Penetration Testing mailing list archives

Re: Sam File via IIS flaw


From: David Cravshaw <david.cravshaw () gmail com>
Date: Thu, 30 Jun 2005 12:11:54 -0500

I recently ran into a similar issue.  Since the browser doesn't
interpret the sam file particularly well, you'll need something else
to pull it down.  wget worked just fine in my case.  Also note that
due to syskey (enabled by default on win2000+), you will need to pull
down /winnt/repair/system and use something like SAMInside that Jerome
mentioned to extract the hashes from the sam using the syskey in the
system file.

Then you have the hashes in l0pht-able or, preferably,
rainbowcrack-able format!

On 28 Jun 2005 19:02:54 -0000, nordicsmak () yahoo com
<nordicsmak () yahoo com> wrote:
> During a recent penetration test I've discovered a flaw in the IIS server that allows me to browse to and view any file on the system.
>
> I'm able to browse to the /winnt/repair/sam file, but it obviously is unusable in the format that's presented in the browser.
>
> Any way to get this file in a format that can be used in L0pht?
>
> Thanks,
> Chris
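From the defender's side, the exchange above boils down to one observable: web requests that reach the repair copies of the SAM and SYSTEM hives through the IIS document root. The following is an added example, not code from the thread or its authors, that scans IIS W3C extended log lines for such requests so an administrator can spot an arbitrary-file-read flaw being used this way. The log lines are constructed for the example, and the field order assumes the default `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` layout; the path is percent-decoded, lower-cased and normalised before matching, because IIS accepts mixed case and backslashes in the URI.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not taken from the original thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-06-28 19:01:10 10.0.0.5 GET /default.htm - 200
2005-06-28 19:01:12 10.0.0.5 GET /winnt/repair/sam - 200
2005-06-28 19:01:15 10.0.0.5 GET /WINNT\\Repair\\SYSTEM - 200
2005-06-28 19:02:00 10.0.0.9 GET /images/logo.gif - 304
"""

# Paths that should never be served by a web server; both are needed
# together (the SYSTEM hive holds the syskey), so flag either one.
SENSITIVE_SUFFIXES = ("/winnt/repair/sam", "/winnt/repair/system")


def normalize_path(uri_stem):
    """Canonicalise a cs-uri-stem value so case, encoding and
    backslash tricks do not hide the file actually requested."""
    decoded = unquote(uri_stem).replace("\\", "/").lower()
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    # posixpath.normpath collapses "." and ".." segments; on an absolute
    # path any leading ".." that would climb above "/" is dropped.
    return posixpath.normpath(decoded)


def find_sensitive_requests(log_text, suffixes=SENSITIVE_SUFFIXES):
    """Return one dict per request whose normalised path ends with a
    sensitive suffix; directive lines starting with '#' are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; ignore it
        client_ip, uri_stem, status = fields[2], fields[4], fields[6]
        path = normalize_path(uri_stem)
        if path.endswith(suffixes):
            hits.append({
                "client_ip": client_ip,
                "raw_uri": uri_stem,
                "path": path,
                "status": status,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sensitive_requests(SAMPLE_LOG):
        print(f"{hit['client_ip']} requested {hit['raw_uri']} "
              f"(normalised: {hit['path']}, status {hit['status']})")
```

A status of 200 on one of these paths is the thing to react to: it means the server actually returned the file, not just that someone asked for it. The same normalisation step can be reused for any other file that has no business living under the web root.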
