Hi Clone,
On Fri, 21 Dec 2007, Clone wrote:
Hello All
What is the most sensitive file you could remotely copy from a Windows
2003 server in case you have a remote access available to entire file
system through an exploit? I tried copying SAM file from windows system
root but that isn't happening. It says being used by some other process.
Is there any other way to get this file? The SAM repair file is old and
doesn't have my domain password cached(well does that really happens?).
You may dump the current local/domain passwords using the following tools:
http://www.foofus.net/fizzgig/pwdump/
http://meshier.com/2007/03/08/auditing-cached-credentials-with-cachedump/
http://www.metasploit.com/projects/antiforensics/SamJuicer.zip
[and more]
If you can get RDP access or similar and need to recover an actual file
that has been locked by Windows (i.e. Exchange email DBs, etc.), you can
use the NTBACKUP.EXE utility shipped with modern Windows installations.
Just type "ntbackup" at the CMD prompt and follow the wizard...
Otherwise, you could write your own "backup" software using the Shadow
Copy (VSS) feature. For more information, take a look here:
http://en.wikipedia.org/wiki/Shadow_Copy
http://en.wikipedia.org/wiki/File_locking
Hope this helps;)
--
Marco Ivaldi, OPST
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
