CN114448614A - Weak password detection method, device, system and storage medium - Google Patents

Publication number
CN114448614A
Authority
CN
China
Prior art keywords
password
file
weak password
detection
weak
Legal status
Pending
Application number
CN202111577825.6A
Other languages
Chinese (zh)
Inventor
张钊
辛晨
冯纯刚
高飞
李享
樊志强
Current Assignee
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: (as H04L9/32) using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3236: (as H04L9/32) using cryptographic hash functions
    • H04L9/3239: (as H04L9/32) using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a weak password detection method, device, system and storage medium, wherein the method comprises the following steps: receiving a weak password detection instruction; if the weak password detection instruction is determined to pass legal verification, acquiring the user name of a target user and the corresponding NT LAN Manager (NTLM) hash value from the Security Account Manager (SAM) file; searching for the NTLM hash value in a shared password dictionary, wherein the shared password dictionary stores weak passwords hashed with NTLM; determining a first detection result according to the search result, and outputting the first detection result; if the NTLM hash value is found, the first detection result is that the password of the target user is a weak password; if the NTLM hash value is not found, the first detection result is that the password of the target user is not a weak password. The invention thereby improves the speed of weak password detection.

Description

Weak password detection method, device, system and storage medium
Technical Field
The invention relates to the technical field of computer network security, in particular to a weak password detection method, equipment, a system and a storage medium.
Background
A weak password is generally understood to be a password that is easily guessed by others or broken by cracking tools.
At present, there are two common methods for detecting weak passwords on a Windows system. In the first, a dedicated weak password scanning tool is installed on the user's host; the user runs a scan command, and the tool reads user names and login passwords in turn from a user name dictionary and a password dictionary and exhaustively attempts simulated logins against the Windows system under test. In the second, a weak password detection tool is deployed on a server and attempts simulated logins to the Windows system under test by remote login.
However, a typical password dictionary holds at least tens of thousands of weak passwords, and often hundreds of thousands or even millions. Every weak password in the dictionary must be tried once for each user name, and if the user name dictionary is also large, every combination must be tried, which takes several hours or even longer.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, a system, and a storage medium for detecting a weak password, so as to solve the problem of slow detection speed of the weak password.
According to a first aspect, an embodiment of the present invention provides a weak password detection method, including:
receiving a weak password detection instruction;
if the weak password detection instruction is determined to pass legal verification, acquiring the user name of a target user and the corresponding NT LAN Manager (NTLM) hash value from a Security Account Manager (SAM) file;
searching for the NTLM hash value in a shared password dictionary, wherein the shared password dictionary stores weak passwords hashed with NTLM;
determining a first detection result according to the search result, and outputting the first detection result;
if the NTLM hash value is found, the first detection result is that the password of the target user is a weak password; if the NTLM hash value is not found, the first detection result is that the password of the target user is not a weak password.
In the embodiment of the application, after a weak password detection instruction is received, the user name of a target user and the corresponding NTLM hash value can be acquired from the SAM file, the NTLM hash value is searched for in the shared password dictionary, and the first detection result is determined according to the search result and output. Weak password detection is thus performed on the NTLM hash value, which reduces the detection time to the order of seconds and improves the detection speed.
With reference to the first aspect, in a second implementation manner of the first aspect, the obtaining a user name of a target user and a corresponding NTLM hash value through a SAM file includes:
obtaining a local database (SQLite) file;
judging whether the SAM file is changed or not according to the SQLite file;
and if the SAM file is determined to be changed, clearing the detection result information stored in the SQLite file, re-reading and parsing the changed SAM file, and acquiring the user name of the target user and the corresponding NTLM hash value from the changed SAM file.
In the embodiment of the application, whether the SAM file changes or not can be judged according to the SQLite file, when the SAM file is determined to change, the detection result information stored in the SQLite file can be cleared, the changed SAM file is read and analyzed again, the user name of the target user and the corresponding NTLM hash value are obtained, and then the NTLM hash value is retrieved from the shared password dictionary, so that the dependence on the network is reduced to the maximum extent, and the condition that the detection efficiency is affected due to network abnormity is avoided.
With reference to the second embodiment of the first aspect, in a third embodiment of the first aspect, the method further includes:
and if the SAM file is determined not to be changed and a second detection result for indicating whether the password of the target user is a weak password is not stored in the SQLite file, reading and analyzing the SAM file to obtain the user name of the target user and the corresponding NTLM hash value.
In the embodiment of the application, when it is determined that the SAM file is not changed and the second detection result indicating whether the password of the target user is a weak password is not stored in the SQLite file, the SAM file is read and analyzed to obtain the user name of the target user and the corresponding NTLM hash value, so that the dependency on the network is reduced to the greatest extent, and the situation that the detection efficiency is affected due to network abnormality is avoided.
With reference to the second embodiment of the first aspect or the third embodiment of the first aspect, in a fourth embodiment of the first aspect, the method further includes:
and storing the first detection result into the SQLite file.
In the embodiment of the application, after the password of the target user is determined to be the weak password, the first detection result of the weak password detection can be stored in the SQLite file, and the first detection result can be directly output if the SAM file is not changed in the next weak password detection, so that the efficiency of the weak password detection is further improved.
With reference to the second embodiment of the first aspect, in a fifth embodiment of the first aspect, the method further includes:
and if the SAM file is determined not to be changed and a second detection result for indicating whether the password of the target user is a weak password is stored in the SQLite file, outputting the second detection result.
In the embodiment of the application, when the SAM file is determined not to be changed and the SQLite file stores the second detection result for indicating whether the password of the target user is the weak password, the second detection result can be directly obtained, so that the efficiency of detecting the weak password is improved, and the resource waste is also avoided.
With reference to the second implementation manner of the first aspect, the third implementation manner of the first aspect, or the fifth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, the determining whether the SAM file is changed according to the SQLite file includes:
judging whether the Message-Digest Algorithm 5 (MD5) value and the Secure Hash Algorithm 256 (SHA256) value of the SAM file are changed or not according to the SQLite file;
if the MD5 value and/or the SHA256 value are/is changed, determining that the SAM file is changed;
if neither the MD5 value nor the SHA256 value has changed, then it is determined that the SAM file has not changed.
In the embodiment of the application, whether the SAM file is changed or not can be judged by whether MD5 and SHA256 are changed or not, so that the efficiency of judging whether the SAM file is changed or not can be improved.
With reference to the first aspect, in an embodiment of the first aspect, the method further includes:
and if the weak password detection instruction is determined not to pass legal verification, discarding the weak password detection instruction.
In the embodiment of the application, the weak password detection instruction can be discarded when the weak password detection instruction is determined not to pass legal verification, so that resource waste is avoided, and the resource utilization rate is improved.
According to a second aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, and the processor executing the computer instructions to perform the weak password detection method according to the first aspect or any one of the embodiments of the first aspect.
According to a third aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute the weak password detection method described in the first aspect or any one of the implementation manners of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a weak password detection system, including: an electronic device, a shared password dictionary module, a unified management platform, an information processing module and a socket module;
the electronic device is configured to execute the weak password detection method described in the first aspect or any one of the implementation manners of the first aspect;
the shared password dictionary module is used for storing weak passwords hashed with NTLM;
the unified management platform is used for receiving a weak password detection instruction, displaying a weak password detection result and updating a password dictionary;
the socket module is used for forwarding instructions between the unified management platform and the electronic device;
and the information processing module is used for summarizing and processing the weak password detection result and then sending the weak password detection result to the unified management platform.
Drawings
The features and advantages of the present invention will be more clearly understood by reference to the accompanying drawings, which are illustrative and not to be construed as limiting the invention in any way, and in which:
Fig. 1 shows a method flow diagram of a weak password detection method.
Fig. 2 shows an architecture diagram of a weak password detection system.
Fig. 3 shows another method flow diagram of a weak password detection method.
Fig. 4 shows a schematic structural diagram of an electronic device.
Fig. 5 shows another schematic structural diagram of an electronic device.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Fig. 1 shows a method flowchart of a weak password detection method, which can be used in an electronic device that performs weak password detection, for example a Windows host. As a further example, weak password detection can be carried out at large scale on Windows cloud hosts in public and private clouds, reducing the security problems that weak passwords cause for cloud hosts. As shown in Fig. 1, the weak password detection method includes:
Step 101, receiving a weak password detection instruction.
Step 102, if it is determined that the weak password detection instruction passes legal verification, acquiring the user name of the target user and the corresponding NT LAN Manager (NTLM) hash value from a Security Account Manager (SAM) file.
Specifically, after a weak password detection instruction is received, it is first judged whether the instruction is legitimate. An illegitimate instruction is discarded and the next instruction is awaited in a loop; if the instruction is legitimate, the detection task is executed.
The detection task is executed for the target users. The target users can be all users saved on the Windows host, and there may be one or more of them. For any target user, the user name and the corresponding NTLM hash value can be obtained from the SAM file, the NTLM hash value is then searched for in the shared password dictionary, and the weak password detection result for each target user is determined according to the search result.
Step 103, searching for the NTLM hash value in a shared password dictionary, wherein the shared password dictionary stores weak passwords hashed with NTLM.
Specifically, the shared password dictionary is stored not as text but in a database. The database is deployed as a relational database management system (MySQL) in master mode together with a liveness detection mechanism (keepalive); the information stored in MySQL is the weak passwords hashed with NTLM, and the shared password dictionary is shared by all Windows cloud hosts in the same resource pool.
The NTLM hash value is searched for in the shared password dictionary. If it is found, the password of the target user is a weak password; if it is not found, the password of the target user is not a weak password. Weak password detection is thus performed on the NTLM hash value, which reduces the detection time to the order of seconds and improves the detection speed.
It is worth pointing out that the shared password dictionary is shared by all Windows cloud hosts in the same resource pool; that is, each resource pool is provided with one MySQL master mode and keepalive deployment shared by all hosts in the pool, so that high availability of the shared password dictionary is guaranteed and its maintenance is simplified.
The weak passwords in the shared password dictionary may be set by the user. For example, a user logs in to the unified management platform, enters the password dictionary update functional area, and drags a plaintext password file to the designated area; the content of the password file is transmitted to the shared password dictionary module, hashed with NTLM, and stored in the MySQL cluster of the shared password dictionary module.
Step 104, determining a first detection result according to the search result, and outputting the first detection result. If the NTLM hash value is found, the first detection result is that the password of the target user is a weak password; if the NTLM hash value is not found, the first detection result is that the password of the target user is not a weak password.
In the embodiment of the application, after a weak password detection instruction is received, the user name of a target user and the corresponding NTLM hash value can be acquired from the SAM file and the NTLM hash value is searched for in the shared password dictionary. If the NTLM hash value is found, the password of the target user is determined to be a weak password, and a first detection result indicating this is output. Weak password detection is thus performed on the NTLM hash value, which reduces the detection time to the order of seconds and improves the detection speed.
In an optional embodiment, when the user name and the corresponding NTLM hash value of the target user are obtained through the SAM file in step 102, the following implementation manners may be adopted:
1-1, acquiring a local database (SQLite) file;
1-2, judging whether the SAM file is changed or not according to the SQLite file;
1-3, if the SAM file is determined to be changed, clearing the detection result information stored in the SQLite file, re-reading and analyzing the changed SAM file, and acquiring the user name of the target user and the corresponding NTLM hash value from the changed SAM file.
Specifically, when performing 1-2 above, the following three cases may occur:
Case one: the SAM file has changed.
Case two: the SAM file has not changed, and no second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
Case three: the SAM file has not changed, and a second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
In case one, the detection result information stored in the SQLite file can be cleared, the changed SAM file can be read and parsed again to obtain the user name of the target user and the corresponding NTLM hash value, and the NTLM hash value can then be searched for in the shared password dictionary.
SQLite is a lightweight database. Here it is used to store the detection result information of the weak password detection, together with the Message-Digest Algorithm 5 (MD5) value and the Secure Hash Algorithm 256 (SHA256) value corresponding to the SAM file.
Whether the SAM file is changed or not refers to whether the SAM file required to be used in the weak password detection at this time is the same as the SAM file used in the last weak password detection recorded by the SQLite file. If the two are the same, the two are not changed; if different, a change occurs.
The MD5 value and SHA256 value corresponding to the SAM file may be used to determine whether the SAM file has changed (i.e., updated).
It should be noted that the MD5 algorithm is a cryptographic hash function that generates a 128-bit (16-byte) hash value to ensure the integrity of message transmission. The SHA256 algorithm produces a hash value 256 bits in length.
In the embodiment of the application, whether the SAM file changes or not can be judged according to the SQLite file, when the SAM file is determined to change, the detection result information stored in the SQLite file can be cleared, the changed SAM file is read and analyzed again, the user name of the target user and the corresponding NTLM hash value are obtained, and then the NTLM hash value is retrieved from the shared password dictionary, so that the dependence on the network is reduced to the maximum extent, and the condition that the detection efficiency is affected due to network abnormity is avoided.
In an optional embodiment, the weak password detection method may further include:
and if the SAM file is determined not to be changed and a second detection result for indicating whether the password of the target user is a weak password is not stored in the SQLite file, reading and analyzing the SAM file to obtain the user name of the target user and the corresponding NTLM hash value.
Specifically, when performing 1-2 above, the following three cases may occur:
Case one: the SAM file has changed.
Case two: the SAM file has not changed, and no second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
Case three: the SAM file has not changed, and a second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
In case two, the SAM file also needs to be read and parsed to obtain the user name of the target user and the corresponding NTLM hash value, and the NTLM hash value is then searched for in the shared password dictionary.
In the embodiment of the application, when the SAM file is determined not to be changed and the second detection result for indicating whether the password of the target user is a weak password is not stored in the SQLite file, the SAM file is read and analyzed to obtain the user name of the target user and the corresponding NTLM hash value, so that the dependence on the network is reduced to the maximum extent, and the situation that the detection efficiency is affected due to network abnormality is avoided.
In an optional embodiment, for the first case and the second case, the weak password detection method may further include:
and saving the first detection result into an SQLite file.
Specifically, in addition to saving the first detection result in the SQLite file, the MD5 value and SHA256 value corresponding to the SAM file used in the weak password detection may be saved in the SQLite file, which is used to determine whether the SAM file has changed (i.e., whether an update has occurred) at the time of the next weak password detection.
In the embodiment of the application, after the password of the target user is determined to be the weak password, the first detection result of the weak password detection can be stored in the SQLite file, and the first detection result can be directly output if the SAM file is not changed in the next weak password detection, so that the efficiency of the weak password detection is further improved.
In an optional embodiment, the weak password detection method may further include:
and if the SAM file is determined not to be changed and a second detection result for indicating whether the password of the target user is a weak password is stored in the SQLite file, outputting the second detection result.
Specifically, when performing 1-2 above, the following three cases may occur:
Case one: the SAM file has changed.
Case two: the SAM file has not changed, and no second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
Case three: the SAM file has not changed, and a second detection result indicating whether the password of the target user is a weak password is stored in the SQLite file.
In case three, the second detection result indicating whether the password of the target user is a weak password may be output directly.
In the embodiment of the application, when the SAM file is determined not to be changed and the second detection result for indicating whether the password of the target user is a weak password is stored in the SQLite file, the second detection result can be directly obtained, so that the efficiency of detecting the weak password is improved, and the resource waste is avoided.
In an alternative embodiment, when performing 1-2 above, the following implementations may be adopted, but are not limited to:
judging whether the MD5 value and the SHA256 value of the SAM file are changed or not according to the SQLite file;
if the MD5 value and/or the SHA256 value are/is changed, the SAM file is determined to be changed;
if the MD5 value and the SHA256 value are not changed, the SAM file is determined to be unchanged.
Specifically, each time weak password detection is performed, the MD5 value and the SHA256 value of the SAM file used are recorded in the SQLite file. At the next weak password detection, the MD5 value and the SHA256 value of the SAM file to be used are recalculated, so that whether the SAM file has changed can be determined by comparing the MD5 and SHA256 values of the two detections.
If at least one of the MD5 and SHA256 values differs between the two detections, the SAM file is determined to have changed; if neither the MD5 value nor the SHA256 value differs, the SAM file is determined not to have changed.
In the embodiment of the present application, whether the SAM file is changed or not can be determined by whether the MD5 and the SHA256 are changed or not, so that the efficiency of determining whether the SAM file is changed or not can be improved.
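The three cases and the MD5/SHA256 change check described above, as an added example (not code from the patent or its applicant). The SAM hive is not parsed here: `parse_sam` is a hypothetical callable, the stand-in file format and the hash values are constructed, and an in-memory set stands in for the MySQL shared password dictionary.

```python
import hashlib
import os
import sqlite3
import tempfile


def file_digests(path):
    """Return (md5_hex, sha256_hex) of the file, read in chunks."""
    md5 = hashlib.md5(usedforsecurity=False)  # used for change detection only
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def open_cache(db_path):
    """Open the local SQLite file holding the last digests and results."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS sam_state ("
               "id INTEGER PRIMARY KEY CHECK (id = 1), "
               "md5 TEXT NOT NULL, sha256 TEXT NOT NULL)")
    db.execute("CREATE TABLE IF NOT EXISTS results ("
               "username TEXT PRIMARY KEY, weak INTEGER NOT NULL)")
    db.commit()
    return db


def detect(db, sam_path, parse_sam, weak_hashes):
    """Run one detection pass; return (case, {username: is_weak}).

    parse_sam is a hypothetical callable returning {username: ntlm_hex}.
    weak_hashes stands in for the shared password dictionary.
    """
    current = file_digests(sam_path)
    stored = db.execute(
        "SELECT md5, sha256 FROM sam_state WHERE id = 1").fetchone()
    # Changed if MD5 and/or SHA256 differ; a first run has nothing recorded.
    changed = (stored is None or stored[0] != current[0]
               or stored[1] != current[1])
    if changed:
        case = "changed"                      # case one
    else:
        cached = dict(db.execute("SELECT username, weak FROM results"))
        if cached:                            # case three: reuse the result
            return "cached", {u: bool(w) for u, w in cached.items()}
        case = "unchanged-no-result"          # case two
    accounts = parse_sam(sam_path)
    results = {u: h.lower() in weak_hashes for u, h in accounts.items()}
    with db:  # clear old results, record new digests and results atomically
        db.execute("DELETE FROM results")
        db.execute("INSERT OR REPLACE INTO sam_state (id, md5, sha256) "
                   "VALUES (1, ?, ?)", current)
        db.executemany("INSERT INTO results (username, weak) VALUES (?, ?)",
                       [(u, int(w)) for u, w in results.items()])
    return case, results


# Constructed placeholders, not real NTLM hashes.
WEAK_HASHES = {"a" * 32, "b" * 32}


def parse_standin(path):
    """Parse the constructed 'user:hash' stand-in file (not a real SAM hive)."""
    accounts = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            user, _, ntlm = line.strip().partition(":")
            if user and ntlm:
                accounts[user] = ntlm
    return accounts


def demo():
    """Exercise case one, case three, case two, then case one again."""
    with tempfile.TemporaryDirectory() as tmp:
        sam = os.path.join(tmp, "sam_standin.txt")
        db = open_cache(os.path.join(tmp, "cache.sqlite"))
        with open(sam, "w", encoding="utf-8") as f:
            f.write("alice:" + "a" * 32 + "\nbob:" + "c" * 32 + "\n")
        runs = [detect(db, sam, parse_standin, WEAK_HASHES)]
        runs.append(detect(db, sam, parse_standin, WEAK_HASHES))
        db.execute("DELETE FROM results")     # simulate a missing result
        db.commit()
        runs.append(detect(db, sam, parse_standin, WEAK_HASHES))
        with open(sam, "w", encoding="utf-8") as f:   # alice changes password
            f.write("alice:" + "c" * 32 + "\nbob:" + "c" * 32 + "\n")
        runs.append(detect(db, sam, parse_standin, WEAK_HASHES))
        db.close()
        return runs


if __name__ == "__main__":
    for case, result in demo():
        print(case, result)
```

NTLM hashes are password-equivalent on Windows, so this cache stores only a per-user weak/not-weak flag, and the channel to the shared dictionary needs the same protection as the SAM file itself.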
In an optional embodiment, after performing step 101, the method may further include:
and if the weak password detection instruction is determined not to pass legal verification, discarding the weak password detection instruction.
Specifically, there are many ways to perform legal verification of the weak password detection instruction, and the present invention does not limit which is used.
In the embodiment of the application, the weak password detection instruction can be discarded when the weak password detection instruction is determined not to pass legal verification, so that resource waste is avoided, and the resource utilization rate is improved.
The following describes a specific implementation process of weak password detection by means of two examples.
Example one: a Windows weak password detection system based on cloud services, as shown in Fig. 2. The system comprises an agent detection module, a shared password dictionary module, a unified management platform, an information processing module, a socket module and the like.
1) Agent detection module
The agent detection module is installed in the tenant's Windows host and is used for reading and parsing the SAM file in the Windows system and acquiring the system user names and NTLM hash values from it. After all user information in the system has been acquired, the agent queries the shared password dictionary module for each user in turn; if the current NTLM hash value is found in the shared password dictionary, that user's password is a weak password. After the NTLM hash values of all users have been looked up, the final detection result and the MD5 and SHA256 values of the SAM file are recorded in the local SQLite file. When the detection task is executed again, if the MD5 and SHA256 values of the SAM file have not changed and a detection result exists, that detection result is returned directly without repeating the detection task.
2) Shared password dictionary module
The password dictionary module provides a password dictionary sharing service within the same resource pool. The module is built using a MySQL master mode together with a survival detection mechanism (keepalive). It exposes a uniform access Internet Protocol (IP) address and port to the outside, and stores the weak passwords, encrypted in the NTLM hash manner, in MySQL.
3) Unified management platform
The unified management platform is used for visually managing the cloud hosts under the tenant's name and provides the operations of issuing detection commands, displaying results and updating the password dictionary library.
4) Information processing module
The information processing module collects and processes the detection information of the cloud hosts in the resource pool and stores the processed information in a database, so that the unified management platform can obtain the related data when the WEB side shows the detection information to a user.
5) Socket module
The socket module is a command forwarding module. A user manages the cloud hosts under the account in a unified way through the unified management platform, and when weak password detection is performed on one or more cloud hosts, the socket module is responsible for forwarding the corresponding commands to the corresponding cloud hosts.
Example two: the weak password detection process of the cloud service-based Windows system is shown in fig. 3.
1) A user logs in to the unified management platform, enters the password dictionary update area, and drags a plaintext password file to the designated area. The content of the password file is transmitted to the shared password dictionary module, encrypted in the NTLM hash manner, and stored in the MySQL cluster.
2) After updating the password dictionary, the user designates one or more Windows hosts for system weak password detection.
3) After the agent in the Windows host receives a weak password detection instruction, it first judges whether the instruction is legal. An illegal instruction is discarded and the agent loops waiting for the next instruction; a legal instruction causes the detection task to be executed.
4) When detection is executed, the local SQLite file is read first. If the MD5 and SHA256 values of the system's SAM file are unchanged and a detection result is available, the system user information has not changed, and the last detection result is read and sent directly.
5) If the SAM file has changed, the detection result recorded in the local SQLite file is cleared, the MD5 and SHA256 values of the SAM file are reset, and the SAM file is read and parsed again to obtain all users and their corresponding NTLM hash values. The hash values are looked up in the shared password dictionary one by one to check whether the NTLM hash value of the current user is contained in the password dictionary; if so, the password of the current user is a weak password.
6) After all users have been checked, the detection result is stored in the local SQLite file and sent to the information processing module.
7) The information processing module processes the received detection result and stores it in a database; the unified management platform obtains the information from the database and displays it to the user on its interface.
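The caching logic of steps 4) to 6), as an added example that is not code from the patent. The function names, the table layout and the `parse_accounts` callable (a stand-in for the agent's SAM parser) are assumptions; an in-memory set stands in for the shared MySQL dictionary, and the account file and hash values are constructed placeholders.

```python
import hashlib
import os
import sqlite3
import tempfile


def file_digests(path):
    """Return (md5_hex, sha256_hex) of a file, read in chunks."""
    md5 = hashlib.md5(usedforsecurity=False)  # change detection only
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def open_cache(db_path):
    """Open the agent's local SQLite file (assumed schema)."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS sam_state ("
                 "id INTEGER PRIMARY KEY CHECK (id = 1), md5 TEXT, sha256 TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS results ("
                 "username TEXT PRIMARY KEY, weak INTEGER NOT NULL)")
    return conn


def run_detection(conn, sam_path, parse_accounts, weak_hashes):
    """Return (results, source); source is 'cache' or 'scan'."""
    md5, sha256 = file_digests(sam_path)
    row = conn.execute("SELECT md5, sha256 FROM sam_state WHERE id = 1").fetchone()
    # Step 4: both digests unchanged AND a stored result exists -> reuse it.
    if row is not None and row == (md5, sha256):
        cached = conn.execute("SELECT username, weak FROM results").fetchall()
        if cached:
            return {user: bool(weak) for user, weak in cached}, "cache"
    # Step 5: either digest changed, or nothing stored -> parse and look up.
    results = {user: nt_hash.lower() in weak_hashes
               for user, nt_hash in parse_accounts(sam_path)}
    # Step 6: clear old results, reset the digests, store the new results.
    with conn:
        conn.execute("DELETE FROM results")
        conn.execute("INSERT OR REPLACE INTO sam_state (id, md5, sha256) "
                     "VALUES (1, ?, ?)", (md5, sha256))
        conn.executemany("INSERT INTO results (username, weak) VALUES (?, ?)",
                         [(u, int(w)) for u, w in results.items()])
    return results, "scan"


def parse_stand_in(path):
    """Constructed stand-in parser: one 'username:hash' pair per line."""
    with open(path, encoding="utf-8") as fh:
        return [tuple(line.strip().split(":", 1)) for line in fh if line.strip()]


def demo():
    """Run detection three times: first scan, cache hit, scan after a change."""
    weak_hashes = {"0" * 32, "1" * 32}  # constructed placeholder hash values
    with tempfile.TemporaryDirectory() as tmp:
        sam = os.path.join(tmp, "sam_stand_in.txt")  # not a real SAM hive
        with open(sam, "w", encoding="utf-8") as fh:
            fh.write("alice:" + "0" * 32 + "\nbob:" + "a" * 32 + "\n")
        conn = open_cache(os.path.join(tmp, "agent.sqlite"))
        first = run_detection(conn, sam, parse_stand_in, weak_hashes)
        second = run_detection(conn, sam, parse_stand_in, weak_hashes)
        with open(sam, "w", encoding="utf-8") as fh:  # alice changes her password
            fh.write("alice:" + "b" * 32 + "\nbob:" + "a" * 32 + "\n")
        third = run_detection(conn, sam, parse_stand_in, weak_hashes)
        conn.close()
    return first, second, third


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second run returns the stored result without calling the parser, and the third run rescans because the file digests no longer match the stored ones.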
As can be seen from the above embodiments, the advantages and beneficial effects of the present invention are:
a. Low CPU resource usage: the Windows system weak password detection method provided by the invention does not need to use enumeration, that is, repeated simulated login attempts against the detected host according to a user name dictionary and a password dictionary. Weak password detection is completed with only simple file information extraction and database retrieval operations, which greatly reduces the long-term occupation of CPU resources caused by the traditional weak password detection approach.
b. High detection speed: the method provided by the invention does not try all combinations in the user dictionary and the password dictionary one by one. Instead, it reads and parses the SAM file of the Windows system, extracts the user name information and the corresponding NTLM hash values from it, and then searches whether each NTLM hash value exists in the shared password dictionary library to judge whether the current user has set a weak password. Conventional detection that takes tens of minutes or even hours is thus shortened to the second level.
c. Network independent: the Windows weak password detection method provided by the invention parses the SAM file of the Windows system on the detected host, and looks up the current NTLM hash value by accessing the shared password dictionary library after parsing is finished, which greatly reduces the influence of network abnormality on detection efficiency.
d. Shared password dictionary: in the method provided by the invention, the plaintext passwords are stored in the MySQL cluster after being encrypted in the NTLM hash manner, and each resource pool is provided with one set of MySQL master mode plus keepalive shared by all hosts in the resource pool, which ensures high availability of the password dictionary database and simplifies maintenance of the password dictionary.
Fig. 4 shows a schematic structural diagram of an electronic device. The electronic device may be a device for weak password detection, for example a Windows host. As another example, weak password detection can be performed on large numbers of Windows cloud hosts in public and private clouds, which reduces the cloud host security problems caused by weak passwords. As shown in fig. 4, the electronic device may include:
a receiving module 41, configured to receive a weak password detection instruction;
an obtaining module 42, configured to, if it is determined that the weak password detection instruction passes legal verification, obtain, through a secure account manager SAM file, a user name of a target user and a corresponding password verification NTLM hash value;
a retrieving module 43, configured to retrieve the NTLM hash value from a shared password dictionary, where the shared password dictionary is used to store a weak password encrypted in an NTLM hash manner;
a first output module 44, configured to determine a first detection result according to the search result, and output the first detection result; if the search result is that the NTLM hash value is searched, the first detection result is that the password of the target user is a weak password; if the search result is that the NTLM hash value is not searched, the first detection result indicates that the password of the target user is not a weak password.
In one possible implementation manner, the obtaining module 42 includes:
the first acquisition submodule is used for acquiring an SQLite file of a local database;
the judgment submodule is used for judging whether the SAM file changes or not according to the SQLite file;
and the second acquisition sub-module is used for clearing the detection result information stored in the SQLite file if the SAM file is determined to be changed, re-reading and analyzing the changed SAM file, and acquiring the user name of the target user and the corresponding NTLM hash value from the SAM in the changed SAM file.
In a possible implementation manner, the obtaining module 42 further includes:
and a third obtaining sub-module, configured to, if it is determined that the SAM file is not changed and a second detection result indicating whether the password of the target user is a weak password is not stored in the SQLite file, read and analyze the SAM file to obtain a user name of the target user and a corresponding NTLM hash value.
In one possible implementation manner, the electronic device further includes:
and the storage module is used for storing the first detection result into the SQLite file.
In one possible implementation manner, the electronic device further includes:
and the second output module is used for outputting a second detection result if the SAM file is determined not to be changed and the SQLite file stores the second detection result used for indicating whether the password of the target user is a weak password or not.
In a possible implementation manner, the judgment submodule is specifically configured to:
judging whether the information digest algorithm MD5 value and the secure hash algorithm SHA256 value of the SAM file are changed or not according to the SQLite file;
if the MD5 value and/or the SHA256 value are/is changed, determining that the SAM file is changed;
if neither the MD5 value nor the SHA256 value has changed, then it is determined that the SAM file has not changed.
In one possible implementation manner, the electronic device further includes:
and the discarding module is used for discarding the weak password detection instruction if the weak password detection instruction is determined not to pass legal verification.
It should be noted that the electronic device provided in the embodiment of the present application can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as those of the method embodiment in this embodiment are not repeated herein.
Fig. 5 shows another schematic structural diagram of an electronic device. As shown in fig. 5, the electronic device may include: a processor (processor)510, a communication Interface (Communications Interface)520, a memory (memory)530 and a communication bus 540, wherein the processor 510, the communication Interface 520 and the memory 530 communicate with each other via the communication bus 540. Processor 510 may invoke logic instructions in memory 530 to perform a weak password detection method comprising:
receiving a weak password detection instruction;
if the weak password detection instruction is determined to pass legal verification, acquiring a user name of a target user and a corresponding password verification NTLM hash value through a Secure Account Manager (SAM) file;
searching the NTLM hash value in a shared password dictionary, wherein the shared password dictionary is used for storing the weak password encrypted in an NTLM hash mode;
determining a first detection result according to the retrieval result, and outputting the first detection result;
if the retrieval result is that the NTLM hash value is retrieved, the first detection result is that the password of the target user is a weak password; if the search result is that the NTLM hash value is not searched, the first detection result indicates that the password of the target user is not a weak password.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that the electronic device provided in the embodiment of the present application can implement all the method steps implemented by the above method embodiment, and can achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as those of the method embodiment in this embodiment are not repeated herein.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the weak password detection method provided by the above methods, the method comprising:
receiving a weak password detection instruction;
if the weak password detection instruction is determined to pass legal verification, acquiring a user name of a target user and a corresponding password verification NTLM hash value through a Secure Account Manager (SAM) file;
searching the NTLM hash value in a shared password dictionary, wherein the shared password dictionary is used for storing the weak password encrypted in an NTLM hash mode;
determining a first detection result according to the retrieval result, and outputting the first detection result;
if the search result is that the NTLM hash value is searched, the first detection result is that the password of the target user is a weak password; if the search result is that the NTLM hash value is not searched, the first detection result indicates that the password of the target user is not a weak password.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the weak password detection methods provided above, the method comprising:
receiving a weak password detection instruction;
if the weak password detection instruction is determined to pass legal verification, acquiring a user name of a target user and a corresponding password verification NTLM hash value through a Secure Account Manager (SAM) file;
searching the NTLM hash value in a shared password dictionary, wherein the shared password dictionary is used for storing the weak password encrypted in an NTLM hash mode;
determining a first detection result according to the retrieval result, and outputting the first detection result;
if the search result is that the NTLM hash value is searched, the first detection result is that the password of the target user is a weak password; if the search result is that the NTLM hash value is not searched, the first detection result indicates that the password of the target user is not a weak password.
In another aspect, the present invention further provides a weak password detection system, including: an electronic device (such as a cloud host in fig. 2), a shared password dictionary module (such as the shared password dictionary module in fig. 2), a unified management platform (such as the unified management platform in fig. 2), an information processing module (such as the information processing module in fig. 2), and a socket module (such as the socket module in fig. 2);
the electronic equipment is used for executing the weak password detection method in the embodiment;
the shared password dictionary module is used for storing the weak password encrypted in the NTLM hash mode;
the unified management platform is used for receiving a weak password detection instruction, displaying a weak password detection result and updating a password dictionary;
the socket module is used for forwarding instructions between the unified management platform and the electronic equipment;
and the information processing module is used for summarizing and processing the weak password detection result and then sending the weak password detection result to the unified management platform.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A weak password detection method, comprising:
receiving a weak password detection instruction;
if the weak password detection instruction is determined to pass legal verification, acquiring a user name of a target user and a corresponding password verification NTLM hash value through a Secure Account Manager (SAM) file;
searching the NTLM hash value in a shared password dictionary, wherein the shared password dictionary is used for storing the weak password encrypted in an NTLM hash mode;
determining a first detection result according to the retrieval result, and outputting the first detection result;
if the search result is that the NTLM hash value is searched, the first detection result is that the password of the target user is a weak password; if the search result is that the NTLM hash value is not searched, the first detection result indicates that the password of the target user is not a weak password.
2. The method according to claim 1, wherein the obtaining the user name and the corresponding NTLM hash value of the target user through the SAM file comprises:
obtaining an SQLite file of a local database;
judging whether the SAM file is changed or not according to the SQLite file;
and if the SAM file is determined to be changed, clearing the detection result information stored in the SQLite file, re-reading and analyzing the changed SAM file, and acquiring the user name of the target user and the corresponding NTLM hash value from the SAM in the changed SAM file.
3. The method of claim 2, further comprising:
and if the SAM file is determined not to be changed and a second detection result for indicating whether the password of the target user is a weak password is not stored in the SQLite file, reading and analyzing the SAM file to obtain the user name of the target user and the corresponding NTLM hash value.
4. The method of claim 2 or 3, further comprising:
and storing the first detection result into the SQLite file.
5. The method of claim 2, further comprising:
and if the SAM file is determined not to be changed and a second detection result used for indicating whether the password of the target user is a weak password is stored in the SQLite file, outputting the second detection result.
6. The method according to claim 2, 3 or 5, wherein the determining whether the SAM file is changed according to the SQLite file comprises:
judging whether the information digest algorithm MD5 value and the secure hash algorithm SHA256 value of the SAM file are changed or not according to the SQLite file;
if the MD5 value and/or the SHA256 value are/is changed, determining that the SAM file is changed;
if neither the MD5 value nor the SHA256 value has changed, then it is determined that the SAM file has not changed.
7. The method of claim 1, further comprising:
and if the weak password detection instruction is determined not to pass legal verification, discarding the weak password detection instruction.
8. An electronic device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the weak password detection method of any one of claims 1 to 7.
9. A weak password detection system, the system comprising: electronic equipment, a shared password dictionary module, a unified management platform, an information processing module and a socket module;
wherein the electronic device is configured to perform the weak password detection method of any one of claims 1 to 7;
the shared password dictionary module is used for storing the weak password encrypted in the NTLM hash mode;
the unified management platform is used for receiving a weak password detection instruction, displaying a weak password detection result and updating a password dictionary;
the socket module is used for forwarding instructions between the unified management platform and the electronic equipment;
and the information processing module is used for summarizing and processing the weak password detection result and then sending the weak password detection result to the unified management platform.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the weak password detection method of any one of claims 1 to 7.
CN202111577825.6A 2021-12-22 2021-12-22 Weak password detection method, device, system and storage medium Pending CN114448614A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111577825.6A CN114448614A (en) 2021-12-22 2021-12-22 Weak password detection method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN114448614A true CN114448614A (en) 2022-05-06

Family

ID=81363566

Country Status (1)

Country Link
CN (1) CN114448614A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination