
NTLM and Pass the Hash, again

At the presentation I want to show a small utility I wrote to make pentests easier. It takes the ease of performing PtH attacks to the absurd level of a "big red button". The utility is, so to speak, from the internal kitchen and was never meant for public viewing. But if the community finds it useful, why not. That is exactly what I want to find out. Below the cut is the description of the utility from the working documentation and examples of its use. Yes, of course, it is written to run on UNIX-based OSes. Have a look and share your opinion. Have I reinvented the wheel again?


PtH-Pwner is a script which gives you the ability to automate the power of Pass-the-Hash tools. Useful when performing a pentest on huge subnets. Why scan/attack by hand when you can script it?

Possible usage scenario:

You perform a pentest of a big subnet, and somehow you obtain the password hash of a domain admin account, or of the local administrator account from some boxes. You would like to try it on all wind0ze boxes in the local net, wouldn't you? Pass-the-hash tools will help you do it without even knowing the password (i.e. there is no need to crack the hash). And this script will help you do it automatically. Just run it on a /24 or /16 and grep the affected machines ;)

EXAMPLE (HOWTO):

1. Set up a local tftp-server with a bunch of cool tools:

2. Get LM/NTLM hash somehow (hack/sniff/ask politely) and try it on the whole subnet:

3. Type commands you want to execute remotely in a file one by one:

In this case we're going to dump LM/NTLM credentials from current sessions, dump all local password hashes and finally add a local user with administrative privileges. I.e. it means T0tal Pwn4ge ;)

Note: you can put the commands in the file directly without using a bat-file, but some commands like dir, type, etc. don't work when executed directly. So we use a bat-file as a workaround.

4. Run the evil one:

5. Get more LM/NTLM hashes and go to step 3. Repeating this possibly gives you more and more boxes on every iteration ;)

6. Please note the special "try-them-all" mode, which generates a lot of activity but has a high chance of success. If you have obtained a number of accounts with the gsecdump.exe utility, just pass its output to pth-pwner with the -g switch:

In this case, every single account found in gsecdump.log will be tried against every machine on the subnet. If file.txt also contains directives to run gsecdump.exe on the hacked machines, just redirect the output to gsecdump.log and you will get more and more hacked accounts - thus, more and more chances for T0tal Pwn4ge ;).
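From the defender's side, the "try-them-all" mode described above leaves a distinctive trace in Windows Security logs: a burst of 4624 network logons (logon type 3) using the NTLM authentication package, from one source address and one account, to many different target computers within a short time. The following script is an added example, not part of the original post or of pth-pwner, that flags that pattern over a constructed set of flattened event records; the pipe-separated field layout is an assumption, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 events, flattened to one line each.
# Assumed field layout: time|EventID|TargetComputer|SourceIP|Account|LogonType|AuthPackage
SAMPLE_LOG = """\
2024-05-01T10:00:01Z|4624|WS01|10.0.0.5|Administrator|3|NTLM
2024-05-01T10:00:02Z|4624|WS02|10.0.0.5|Administrator|3|NTLM
2024-05-01T10:00:02Z|4624|WS03|10.0.0.5|Administrator|3|NTLM
2024-05-01T10:00:03Z|4624|SRV01|10.0.0.5|Administrator|3|NTLM
2024-05-01T10:05:00Z|4624|WS07|10.0.0.9|jdoe|3|Kerberos
2024-05-01T10:06:00Z|4624|WS07|10.0.0.9|jdoe|2|Negotiate
2024-05-01T10:07:00Z|4624|FS01|10.0.0.9|jdoe|3|NTLM
"""


def parse_events(text):
    """Turn the flattened records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, src, account, ltype, pkg = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event_id": int(eid), "target": target, "src_ip": src,
                       "account": account, "logon_type": int(ltype), "package": pkg})
    return events


def detect_pth_spray(events, min_hosts=3, window=timedelta(minutes=5)):
    """Flag (source IP, account) pairs that complete NTLM network logons
    (4624, logon type 3) to at least min_hosts distinct hosts within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3 and ev["package"] == "NTLM":
            by_key[(ev["src_ip"], ev["account"])].append(ev)
    alerts = []
    for (src, account), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # slide the window over each start event
            hosts = {e["target"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, account, sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for src, account, hosts in detect_pth_spray(parse_events(SAMPLE_LOG)):
        print(f"possible pass-the-hash spray: {account} from {src} -> {hosts}")
```

Each 4624 is written on the target host, so the events must be collected centrally before this check means anything; legitimate admin scripts and scanners produce the same shape, so the threshold and window need tuning per environment.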

Have fun!