本文深入探讨了在针对特定目标的网络攻击中,利用哈希泄露技术进行远程机器访问的方法,包括读取注册表信息来获取Windows凭证。文中详细介绍了两种关键的访问方式,并提出了防范策略,旨在阻止未经授权的进程访问敏感信息。
In many targeted attack case, harvesting windows credential play an important
role in later movement phase. Hacker can use psexec to remote access machine
with password hash directly. Hash dump technique and source code is public
availble, and maight be customised for attacks.
One of hash dump method is reading the sam information from registry.
Two keys accessed:
1 HKLM\SAM\SAM\Domains\Account\Users\
2 HKLM\System\CurrentControlSet\Control\Lsa
The first key can only be accessed with system privelege. Block it if it
accessed by un-trust process.
More reference:
http://media.blackhat.com/bh-us-
.rb
role in later movement phase. Hacker can use psexec to remote access machine
with password hash directly. Hash dump technique and source code is public
availble, and maight be customised for attacks.
One of hash dump method is reading the sam information from registry.
Two keys accessed:
1 HKLM\SAM\SAM\Domains\Account\Users\
2 HKLM\System\CurrentControlSet\Control\Lsa
The first key can only be accessed with system privelege. Block it if it
accessed by un-trust process.
More reference:
http://media.blackhat.com/bh-us-
12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
.rb
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
