RE: How to safely obtain windows hashes remotely



Jose,

What about backups of the domain controllers or other servers? Are they secured? It would be fairly straightforward to drop a copy of the SAMs, or AD, or HKLM\secured\cache somewhere and crack the passwords offline. What about dropping a copy of the email server somewhere?

We need more info about your environment to offer quality assistance. Are your passwords stored using reversible encryption? If so, john will crack them very fast. Make sure you have the patch for john to accommodate mscache. Even if they aren't stored using reversible encryption, john should crack some fairly fast. You didn't mention cachedump; any admin could grab all the other admins' passwords stored in the local cache from a server and crack them offline.

What about using a linux boot disk to grab the SAM or change the local admin password? Several are available, and they would leave no trace on the file system. Granted, the server would appear offline during this time.

If you're in a switched environment (assumed), did you span the port you were running Ettercap on? Did you allow Cain to run on the segment you have SQL servers on (assuming)? You'll grab those passwords, as they're passed in the clear.

Passwords, though, are a small part of security. Are workstations locking? What about servers? How do the users feel about the need for security? Are you using a stand-alone print server? What does its log show you about what the execs are printing? Etc, etc.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

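An added defender-side audit that is not part of either message in this thread: it checks the two storage weaknesses Scott asks about, accounts (or the domain default) storing passwords with reversible encryption, and how many domain logons a server caches locally. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller can read AD and HKLM.

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory
# module and read access to AD and the local registry.
Import-Module ActiveDirectory

# userAccountControl bit 0x80 (128) = ENCRYPTED_TEXT_PWD_ALLOWED.
# The 1.2.840.113556.1.4.803 matching rule performs a bitwise AND in LDAP.
$reversible = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties userAccountControl, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet

if ($reversible) {
    Write-Warning "Accounts storing passwords with reversible encryption:"
    $reversible | Format-Table -AutoSize
} else {
    Write-Output "No accounts have reversible encryption enabled."
}

# The Default Domain Policy can switch reversible encryption on for everyone;
# a per-account check alone would miss that.
Get-ADDefaultDomainPasswordPolicy | Select-Object ReversibleEncryptionEnabled

# Cached domain logons on this host (the store cachedump-style tools read).
# CachedLogonsCount is a REG_SZ; if the value is absent the default of 10 applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
    -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
Write-Output "CachedLogonsCount on $env:COMPUTERNAME = $cached"
if ([int]$cached -gt 0) {
    Write-Warning "Domain credentials are cached locally; lower this on servers that admins log on to."
}
```

Run it on a domain-joined server as a user with directory read rights; a non-empty first table or a non-zero CachedLogonsCount is the finding to take to the boss.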

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Jose Mendoza
Sent: Tuesday, May 15, 2007 3:39 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: How to safely obtain windows hashes remotely

I'm doing a PenTest/Proof of Concept in my LAN, but to date I'm quite sure everything is OK and Up-to-Date in terms of password hardening and security techniques in place.

I've tested CAIN, tried to exploit using Meterpreter, used EtterCap, PWDump and something else using a spoofed machine with no success at all! Hurray!

Nevertheless, my boss still doesn't believe our network is completely safe, from a technical point of view.

Does anybody know how to perform a password dump from a WinXP and/or Win2003 box remotely without a trace?

All client boxes are running XPSP2 and all servers W2003.

Thanks,

Jose Mendoza
Caracas, Venezuela



