on a keyboard, a common name, and the like. A weak password in the domain server means that the security of the domain server is reduced and the risk of information leakage is greatly increased.
The current weak password identification method needs to export a SAM file from the domain server, generate a weak password hash library using the same algorithm as the domain controller passwords, and perform password detection against that weak password hash library; it also needs to obtain administrator rights.
Disclosure of Invention
The invention provides a weak password identification method, which aims to solve the problems that the current weak password identification method needs to obtain administrator rights and export SAM files from the domain server, so that the detection flow is complex, the operation is cumbersome and the time cost is high.
In a first aspect, the present invention provides a weak password identification method, including:
identifying a communication protocol of a network to which the target computer belongs;
when the communication protocol is the SMB protocol, collecting the login password of the target computer through a traffic collection technology;
acquiring Net-NTLM Hash information corresponding to the login password of the target computer;
and determining the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
Optionally, the method further comprises:
acquiring account information of the target computer;
acquiring a server account robustness list of the network to which the target computer belongs;
when the account information in the server account robustness list includes the account information of the target computer, acquiring the remaining effective time of that account information in the server account robustness list;
and when the remaining effective time is greater than or equal to the preset time, determining that the password strength corresponding to the account information is the password strength of the target computer.
Optionally, the method further comprises:
sending out an alarm message when the login password of the target computer is a weak password.
Optionally, the method further comprises:
when the account information in the server account robustness list does not include the account information of the target computer, determining the remaining effective time of the account information of the target computer based on the password strength of the target computer;
and storing the account information of the target computer, the password strength of the target computer and the remaining effective time of the account information of the target computer in the server account robustness list.
Optionally, the method further comprises:
sending out a prompt message when the communication protocol is not the SMB protocol.
Optionally, the acquiring of the Net-NTLM Hash information corresponding to the login password of the target computer includes:
acquiring version information of the SMB protocol;
based on the version information and the login password of the target computer, acquiring the Net-NTLM Hash information of the login password of the target computer corresponding to the version information.
Optionally, the determining of the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer includes:
storing the Net-NTLM Hash information corresponding to the login password of the target computer;
cracking the Net-NTLM Hash information corresponding to the login password of the target computer with hashcat, based on the built-in weak password set;
and when the cracking succeeds, determining that the login password of the target computer is a weak password.
In a second aspect, the present invention further provides a weak password identification device, including:
an identification module, used for identifying a communication protocol of a network to which the target computer belongs;
an acquisition module, used for collecting the login password of the target computer through a traffic collection technology when the communication protocol is the SMB protocol;
an obtaining module, used for acquiring the Net-NTLM Hash information corresponding to the login password of the target computer;
and a determining module, used for determining the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
In a third aspect, the present invention also provides an electronic device, comprising a memory, a processor, the processor being configured to implement the steps of the weak password identification method according to any one of the first aspects above when executing a computer program stored in the memory.
In a fourth aspect, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the weak password identification method of any of the first aspects.
According to the technical scheme, the embodiment of the application provides a weak password identification method, which comprises: identifying the communication protocol of the network to which a target computer belongs; when the communication protocol is the SMB protocol, collecting the login password of the target computer through a traffic collection technology; acquiring the Net-NTLM Hash information corresponding to the login password of the target computer; and determining the password strength of the target computer from the built-in weak password set and that Net-NTLM Hash information. The current weak password identification method needs to export SAM files from the domain server, generate a weak password hash library using the same algorithm as the domain controller passwords, detect passwords against that library, and obtain administrator rights; the detection flow is complex, the operation is cumbersome and the time cost is high. The weak password hash library is also time-sensitive: after it has been used for a period of time there may be a risk of a low detection success rate, which can in turn affect the security of the domain server. In the embodiment of the application, traffic is collected from the computers in the domain server, the corresponding Net-NTLM Hash information is obtained from the collected login password information, and the password strength of the target computer is determined according to whether the built-in weak password set matches the Net-NTLM Hash information corresponding to the login password of the target computer. Therefore, the data collection operation can be simplified, the password strength can be verified offline, the impact on the server during weak password identification is reduced, and identification efficiency is improved.
Drawings
In order to more clearly illustrate the technical solution of the present application, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic flow chart of a weak password identification method according to an embodiment of the present application;
Fig. 2 is a schematic block diagram of a weak password identification device according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 4 is a schematic block diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the examples below do not represent all embodiments consistent with the application; they are merely examples of systems and methods consistent with aspects of the application as set forth in the claims. In the several embodiments provided here, it should be understood that the disclosed apparatus and method may be implemented in other manners, and the apparatus embodiments described below are merely exemplary.
The weak password identification method provided by the application, as shown in Fig. 1, comprises the following steps:
Step S110, identifying the communication protocol of the network to which the target computer belongs.
Step S120, collecting the login password of the target computer through a traffic collection technology when the communication protocol is the SMB protocol.
The traffic collection technique may be, for example, a sniffer that captures data packets and monitors the status of the network, the data flow, and the information transmitted over the network.
Step S130, acquiring the Net-NTLM Hash information corresponding to the login password of the target computer.
Step S140, determining the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
The built-in weak password set may be set by a manager, or may be a weak password dictionary obtained directly from the internet.
The method collects traffic from the computers in the domain server, obtains the corresponding Net-NTLM Hash information from the collected login password information, and determines the password strength of the target computer according to whether the built-in weak password set matches the Net-NTLM Hash information corresponding to the login password of the target computer. The method can simplify the data collection operation, verify password strength offline, reduce the impact on the server during weak password identification, and improve identification efficiency.
According to some embodiments, the above method further comprises:
acquiring account information of the target computer;
acquiring a server account robustness list of the network to which the target computer belongs;
when the account information in the server account robustness list includes the account information of the target computer, acquiring the remaining effective time of that account information in the server account robustness list;
and when the remaining effective time is greater than or equal to the preset time, determining the password strength corresponding to the account information as the password strength of the target computer.
Illustratively, the server account robustness list includes at least server IP information, operating system information, user name information, weak password condition information, and remaining effective time. The account information of the target computer is account information determined based on the server IP information, the operating system information, and the user name information. The preset time may be set by a manager, may be determined based on a history change period of the server account robustness list, or may be formed by manually importing a SAM file of the server, detecting based on the SAM file, and collecting the detected results.
By matching the account information of the target computer against the server account robustness list of the network to which the target computer belongs, the period for which the strength result of the target computer's login password remains valid can be obtained when the information matches, and the strength of the login password can be determined directly when the current matching time falls within that period, so that the identification operation can be simplified and the identification efficiency improved.
According to some embodiments, the above method further comprises:
sending out an alarm message when the login password of the target computer has a weak password risk.
For example, the alarm message may include the weak password risk condition of the login password, the account information of the target computer, and the time at which the weak password was identified. The alarm message may be sent through mail, syslog, WeChat, etc. Within a preset period after the alarm message is sent, the access function of the target computer can be stopped, and the access function can be restored after the manager finishes upgrading the password.
Sending out an alarm message when the login password of the target computer has a weak password risk can improve the supervision efficiency of management personnel and reduce the security risk of the domain server being intruded.
According to some embodiments, the above method further comprises:
when the account information in the server account robustness list does not include the account information of the target computer, determining the remaining effective time of the account information of the target computer based on the password strength of the target computer;
and storing the account information of the target computer, the password strength of the target computer and the remaining effective time of the account information of the target computer in the server account robustness list.
For example, a mapping table may be established between password strength and the remaining effective time of the account information of the target computer, so that when new account information appears, the remaining effective time for the password strength of the new account can be obtained directly by table lookup.
When the account information in the server account robustness list does not include the account information of the target computer, the remaining effective time of the current password of the target computer can be determined and the server account robustness list updated accordingly, so that the password identification steps can be simplified within that period and the identification efficiency improved.
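The lookup-then-detect flow around the server account robustness list can be sketched as follows. This is an added example, not code from the patent or its assignee; the class and function names, the validity values in the mapping table, the stub detector and the choice to re-run detection when the remaining effective time is below the preset time are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Account information = (server IP, operating system, user name), as in the text.
AccountKey = Tuple[str, str, str]

# Assumed mapping table: password strength -> effective time of the result (seconds).
VALIDITY_SECONDS = {"weak": 1 * 86400, "strong": 30 * 86400}


@dataclass
class Entry:
    strength: str      # "weak" or "strong"
    expires_at: float  # absolute time at which the stored result stops being valid


class RobustnessList:
    """Hypothetical in-memory form of the server account robustness list."""

    def __init__(self, preset_seconds: float, detect: Callable[[AccountKey], str]):
        self.preset_seconds = preset_seconds  # the "preset time" threshold
        self.detect = detect                  # full detection (capture + offline check)
        self.entries: Dict[AccountKey, Entry] = {}

    def password_strength(self, key: AccountKey, now: float) -> Tuple[str, str]:
        """Return (strength, source), where source is 'list' or 'detected'."""
        entry = self.entries.get(key)
        if entry is not None and entry.expires_at - now >= self.preset_seconds:
            # Listed and remaining effective time >= preset time: reuse the result.
            return entry.strength, "list"
        # Not listed (or, by assumption, too close to expiry): detect and store.
        strength = self.detect(key)
        self.entries[key] = Entry(strength, now + VALIDITY_SECONDS[strength])
        return strength, "detected"


def demo() -> Tuple[List[Tuple[str, str]], int]:
    """Three lookups for one constructed account; returns the trace and detector calls."""
    calls: List[AccountKey] = []

    def stub_detect(key: AccountKey) -> str:
        calls.append(key)
        return "weak" if key[2] == "alice" else "strong"

    rl = RobustnessList(preset_seconds=3600, detect=stub_detect)
    alice = ("192.0.2.10", "Windows Server 2019", "alice")  # constructed sample
    t0 = 1_000_000.0
    trace = [
        rl.password_strength(alice, t0),                 # new account: detected, stored
        rl.password_strength(alice, t0 + 3600),          # 23 h left >= 1 h: reused
        rl.password_strength(alice, t0 + 86400 - 1800),  # 30 min left < 1 h: re-detected
    ]
    return trace, len(calls)
```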
According to some embodiments, the above method further comprises:
sending out a prompt message when the communication protocol is not the SMB protocol.
For example, the prompt message may include the communication protocol of the network to which the target computer belongs and the account information of the target computer. The prompt message can be sent through a mail channel, a syslog channel, a WeChat channel and the like.
When the communication protocol is not the SMB protocol, the weak password identification method is not suitable for the target computer, so a prompt message needs to be sent promptly to inform an administrator to identify the strength of the password in other ways as soon as possible, thereby improving the security of the domain server.
According to some embodiments, the obtaining of the Net-NTLM Hash information corresponding to the login password of the target computer includes:
acquiring version information of the SMB protocol;
based on the version information and the login password of the target computer, acquiring the Net-NTLM Hash information of the login password of the target computer corresponding to the version information.
Illustratively, according to the version information of the SMB protocol, the response protocol used in the NTLM authentication process may be determined, and based on the response protocol, the target extraction field of the login password, the format of the Net-NTLM Hash information, and the challenge format may be determined.
For example, when the response protocol is NTLMv2, the target computer sends a request to a server of the network to which it belongs; after receiving the request, the server generates a 16-bit challenge and sends it to the target computer; the target computer encrypts the challenge based on its login password and sends the encrypted challenge to the server as the response for verification. The format of the Net-NTLM Hash is username::domain:challenge:HMAC-MD5:blob, where username is the user name of the target computer, domain is the IP information or host name of the target computer in the data packet, challenge is the NTLM Server Challenge, HMAC-MD5 is the NTProofStr field in the data packet, and blob is the response with the NTProofStr removed (response minus NTProofStr).
Because the Net-NTLM Hash information of the login password of the target computer can be determined accurately from the version information of the SMB protocol, the steps for acquiring the Net-NTLM Hash information are reduced and there is no need to derive Net-NTLM Hash information for every version of the SMB protocol; this simplifies the password identification steps, reduces the complexity of the identification information, and improves the efficiency of password strength identification.
According to some embodiments, the determining of the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer includes:
storing the Net-NTLM Hash information corresponding to the login password of the target computer;
cracking the Net-NTLM Hash information corresponding to the login password of the target computer with hashcat, based on the built-in weak password set;
and when the cracking succeeds, determining the login password of the target computer to be a weak password.
For example, the response protocol in the NTLM authentication process may be determined based on the version information of the SMB protocol, and the hash type specified to hashcat with -m may be determined based on the type of the response protocol. For example, when the response protocol is NTLMv2, the value of -m is 5600. hashcat then runs a password cracking program based on the information in the built-in weak password set, where the password cracking program can comprise merging the information in the built-in weak password set and cracking the Net-NTLM Hash information corresponding to the login password of the target computer.
The method can also obtain the Net-NTLM Hash information corresponding to the built-in weak password set and match the Net-NTLM Hash information corresponding to the login password of the target computer against it; when the match succeeds, the login password of the target computer is determined to be a weak password.
Cracking the Net-NTLM Hash information corresponding to the login password of the target computer offline with hashcat allows password strength to be identified automatically and in batches, which improves the efficiency and practicability of password strength identification.
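The offline check that hashcat mode 5600 performs on a username::domain:challenge:NTProofStr:blob line can be reproduced for audit purposes as below. This is an added example, not code from the patent; the function names, accounts, challenge, blob and weak password set are constructed for illustration, and the server challenge is taken as 8 bytes (16 hex characters), as NTLM defines it.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, since hashlib often lacks it on OpenSSL 3."""
    mask = 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + f(b, c, d) + x[k] + const) & mask
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        state = [(h + v) & mask for h, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntowfv2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5(MD4(UTF-16LE password), UTF-16LE(UPPER(user) + domain))."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntproofstr(password: str, user: str, domain: str,
               challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge + blob)."""
    return hmac.new(ntowfv2(password, user, domain), challenge + blob,
                    hashlib.md5).digest()


def parse_netntlmv2(line: str):
    """Split and validate one username::domain:challenge:NTProofStr:blob line."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected username::domain:challenge:NTProofStr:blob")
    user, _, domain, chal, proof, blob = parts
    if len(chal) != 16 or len(proof) != 32:
        raise ValueError("challenge must be 16 hex chars, NTProofStr 32")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def is_weak(line: str, weak_set) -> bool:
    """True if some entry of the weak password set reproduces the captured NTProofStr."""
    user, domain, chal, proof, blob = parse_netntlmv2(line)
    return any(hmac.compare_digest(ntproofstr(p, user, domain, chal, blob), proof)
               for p in weak_set)


def audit(lines, weak_set) -> dict:
    """Map each account to 'weak' or 'not in weak set' without echoing the password."""
    return {line.split(":", 1)[0]: "weak" if is_weak(line, weak_set) else "not in weak set"
            for line in lines}


def make_line(user, domain, password, challenge, blob) -> str:
    """Build a constructed capture line; stands in for values taken from traffic."""
    proof = ntproofstr(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample data (not from the patent or any real capture).
WEAK_SET = ["123456", "password", "qwerty", "Password1"]
CHALLENGE = bytes.fromhex("1122334455667788")
# Minimal blob: version 0101, reserved, timestamp, client challenge, empty AV list.
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aa" * 8 + "00000000" + "00000000")
SAMPLE_LINES = [
    make_line("alice", "CORP", "Password1", CHALLENGE, BLOB),
    make_line("bob", "CORP", "T7#vq9!Lm2zR", CHALLENGE, BLOB),
]

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_LINES, WEAK_SET).items():
        print(account, verdict)
```

The check needs the user name and domain exactly as they appear in the capture, because both are mixed into the NTLMv2 key before the challenge is processed.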
Fig. 2 is a schematic block diagram of a weak password identification device according to an embodiment of the present application.
The embodiment of the application provides a weak password identification device 200, which comprises:
an identification module 201, configured to identify a communication protocol of a network to which the target computer belongs;
an acquisition module 202, configured to collect the login password of the target computer through a traffic collection technology when the communication protocol is the SMB protocol;
an obtaining module 203, configured to obtain the Net-NTLM Hash information corresponding to the login password of the target computer;
and a determining module 204, configured to determine the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
The weak password identification device 200 can implement each process implemented in the method embodiment of fig. 1, and in order to avoid repetition, a description thereof will be omitted.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
The embodiment of the application provides an electronic device 300, which comprises a memory 310, a processor 320 and a computer program 311 stored in the memory 310 and capable of running on the processor 320, wherein the processor 320 executes the computer program 311 to realize the following steps:
identifying a communication protocol of a network to which the target computer belongs;
when the communication protocol is the SMB protocol, collecting the login password of the target computer through a traffic collection technology;
acquiring the Net-NTLM Hash information corresponding to the login password of the target computer;
and determining the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
In a specific implementation, when the processor 320 executes the computer program 311, any implementation manner of the embodiment corresponding to Fig. 1 may be implemented.
Since the electronic device described in this embodiment is a device for implementing an apparatus in this embodiment of the present application, based on the method described in this embodiment of the present application, those skilled in the art can understand the specific implementation of the electronic device in this embodiment and various modifications thereof, so how the electronic device implements the method in this embodiment of the present application will not be described in detail herein, and as long as those skilled in the art implement the device for implementing the method in this embodiment of the present application, all devices are within the scope of the application to be protected.
Fig. 4 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present application.
The present embodiment provides a computer readable storage medium 400 having stored thereon a computer program 411, which computer program 411 when executed by a processor realizes the steps of:
identifying a communication protocol of a network to which the target computer belongs;
when the communication protocol is the SMB protocol, collecting the login password of the target computer through a traffic collection technology;
acquiring the Net-NTLM Hash information corresponding to the login password of the target computer;
and determining the password strength of the target computer from the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer.
In the foregoing embodiments, each embodiment is described with its own emphasis; for portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Embodiments of the present application also provide a computer program product comprising computer software instructions which, when run on a processing device, cause the processing device to perform a flow in a weak password identification method as in the corresponding embodiment of Fig. 1.
The computer program product described above includes one or more computer instructions. When the above-described computer program instructions are loaded and executed on a computer, the processes or functions described above according to embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, from one website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer readable storage medium may be any available medium that can be stored by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in an actual implementation. For example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection via some interfaces, devices, or units, and may be electrical, mechanical, or of another form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In summary, the foregoing embodiments merely illustrate the technical solution of the present application and do not limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may be modified, or some of their technical features may be replaced by equivalents, and that such modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (8)

1. A method for identifying weak passwords, comprising:
identifying the communication protocol of the network to which the target computer belongs;
in the case where the communication protocol is the SMB protocol, collecting the login password of the target computer through traffic collection technology;
obtaining Net-NTLM Hash information corresponding to the login password of the target computer;
determining the password strength of the target computer through the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer;
obtaining account information of the target computer;
obtaining a server account robustness list of the network to which the target computer belongs;
in a case where the account information in the server account robustness list includes the account information of the target computer, obtaining the remaining validity time of the account information in the server account robustness list;
when the remaining validity time is greater than or equal to the preset time, determining the password strength corresponding to the account information as the password strength of the target computer;
in a case where the account information in the server account robustness list does not include the account information of the target computer, determining the remaining validity time of the account information of the target computer based on the password strength of the target computer;
storing the target computer's account information, the target computer's password strength, and the remaining validity time of the target computer's account information in the server account robustness list.

2. The method according to claim 1, further comprising:
when the login password of the target computer is a weak password, issuing a warning message.

3. The method according to claim 1, further comprising:
when the communication protocol is not the SMB protocol, issuing a prompt message.

4. The method according to claim 1, wherein obtaining Net-NTLM Hash information corresponding to the login password of the target computer comprises:
obtaining version information of the SMB protocol;
based on the version information and the login password of the target computer, acquiring Net-NTLM Hash information of the login password of the target computer corresponding to the version information.

5. The method according to claim 1, wherein determining the password strength of the target computer through the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer comprises:
saving the Net-NTLM Hash information corresponding to the login password of the target computer;
using hashcat to crack the Net-NTLM Hash information corresponding to the login password of the target computer based on the built-in weak password set;
in the case of successful cracking, determining that the login password of the target computer is a weak password.

6. A weak password identification device, comprising:
an identification module, used to identify the communication protocol of the network to which the target computer belongs;
a collection module, used for collecting the login password of the target computer through traffic collection technology when the communication protocol is the SMB protocol;
an acquisition module, used for acquiring Net-NTLM Hash information corresponding to the login password of the target computer;
a determination module, used to determine the password strength of the target computer through the built-in weak password set and the Net-NTLM Hash information corresponding to the login password of the target computer;
obtaining account information of the target computer;
obtaining a server account robustness list of the network to which the target computer belongs;
in a case where the account information in the server account robustness list includes the account information of the target computer, obtaining the remaining validity time of the account information in the server account robustness list;
when the remaining validity time is greater than or equal to the preset time, determining the password strength corresponding to the account information as the password strength of the target computer;
in a case where the account information in the server account robustness list does not include the account information of the target computer, determining the remaining validity time of the account information of the target computer based on the password strength of the target computer;
storing the target computer's account information, the target computer's password strength, and the remaining validity time of the target computer's account information in the server account robustness list.

7. An electronic device comprising a memory and a processor, wherein the processor is used to implement the steps of the weak password identification method as described in any one of claims 1 to 5 when executing a computer program stored in the memory.

8. A computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the steps of the weak password identification method according to any one of claims 1 to 5 are implemented.
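Added example (not part of the patent text and not the applicant's code): a sketch of the server account robustness list logic in the second half of claim 1, showing when a stored verdict is reused and when the dictionary check is run again. Assumptions: the names RobustnessList, PRESET_MIN_REMAINING and VALIDITY_BY_STRENGTH, the concrete durations, the injected check callable standing in for the claim 5 hashcat run, and the choice to re-evaluate an account that is listed but has less than the preset time left (the claims do not state that case).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed values: the claims only speak of a "preset time" and of a validity
# period derived from the password strength; no numbers are given.
PRESET_MIN_REMAINING = 3600  # seconds a stored verdict must still have left
VALIDITY_BY_STRENGTH = {"weak": 24 * 3600, "strong": 7 * 24 * 3600}


@dataclass
class Entry:
    strength: str      # "weak" or "strong"
    expires_at: float  # absolute time at which the stored verdict lapses


class RobustnessList:
    """Hypothetical model of the per-network server account robustness list."""

    def __init__(self, check: Callable[[str], bool],
                 clock: Callable[[], float] = time.time):
        # check(account) returns True when the built-in weak password set
        # recovers the password from the captured Net-NTLM Hash (claim 5).
        self._check = check
        self._clock = clock
        self._entries: Dict[str, Entry] = {}
        self.alerts: List[str] = []  # claim 2: warning for weak passwords

    def remaining(self, account: str) -> Optional[float]:
        """Remaining validity in seconds, or None if the account is not listed."""
        entry = self._entries.get(account)
        return None if entry is None else entry.expires_at - self._clock()

    def strength_of(self, account: str) -> str:
        left = self.remaining(account)
        if left is not None and left >= PRESET_MIN_REMAINING:
            # Listed and still valid: reuse the stored verdict, no new check.
            return self._entries[account].strength
        # Not listed, or (assumption) listed with too little validity left.
        strength = "weak" if self._check(account) else "strong"
        expires_at = self._clock() + VALIDITY_BY_STRENGTH[strength]
        self._entries[account] = Entry(strength, expires_at)
        if strength == "weak":
            # Design choice of this sketch: alert on each fresh evaluation only.
            self.alerts.append(account)
        return strength
```

Giving weak verdicts the shorter validity means a weak account is rechecked sooner after its owner has had a chance to change the password; swap the two durations if the opposite policy is wanted.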

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211028425.4A CN115442097B (en) 2022-08-25 2022-08-25 Weak password identification method and related equipment

Publications (2)

Publication Number Publication Date
CN115442097A CN115442097A (en) 2022-12-06
CN115442097B true CN115442097B (en) 2024-12-17

Family

ID=84244406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211028425.4A Active CN115442097B (en) 2022-08-25 2022-08-25 Weak password identification method and related equipment

Country Status (1)

Country Link
CN (1) CN115442097B (en)

Also Published As

Publication number Publication date
CN115442097A (en) 2022-12-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant