Penetration Testing mailing list archives

Re: [PEN-TEST] Hard-coded passwords in WINNT directory?


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Tue, 28 Nov 2000 11:50:48 -0800

One of these days I'm going to learn how to ask what I mean... ;-)

I already have the %systemroot%\repair\system._. I've expanded it and looked
at it using a text editor. Next I will use the "Load Hive" command in
regedt32 to get a better look. However, any accounts that are using
impersonation will store their passwords in an encrypted format, right? What
I am looking for is a way to determine the (ExAdmin or ArcServe) passwords
for services that are running in impersonation, and that are domain admins.

No VNC on this one.

-----Original Message-----
From: Davidson,Sam
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/28/00 10:33 AM
Subject: Re: [PEN-TEST] Hard-coded passwords in WINNT directory?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With RDS, you can rdisk.exe /s the system, then issue a command to
copy the repaired sam to the www_root directory, then download it.

OR

Using RDS, enter echo commands to create an FTP script to upload the
SAM to an FTP host. That same FTP script can also be used to get
Netcat or any other just as suitable (I prefer the NT SSH server)
and configure your listening port, and execute commands as you
desire.

- -----Original Message-----
From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
Sent: Tuesday, November 28, 2000 09:27
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Hard-coded passwords in WINNT directory?


How about in cases where null session enumeration isn't possible
(firewall, RestrictAnonymous, etc) but where you can get to
c:\winnt\repair (via RDS, Unicode, etc) and the system is running a
FAT partition?

How would you go about sifting the registry for account names and
passwords where services are using impersonation?
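The exposure the thread is circling is two-fold: services that run under a named account (the "impersonation" case) keep that account's password in LSA secrets on the host, and the repair copies of the hives sit on disk where a file-system or web-server weakness can expose them. The script below is an added defender-side audit written for a current Windows host; it is not code from the thread or its participants. It lists services whose StartName is not a built-in identity, flags those whose account belongs to a privileged group, and reports the system volume's file system, the ACL on %SystemRoot%\repair and the RestrictAnonymous value the thread mentions. The group names, the WinNT-provider membership lookup and the identity names used for the "broad read" check are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread: audit services running under named
# accounts and check whether the on-disk hive artefacts are exposed.
# Group names and the WinNT-provider lookup below are assumptions.

$BuiltInIdentities = @(
    'LocalSystem', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption

function Get-GroupMemberNames {
    # Resolve group membership through the WinNT ADSI provider so the script
    # does not depend on the ActiveDirectory module. $Domain is a NetBIOS
    # domain name or a computer name.
    param([string]$Domain, [string]$Group)
    try {
        $adsi = [ADSI]"WinNT://$Domain/$Group,group"
        $adsi.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        @()  # group not found, or no rights to enumerate it
    }
}

function Get-ImpersonatingServices {
    # Any service with a real account in StartName has that account's
    # password stored in LSA secrets on this host; review these first.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ($BuiltInIdentities -notcontains $_.StartName) } |
        ForEach-Object {
            if ($_.StartName -like '*@*') {            # UPN form: user@domain
                $user, $domain = $_.StartName -split '@', 2
            } else {                                   # DOMAIN\user or .\user
                $domain, $user = $_.StartName -split '\\', 2
                if (-not $user) { $user = $domain; $domain = '.' }
            }
            if ($domain -eq '.') { $domain = $env:COMPUTERNAME }
            $privileged = foreach ($g in $PrivilegedGroups) {
                if ((Get-GroupMemberNames -Domain $domain -Group $g) -contains $user) { $g }
            }
            [pscustomobject]@{
                Service    = $_.Name
                Account    = $_.StartName
                State      = $_.State
                Privileged = ($privileged -join ', ')
            }
        }
}

function Test-RepairArtefactExposure {
    # The thread's scenario: %SystemRoot%\repair on a FAT volume, reachable
    # from a web server. Report the file system (FAT carries no ACLs), any
    # broad read access on the repair directory, and RestrictAnonymous.
    $sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $repair   = Join-Path $env:SystemRoot 'repair'
    $broadRead = @()
    if (Test-Path $repair) {
        $broadRead = (Get-Acl $repair).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users|Guests' -and
            $_.FileSystemRights -match 'Read'
        } | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SystemVolumeFS       = $sysDrive.FileSystem
        VolumeHasNoAcls      = ($sysDrive.FileSystem -ne 'NTFS')
        RepairDirExists      = (Test-Path $repair)
        RepairReadableByMany = $broadRead
        RestrictAnonymous    = $lsa.RestrictAnonymous
    }
}

# Usage: run from an elevated prompt on the host being reviewed.
Get-ImpersonatingServices | Format-Table -AutoSize
Test-RepairArtefactExposure | Format-List
```

Any row with a non-empty Privileged column is a service whose stored secret is equivalent to a domain admin credential on that host; the usual mitigation is to run the service under a dedicated, least-privilege account (or a managed service account) rather than reduce it to a password-storage question. A non-NTFS system volume or a readable repair directory is reported separately because those are the conditions under which the hive copies become reachable at all.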

