Privilege Escalation in Penetration Testing: Escalation via Packet Capture, Sniffing and Related Techniques
I. Packet Capture and Sniffing
1. Windows
• Wireshark
• OmniPeek
- Download (official site): https://www.liveaction.com/
- OmniPeek User Guide: https://mypeek.liveaction.com/elements/mypeek_documentation/manuals/OmniPeek_UserGuide.pdf
• CommView (mainly used on older XP systems)
• SniffPass
- Download: https://www.nirsoft.net/toolsdownload/sniffpass.zip
- Installing an FTP server on Kali: https://www.cnblogs.com/z9m8r8/articles/15864297.html
- Start the FTP service: service pure-ftpd start
2. Linux
• Tcpdump
• Wireshark
• Dsniff
- Similar to SniffPass; install it with: apt-get install dsniff
Example:
root@kali:~# dsniff -h
Version: 2.4
Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen]
              [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
root@kali:~# dsniff -i eth0
dsniff: listening on eth0
-----------------
02/14/22 01:17:19 tcp 10.10.10.131.1071 -> kali.21 (ftp)
USER anonymous
PASS IEUser@

-----------------
02/14/22 01:17:25 tcp 10.10.10.131.1072 -> kali.21 (ftp)
USER anonymous
PASS IEUser@

-----------------
02/14/22 01:18:55 tcp 10.10.10.131.1074 -> kali.21 (ftp)
USER user
PASS 123456
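The dsniff output above works because FTP sends USER and PASS as plain text. The following Python is an added example (not code from the original post or from dsniff) that reproduces that parsing step from the defender's side: it walks constructed FTP flows modelled on the capture above, reports each cleartext login, and records only the password length so the alert itself never stores the secret. The flow record layout and the port-21 heuristic are assumptions.

```python
from dataclasses import dataclass

# Constructed sample flows modelled on the dsniff output above; they are not
# real captures. Each record is one client->server TCP payload.
SAMPLE_FLOWS = [
    {"ts": "02/14/22 01:17:19", "src": "10.10.10.131:1071", "dst": "kali:21",
     "payload": b"USER anonymous\r\nPASS IEUser@\r\nSYST\r\n"},
    {"ts": "02/14/22 01:18:55", "src": "10.10.10.131:1074", "dst": "kali:21",
     "payload": b"USER user\r\nPASS 123456\r\n"},
    {"ts": "02/14/22 01:19:10", "src": "10.10.10.131:1080", "dst": "kali:443",
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"},  # TLS ClientHello: nothing readable
    {"ts": "02/14/22 01:19:30", "src": "10.10.10.131:1081", "dst": "kali:21",
     "payload": b"PASS orphan\r\n"},  # PASS with no preceding USER: not a login
]

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    user: str
    password_len: int  # record only the length, never the secret itself

def parse_ftp_login(payload: bytes):
    """Pair a USER command with the PASS that follows it; None if incomplete."""
    user = None
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.decode("ascii", "replace")
        elif verb.upper() == b"PASS" and user is not None:
            return user, arg
    return None

def detect_cleartext_ftp(flows):
    """Flag every flow to port 21 that carries a complete cleartext login."""
    alerts = []
    for f in flows:
        if not f["dst"].endswith(":21"):  # assumption: FTP control channel on 21
            continue
        login = parse_ftp_login(f["payload"])
        if login:
            alerts.append(Alert(f["ts"], f["src"], f["dst"], login[0], len(login[1])))
    return alerts

def format_alert(a: Alert) -> str:
    return (f"{a.ts} cleartext FTP login {a.src} -> {a.dst} "
            f"user={a.user!r} password=<{a.password_len} chars, redacted>")
```

Running detect_cleartext_ftp(SAMPLE_FLOWS) yields two alerts; the TLS flow and the orphaned PASS produce none, which is exactly why moving the service to FTPS/SFTP removes what a sniffer can read.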
II. Keylogging
1. Keylogger
See: https://www.cnblogs.com/z9m8r8/articles/15864297.html
2. Trojan-based theft
Example (using DarkComet-RAT-5.3.1)
e.g. remote desktop:
III. Locally Cached Passwords
1. Passwords cached by browsers
• Internet Explorer
• Firefox (Edit -> Preferences)
Example:
2. Network passwords
3. Wireless passwords
4. Password recovery tools
Tool collection: https://www.nirsoft.net/password_recovery_tools.html
5. Dumping the SAM
• Pwdump (can be run against a remote host; pass the target IP, username, etc. as parameters)
• /usr/share/windows-binaries/fgdump/
help:
C:\>PwDump.exe -h
pwdump6 Version 2.0.0-beta-2 by fizzgig and the mighty group at foofus.net
** THIS IS A BETA VERSION! YOU HAVE BEEN WARNED. **
Copyright 2009 foofus.net

This program is free software under the GNU
General Public License Version 2 (GNU GPL), you can redistribute it and/or
modify it under the terms of the GNU GPL, as published by the Free Software
Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS
PROGRAM. Please see the COPYING file included with this program
and the GNU GPL for further details.

Usage: PwDump.exe [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName
 where -h prints this usage message and exits
 where -o specifies a file to which to write the output
 where -u specifies the user name used to connect to the target
 where -p specifies the password used to connect to the target
 where -s specifies the share to be used on the target, rather than
          searching for one
 where -n skips password histories
 where -x targets a 64-bit host
Example:
On Windows, passwords are stored as an LM hash (e.g. 44EF……4EE) and an NTLM hash (e.g. 32ED……8D4). For an explanation of LM, NTLM and NET-NTLM2 and of hash cracking, see: https://www.cnblogs.com/junsec/p/11810703.html
Copy the username and hash, save them in a separate .pwdump file, and crack them with the cracking tools included in Kali.