Re: RE: How to safely obtain windows hashes remotely

I'm doing a PenTest/Proof of Concept in my LAN, but to date I'm quite sure everything is OK and up-to-date in terms of password hardening and security techniques in place.

The first thing you need to do is take a look at the security policies in place (and supposed to be in place) on your LAN. Scott gave you some good tips and places to start. Do workstations lock after inactivity, are you using AD, are users segregated into groups based on the minimal level of access required or is everyone a local admin on their account, how is the LAN set up with firewall and IDS, what's the baseline for user machines (how do you lock them down), patching procedures, etc.

I've tested CAIN, tried to exploit using Meterpreter, used Ettercap, PWDump and something else using a spoofed machine with no success at all! Hurray!

The above is far from a complete test of a network. Just because you can't pop a shell with Metasploit doesn't mean your network is secure, far from it. I would START with a Nessus scan of the network and go from there. If your security policy isn't implemented properly on some boxes, Nessus may help you locate the rogue ones.

Nevertheless, my boss still doesn't believe our network is completely safe, from a technical point of view.

Good, he shouldn't be.

Does anybody know how to perform a password dump from a WinXP and/or Win2003 box remotely without a trace?

try fgdump from

All client boxes are running XPSP2 and all servers W2003.

Scott also pointed you in the right direction on passwords and how they are stored in your environment. I did an article on rainbow tables/RainbowCrack. Down at the bottom of the article it has tips for protections against password attacks, maybe something to bounce off of your security policy.

hope that helps



Chris Gates, CISSP
GCIH, C|EH, CPTS, MCP 2003, A+, Network+, Security+


Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Mentor Led Training * Hacklab Access