Re: SAM user dump

From: Iván Arce (ivan.arce_at_coresecurity.com)
Date: 09/22/05

    Date: Wed, 21 Sep 2005 21:51:08 -0300
    To: pen-test@securityfocus.com
    
    

    Warning: Commercial plug follows

    All the functionality described below is part of CORE IMPACT.
    What you can do in that case is:
    1. Exploit box using a suitable remote exploit (gives you remote Windows
    API function call access to the box)
    2. If you did not obtain privileged access (SYSTEM) on the box:
       Use a suitable Local exploit for Windows to elevate privileges
    3. Inject a Windows API function call agent into the LSASS.exe process
    4. Remotely dump the SAM hashes using the agent from step 3
    5. Export the dumped hashes to an LCP/L0phtCrack compatible file

    All this can be done with point & click and without uploading any
    additional files or tools to the target system.

    J. Theriault wrote:
    > DokFLeed wrote:
    >
    >> Hey,
    >> I am looking for a way to dump the SAM hashes by USER account. Assume
    >> the box doesn't have CD or Floppy to boot from. No repair files, or
    >> Registry SAM hashes available.
    >>
    >> Any tools to dump the hashes for user from a cmd console,
    >> or should we start coding one!
    >>
    >> DokFLeed
    >
    >
    > As I don't know of any tools that would allow you to do this, why not
    > just combine pwdump with an exploit into one package?
    >
    >
    > I've used the package method a few times, along the lines of:
    > BATCH file calls EXPLOIT;
    > EXPLOIT gives access as SYSTEM;
    > SYSTEM then executes PWDUMP;
    > PWDUMP dumps passwords to FILE;
    > FILE is immediately sent to a remote email server via BMAIL;
    > BATCH executes a second BATCH(2);
    > BATCH(2) fills all other files with garbage, deletes them(;), and
    > (optional)
    > calls AT;
    > AT deletes BATCH(2) and removes the directory.
    >
    >
    > If you put that package as a self-extracting silent zip package that
    > auto-executes the first batch file silently and call it via a
    > download-and-execute exploit just as with the JPEG GDI+ vuln, then it
    > can be instigated automatically.
    >
    > The compressed package is about ~90KB when self-extracting.
    >
    >
    >
    > J. Theriault
    > administrator@maginetworks.com
    >
    > ------------------------------------------------------------------------------
    >
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    > Hackers are concentrating their efforts on attacking applications on
    > your website. Up to 75% of cyber attacks are launched on shopping carts,
    > forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
    > servers are futile against web application hacking. Check your website
    > for vulnerabilities to SQL injection, Cross site scripting and other web
    > attacks before hackers do! Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > -------------------------------------------------------------------------------
    >
    >

    -- 
    ---
    To strive, to seek, to find, and not to yield.
    - Alfred, Lord Tennyson, Ulysses, 1842
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    ivan.arce@coresecurity.com
    www.coresecurity.com
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
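Step 3 of the procedure above (injecting an agent into LSASS.exe) is the point a defender can observe: any process that opens a handle to lsass.exe with thread-creation or memory-write rights is recorded by Sysmon as Event ID 10 (ProcessAccess). The script below is an added example, not part of this thread or of any product mentioned in it; the Sysmon field names (SourceImage, TargetImage, GrantedAccess) and the Windows access-right constants are real, while the events, image paths and the key=value log format are constructed for the example.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) lines for suspicious opens of lsass.exe.

Added example: the events below are constructed; field names follow Sysmon's
ProcessAccess schema, access masks follow winnt.h.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Process access rights (winnt.h) that matter for injection and memory reads.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Rights an injector needs (write code, create a remote thread) vs. a pure memory read.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_MASK = PROCESS_VM_READ

# Constructed Sysmon Event ID 10 records, one event per line (paths contain no spaces).
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"SourceImage=C:\Windows\System32\wbem\WmiPrvSE.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"SourceImage=C:\Users\Public\agent.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1F0FFF",
    r"SourceImage=C:\Temp\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"SourceImage=C:\Temp\dump.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value Sysmon line into a dict (values must not contain spaces)."""
    return dict(FIELD_RE.findall(line))


def classify_access(event: Dict[str, str]) -> Optional[str]:
    """Return 'inject', 'read' or None for a ProcessAccess event targeting lsass.exe.

    Query-only masks such as 0x1000/0x1400 are normal system noise and are ignored;
    a 'read' verdict (e.g. 0x1010) is a triage hint, since some legitimate tooling
    reads LSASS memory, while 'inject' should always be investigated.
    """
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if access & INJECT_MASK:
        return "inject"
    if access & READ_MASK:
        return "read"
    return None


def flag_lsass_access(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, SourceImage, GrantedAccess) for every suspicious lsass.exe open."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify_access(event)
        if verdict:
            hits.append((verdict, event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print(*hit)
```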
