Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SAM user dump

from [Stephan] Network Security [Permanent Link]
Subject: Re: SAM user dump
Date: Fri, 23 Sep 2005 17:14:03 -0700 
DokFLeed,

You check out "Sam Juicer" from the the Metasploit Anti-Forensics
Project, which dumps the hashes from the SAM . It's similar to pwdump
but it doesn't ever hit disk.

http://metasploit.com/projects/antiforensics/

The website says it's coming soon, so I'm not sure when it's actually
going to be released.

-SC


On 9/21/05, Iván Arce <ivan.arce@coresecurity.com> wrote:

Warning: Commercial plug follows

All the functionality described below is part of CORE IMPACT.
What you can do in that case is:
1. Exploit box using a suitable remote exploit (gives you remote Windows
API function call access to the box)
2. If you did not obtain privileged access (SYSTEM) on the box:
   Use a suitable Local exploit for Windows to elevate privileges
3. Inject a Windows API function call agent into the LSASS.exe process
4. Remotely dump the SAM hashes using the agent from step 3
5. Export the dumped hashes to an LCP/lophcrack compatible file

All this can be done with point & click and without uploading any
additional files or tools to the target system.


J. Theriault wrote:

DokFLeed wrote:


Hey,
I am looking for a way to dump the SAM hashes by USER account. assume
the box doesn't have CD or Floppy to boot from. No repair files , or
Registry SAM hashes available.

any tools to dump the hashes for user from a cmd console
or should we start coding one !

DokFLeed



As I don't know of any tools that would allow you to do this, why not
just combine pwdump with an exploit into one package?


I've used the package method a few times, along the lines of:
BATCH file calls EXPLOIT;
EXPLOIT gives access as SYSTEM;
SYSTEM then executes PWDUMP;
PWDUMP dumps passwords to FILE;
FILE is immediately sent to a remote email server via BMAIL;
BATCH executes a second BATCH(2);
BATCH(2) fills all other files with garbage, deletes them(;), and
(optional)
calls AT;
AT deletes BATCH(2) and removes the directory.


If you put that package as a self-extracting silent zip package that
auto-executes the first batch file silently and call it via a
download-and-execute exploit just as with the JPEG GDI+ vuln, then it
can be instigated automatically.

The compressed package is about ~90KB when self-extracting.



J. Theriault
administrator@maginetworks.com

------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




--
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers 
do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: PT Activity duration/time, Miller, Joseph A
Next by Date:  Re: Passwords with Lan Manager (LM) under Windows, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Previous by Thread:  Re: SAM user dump, Iván Arce
Next by Thread:  RE: SAM user dump, Roni Bachar
Indexes:  [Date] [Thread] [Top] [All Lists]