Penetration Testing mailing list archives

Re: SAM user dump


From: Iván Arce <ivan.arce () coresecurity com>
Date: Wed, 21 Sep 2005 21:51:08 -0300

Warning: Commercial plug follows

All the functionality described below is part of CORE IMPACT.
What you can do in that case is:
1. Exploit box using a suitable remote exploit (gives you remote Windows
API function call access to the box)
2. If you did not obtain privileged access (SYSTEM) on the box:
   Use a suitable Local exploit for Windows to elevate privileges
3. Inject a Windows API function call agent into the LSASS.exe process
4. Remotely dump the SAM hashes using the agent from step 3
5. Export the dumped hashes to an LCP/L0phtCrack compatible file

All this can be done with point & click and without uploading any
additional files or tools to the target system.


J. Theriault wrote:
DokFLeed wrote:

Hey,
I am looking for a way to dump the SAM hashes by USER account. Assume
the box doesn't have a CD or floppy to boot from. No repair files, or
Registry SAM hashes available.

Any tools to dump the hashes for a user from a cmd console,
or should we start coding one!

DokFLeed


As I don't know of any tools that would allow you to do this, why not
just combine pwdump with an exploit into one package?


I've used the package method a few times, along the lines of:
BATCH file calls EXPLOIT;
EXPLOIT gives access as SYSTEM;
SYSTEM then executes PWDUMP;
PWDUMP dumps passwords to FILE;
FILE is immediately sent to a remote email server via BMAIL;
BATCH executes a second BATCH(2);
BATCH(2) fills all other files with garbage, deletes them(;), and
(optional) calls AT;
AT deletes BATCH(2) and removes the directory.


If you put that package as a self-extracting silent zip package that
auto-executes the first batch file silently and call it via a
download-and-execute exploit just as with the JPEG GDI+ vuln, then it
can be instigated automatically.

The compressed package is about 90KB when self-extracting.



J. Theriault
administrator () maginetworks com

------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



-- 
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
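Steps 3 and 4 above (an agent injected into LSASS.exe, then hashes read out of it) and the pwdump-based variant in the quoted reply both require a foreign process to open lsass.exe with thread-creation, memory-write or memory-read rights. The detection sketch below is an added example, not code from the original thread or from CORE IMPACT; it assumes Sysmon-style ProcessAccess (Event ID 10) records rendered as key=value text, and the log lines, the image paths and the allowlist are constructed for illustration.

```python
"""Flag processes that open lsass.exe with rights sufficient to inject
code into it or to read its memory.  Added example; assumes Sysmon-style
ProcessAccess (Event ID 10) records flattened to key=value text.  All
sample log lines and paths below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Windows process access rights (winnt.h), relevant subset.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# An injector needs to create a thread and write into the target; a hash
# dumper reading LSASS memory needs at least VM_READ.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_MASK = PROCESS_VM_READ

# Hypothetical allowlist of images expected to touch lsass.exe on a given
# host; in practice this is tuned from a baseline of normal telemetry.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    source: str       # image that opened lsass.exe
    granted: int      # access mask actually granted
    reasons: tuple    # which capability thresholds were crossed


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return an Alert for a suspicious lsass.exe access, else None."""
    if event.get("EventID") != "10":
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    granted = int(event.get("GrantedAccess", "0"), 16)
    reasons = []
    if granted & INJECT_MASK == INJECT_MASK:
        reasons.append("inject")
    if granted & READ_MASK:
        reasons.append("read-memory")
    if not reasons or source in ALLOWLIST:
        return None
    return Alert(source, granted, tuple(reasons))


def scan(lines):
    """Run every log line through classify() and keep the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines) if a]


# Constructed sample records: one benign system access, one full-access
# open by an unknown binary, one read-only open by an unknown binary,
# one access to a non-LSASS target, and one unrelated event type.
SAMPLE_LOG = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Temp\agent.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1F0FFF",
    r"EventID=10 SourceImage=C:\Temp\dump.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Temp\dump.exe "
    r"TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1F0FFF",
    r"EventID=1 Image=C:\Temp\agent.exe CommandLine=agent.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.source} opened lsass.exe with 0x{alert.granted:X}: "
              f"{', '.join(alert.reasons)}")
```

The allowlist is keyed on the full path because the same rule run against a stricter host baseline will otherwise page on every legitimate service that queries LSASS; the two masks are kept separate so an analyst can tell a pure read (hash or credential extraction) from a write-plus-thread open (the agent-injection step in the procedure above).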

