Penetration Testing mailing list archives
Re: SAM user dump
From: Iván Arce <ivan.arce () coresecurity com>
Date: Wed, 21 Sep 2005 21:51:08 -0300
Warning: Commercial plug follows

All the functionality described below is part of CORE IMPACT.

What you can do in that case is:

1. Exploit box using a suitable remote exploit (gives you remote Windows API function call access to the box)
2. If you did not obtain privileged access (SYSTEM) on the box: Use a suitable Local exploit for Windows to elevate privileges
3. Inject a Windows API function call agent into the LSASS.exe process
4. Remotely dump the SAM hashes using the agent from step 3
5. Export the dumped hashes to an LCP/L0phtCrack compatible file

All this can be done with point & click and without uploading any additional files or tools to the target system.

J. Theriault wrote:
> DokFLeed wrote:
>> Hey,
>> I am looking for a way to dump the SAM hashes by USER account. Assume the box doesn't have CD or floppy to boot from. No repair files, or Registry SAM hashes available. Any tools to dump the hashes for user from a cmd console, or should we start coding one!
>> DokFLeed
>
> As I don't know of any tools that would allow you to do this, why not just combine pwdump with an exploit into one package?
>
> I've used the package method a few times, along the lines of: BATCH file calls EXPLOIT; EXPLOIT gives access as SYSTEM; SYSTEM then executes PWDUMP; PWDUMP dumps passwords to FILE; FILE is immediately sent to a remote email server via BMAIL; BATCH executes a second BATCH(2); BATCH(2) fills all other files with garbage, deletes them(;), and (optional) calls AT; AT deletes BATCH(2) and removes the directory.
>
> If you put that package as a self-extracting silent zip package that auto-executes the first batch file silently and call it via a download-and-execute exploit just as with the JPEG GDI+ vuln, then it can be instigated automatically. The compressed package is about ~90KB when self-extracting.
>
> J. Theriault
> administrator () maginetworks com
--
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
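For defenders, the two approaches in this thread leave different traces: the quoted package runs a dump tool, a mailer and an AT cleanup job in quick succession, while the injected agent shows up as a remote thread in LSASS.exe. The sketch below is an added example, not code from either poster or from CORE IMPACT; the event schema, host names and sample events are constructed, and the allowlist is an assumption to be filled in per site.

```python
import re

# Constructed events in a hypothetical normalized schema (not a real log format).
EVENTS = [
    {"ts": 50, "host": "ws3", "kind": "remote_thread", "source": "agent.exe", "target": "lsass.exe"},
    {"ts": 100, "host": "ws1", "kind": "proc", "image": "pwdump.exe", "cmd": "pwdump.exe"},
    {"ts": 104, "host": "ws1", "kind": "proc", "image": "bmail.exe", "cmd": "bmail.exe"},
    {"ts": 110, "host": "ws1", "kind": "proc", "image": "at.exe", "cmd": "at 23:59 cmd /c rd /s /q C:\\stage"},
    {"ts": 100, "host": "ws2", "kind": "proc", "image": "pwdump.exe", "cmd": "pwdump.exe"},
    {"ts": 900, "host": "ws2", "kind": "proc", "image": "bmail.exe", "cmd": "bmail.exe"},
    {"ts": 905, "host": "ws2", "kind": "proc", "image": "at.exe", "cmd": "at 02:00 backup.cmd"},
]

LSASS_ALLOW = set()  # assumption: site-specific processes permitted to do this

# Ordered stages of the quoted package: dump tool, mailer, AT job that deletes files.
STAGES = [
    ("dump", lambda e: re.search(r"pwdump", e["image"], re.I)),
    ("mail", lambda e: re.search(r"bmail", e["image"], re.I)),
    ("cleanup", lambda e: e["image"].lower() == "at.exe"
        and re.search(r"\b(del|rd|rmdir)\b", e["cmd"], re.I)),
]

def detect(events, window=300):
    """Return (host, rule) alerts in time order."""
    alerts, progress = [], {}  # progress: host -> (next stage index, chain start ts)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["kind"] == "remote_thread":
            # Any unexpected process starting a thread inside LSASS is suspicious.
            if ev["target"].lower() == "lsass.exe" and ev["source"].lower() not in LSASS_ALLOW:
                alerts.append((host, "lsass-remote-thread"))
            continue
        idx, start = progress.get(host, (0, None))
        if start is not None and ev["ts"] - start > window:
            idx, start = 0, None  # chain went stale; start over
        if STAGES[idx][1](ev):
            start = ev["ts"] if idx == 0 else start
            idx += 1
            if idx == len(STAGES):  # all three stages seen in order within the window
                alerts.append((host, "dump-mail-cleanup-chain"))
                idx, start = 0, None
        progress[host] = (idx, start)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Matching on image names is the weakest part, since a renamed binary passes unnoticed; the ordering and time-window logic is what carries over to hash- or behaviour-based stage tests.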