Penetration Testing mailing list archives

Re: Re: Copying secret windows file


From: cwright () bdosyd com au
Date: 27 Dec 2007 19:06:01 -0000

Hi,
Sorry to destroy your sense of insecurity, but this is not the case.

There are a number of methods that may be used to dump SAM in memory. Any user with Debug privileges has effectively 
full access to memory (and many systems are set this way). On top of this, there are means to obtain access without 
authorisation.

Take Meterpreter for instance. This toolset comes with "Sam Juicer". Sam Juicer "slides" over a memory channel as a 
direct memory injection that leaves no disk or registry evidence (hence my push on memory forensics).

Any memory/LSASS, services channel, direct disk or registry hole can be used to get the SAM. The SAM Juicer uses the 
first. There are other tools for all the other levels.

Regards,
Dr Craig Wright (GSE-Compliance)
