WinScanX - The safest way to retrieve Windows password hashes, LSA secrets, etc.

[Reed Arvin <reedarvin () gmail com>]

Using WinScanX to retrieve Windows password hashes, LSA secrets and MS
CACHE hashes without copying a single file to the remote host. Read
on...

Video and WinScanX (free) download link at:
http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/

Retrieving password hashes, LSA secrets, and MS CACHE hashes from a
remote machine can end up in disaster if things don’t go exactly as
planned. Often times the LSASS.exe process dies and the machine is
forced into a reboot. Often times anti-virus gets in the way.

Say goodbye to all of these issues. With WinScanX (and the help of
Cain & Able | http://www.oxid.it/) you can retrieve the password
hashes, LSA secrets, and MS CACHE hashes from a remote machine without
copying a single file to the remote host. This way the LSASS.exe
process won’t be touched and anti-virus applications won’t have the
chance to interfere.


Saving the remote registry hives using WinScanX -y:

The first thing you need to do is ensure that you have administrative
access to the remote machine. Afterward, open the WinScanX GUI and
enter the remote host into the Target Host(s) field. Select the “Save
Remote Registry Hives” option and click Start Scan.

> From the command line you would run the following:

winscanx.exe -y <hostname> + +

When the scan has completed you should have three new files in the
root of the WinScanX directory (not the Reports directory):

<HOSTNAME>-SAM
<HOSTNAME>-SECURITY
<HOSTNAME>-SYSTEM


Extracting the passwords hashes, etc. using Cain:

Open Cain, click the Decoders tab, click LSA Secrets on the left and
click the blue plus sign at the top of the screen. Select the “Import
Secrets from Registry Hive files” radio button and point Cain to the
<HOSTNAME>-SYSTEM and <HOSTNAME>-SECURITY files that WinScanX
retrieved. Click Next to finish the process of retrieving the LSA
secrets.

The password hashes and MS CACHE hashes can be retrieved very
similarly. Click the Cracker tab, select the LM & NTLM Hashes or the
MS-Cache Hashes option on the left and click the blue plus sign at the
top of the screen. Point Cain to the appropriate files to complete the
process.


Still confused? Watch the video:

Sometimes seeing something in action can make the process more clear.
Feel free to watch the video of these actions being performed at:
http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/