Re: Copying secret windows file

From: Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx>
Date: Thu, 27 Dec 2007 16:08:01 +0100 (ora solare Europa occidentale)

Hi Clone,

On Fri, 21 Dec 2007, Clone wrote:

Hello All

What is the most sensitive file you could remotely copy from a Windows 2003 server in case you have a remote access available to entire file system through an exploit? I tried copying SAM file from windows system root but that isn't happening. It says being used by some other process. Is there any other way to get this file? The SAM repair file is old and doesn't have my domain password cached(well does that really happens?).

You may dump the current local/domain passwords using the following tools:

http://www.foofus.net/fizzgig/pwdump/
http://meshier.com/2007/03/08/auditing-cached-credentials-with-cachedump/
http://www.metasploit.com/projects/antiforensics/SamJuicer.zip
[and more]

If you can get RDP access or similar and need to recover an actual file that has been locked by Windows (i.e. Exchange email DBs, etc.), you can use the NTBACKUP.EXE utility shipped with modern Windows installations. Just type "ntbackup" at the CMD prompt and follow the wizard...

Otherwise, you could write your own "backup" software using the Shadow Copy (VSS) feature. For more information, take a look here:

http://en.wikipedia.org/wiki/Shadow_Copy
http://en.wikipedia.org/wiki/File_locking

Hope this helps;)

--
Marco Ivaldi, OPST
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

References:
- Copying secret windows file
  - From: Clone

Prev by Date: Re: WPA-PSK audit
Next by Date: RE: Skype
Previous by thread: Re: Copying secret windows file
Next by thread: Re: Copying secret windows file
Index(es):
- Date
- Thread

Relevant Pages

SecurityFocus Microsoft Newsletter #228
... RaidenHTTPD Remote File Disclosure Vulnerability ... Microsoft Outlook Web Access Login Form Remote URI Redirecti... ... Microsoft Windows Hyperlink Object Library Buffer Overflow V... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #212
... MICROSOFT VULNERABILITY SUMMARY ... ARJ Software UNARJ Remote Directory Traversal Vulnerability ... Microsoft Windows XP WAV File Handler Denial Of Service Vuln... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #229
... Windows NTFS Alternate Data Streams ... MICROSOFT VULNERABILITY SUMMARY ... VBulletin Forumdisplay.PHP Remote Command Execution Vulnerab... ... AWStats Debug Remote Information Disclosure Vulnerability ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #232
... Windows Firewalls Lacking ... MICROSOFT VULNERABILITY SUMMARY ... Gene6 FTP Server Remote Default Install Code Execution Vulne... ... Relevant URL: http://www.securityfocus.com/bid/12736 ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #182
... Introducing the world's first and only complete Internal Security Gateway: ... Microsoft Windows XP Explorer.EXE Remote Denial of Service V... ... Apache Error Log Escape Sequence Injection Vulnerability ...
(Focus-Microsoft)