Re: RE: How to safely obtain windows hashes remotely

> I'm doing a PenTest/Proof of Concept in my LAN, but to date I'm quite sure everything is OK and up-to-date in terms of password hardening and security techniques in place.

The first thing you need to do is take a look at the security policies in place (and supposed to be in place) on your LAN. Scott gave you some good tips and places to start. Do workstations lock after inactivity, are you using AD, are users segregated into groups based on the minimal level of access required or is everyone a local admin on their account, how is the LAN set up with firewall and IDS, what's the baseline for user machines (how do you lock them down), patching procedures, etc.

> I've tested CAIN, tried to exploit using Meterpreter, used EtterCap, PWDump and something else using a spoofed machine with no success at all! Hurray!

The above is far from a complete test of a network. Just because you can't pop a shell with Metasploit doesn't mean your network is secure, far from it. I would START with a Nessus scan of the network and go from there. If your security policy isn't implemented properly on some boxes, Nessus may help you locate the rogue ones.

> Nevertheless, my boss still doesn't believe our network is completely safe, from a technical point of view.

Good, he shouldn't be.

> Does anybody know how to perform a password dump from a WinXP and/or Win2003 box remotely without a trace?

try fgdump from

> All client boxes are running XPSP2 and all servers W2003.

Scott also pointed you in the right direction on passwords and how they are stored in your environment. I did an article on rainbow tables/RainbowCrack. Down at the bottom of the article it has tips for protections against password attacks, maybe something to bounce off of your security policy.

hope that helps



Chris Gates, CISSP
GCIH, C|EH, CPTS, MCP 2003, A+, Network+, Security+


Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Mentor Led Training * Hacklab Access
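As an added example (not from this post, and not the code of any tool named in the thread), here is a small Python audit of a Windows local security policy export, the defender's counterpart to the "how are passwords stored" question above. It assumes the INI-style layout that `secedit /export /cfg <file>` writes, with `[System Access]` and `[Registry Values]` sections; both sample exports embedded below are constructed, one with the untightened defaults an XP SP2 / 2003 box tends to have and one after the policy has been corrected, so the weak and hardened settings sit side by side.

```python
"""Audit a Windows local security policy export for password-storage and
password-attack weaknesses (hypothetical helper; not from the thread).

Input is the INI-style text that `secedit /export /cfg <file>` writes
(assumption: that format, with `[System Access]` and `[Registry Values]`
sections). Both samples below are constructed, not captured from a real host.
"""
import configparser
from typing import List, Optional

# Constructed: the kind of defaults an untightened XP SP2 / 2003 box ends up with.
WEAK_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
"""

# Constructed: the same export after the policy has been tightened.
HARDENED_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"


def parse_secedit_inf(text: str) -> configparser.ConfigParser:
    """Parse the export; option names stay case-sensitive so registry paths match."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def registry_dword(cp: configparser.ConfigParser, path: str) -> Optional[int]:
    """[Registry Values] lines are `<path>=<type>,<data>`; type 4 is REG_DWORD."""
    raw = cp.get("Registry Values", path, fallback=None)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    if reg_type.strip() != "4":
        return None
    return int(data.strip())


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    cp = parse_secedit_inf(text)
    sa = cp["System Access"]
    findings: List[str] = []

    min_len = int(sa.get("MinimumPasswordLength", "0"))
    no_lm = registry_dword(cp, LSA + r"\NoLMHash")
    # Windows keeps an LM hash (the one rainbow tables crack trivially) unless
    # NoLMHash=1 or every password is 15+ characters, which LM cannot encode.
    if no_lm != 1 and min_len < 15:
        findings.append("LM hashes still stored: set NoLMHash=1 or require 15+ character passwords")
    if min_len < 8:
        findings.append(f"MinimumPasswordLength={min_len}: too short to resist offline cracking")
    if sa.get("PasswordComplexity", "0") != "1":
        findings.append("PasswordComplexity disabled")
    if sa.get("ClearTextPassword", "0") == "1":
        findings.append("ClearTextPassword=1: passwords stored with reversible encryption")
    if int(sa.get("LockoutBadCount", "0")) == 0:
        findings.append("LockoutBadCount=0: no lockout, online guessing is unlimited")

    lm_compat = registry_dword(cp, LSA + r"\LmCompatibilityLevel")
    # Below level 3 the client still sends LM/NTLMv1 responses on the wire, which
    # is exactly what a sniffer on the LAN hands to an offline cracker.
    if lm_compat is None or lm_compat < 3:
        findings.append(f"LmCompatibilityLevel={lm_compat}: LM/NTLMv1 responses still sent; use 3 or higher")
    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {name} ==")
        for finding in audit(export) or ["no findings"]:
            print(" -", finding)
```

Run it against a real export by reading the file (secedit writes it as UTF-16, so open it with `encoding="utf-16"`) and passing the text to `audit()`; each finding maps directly onto a Group Policy setting, which makes the output easy to bounce off the written security policy the way the reply suggests.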
