RE: windows 2003 server



Yea if you used pwdump you need admin privileges to dump the hashes. If
you manage to get a reverse shell you can ftp the sam from the repair
folder and the system part of the registry. Then import them into L0pht
or LCP. If I am not mistaken, the sam file is syskeyed at level 1 by
default for 2k3? Could someone verify that for me?

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Vinay_Dwarakanath
Sent: Wednesday, March 21, 2007 12:58 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: windows 2003 server

Just wondering... Heard that the security in 2003 has been strengthened.
How does one dump the passwords from the SAM file? Is it via pwdump
utility or are there any better suggestions?

Vinay


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of John Babio
Sent: Tuesday, March 20, 2007 7:21 PM
To: Salvador.Manaois@xxxxxxxxxxxx; chris_parker@xxxxxxxxxxxx;
pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: windows 2003 server

Here is a question. Without physical access the most you can do is dump
the hashes. Is it possible to obtain the \windows\repair\sam file while
the machine is up and running? Kind of ftp it to another location?

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Salvador.Manaois@xxxxxxxxxxxx
Sent: Monday, March 19, 2007 7:45 AM
To: chris_parker@xxxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: windows 2003 server

If your main goal is to gauge the "strength" of your organization's
password policy and _not_ how to break into the win2003 server, then you
should try to dump a copy of the SAM file onto a password-cracker.
Remotely checking the password strength may require you to try
brute-forcing a session to the server (but then again, if the invalid
login threshold setting and the account lockout policy are defined, you
may find this exercise frustratingly time-consuming). =)

...badz...
Salvador Manaois III

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Chris Parker
Sent: Saturday, March 17, 2007 7:16 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: windows 2003 server

Nicolas RUFF wrote:
> > I have a win2003 server that I have been asked to test its password
> > policy. I am new to this and was wondering what would be the best
> > approach to gain access? It is in my local network and will be
> > segregated from the rest of the network for testing. I would be
> > using a remote machine to log in and not locally. What would be your
> > suggestions?
>
> Password policy can be found in Administrative Tools/[Local | Domain]
> Security Policy.
>
> What do you mean by "testing password policy" ?
>
> Why do you need to gain access ? You'd better ask for an
> administrative account and dump the SAM file into a password cracker
> (like LCP).
>
> Given the default security policy of W2003 (anonymous account
> enumeration blocked, password length over 7 and mixed characters
> required), your chances to break in remotely without any additional
> information are near zero.
>
> Regards,
> - Nicolas RUFF

First, we are trying to lock down our servers. I came into this after
they had these servers up for a few years, so you can see my work is cut
out for me. I just wanted the best ways to test to make sure most users
cannot get where they are not supposed to be. Current password policy is
8 characters, upper lower number.

thanks
Chris Parker

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------









