Re: Copying secret windows file

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Thu Dec 27 2007 - 10:08:01 EST


Hi Clone,

On Fri, 21 Dec 2007, Clone wrote:

> Hello All
>
> What is the most sensitive file you could remotely copy from a Windows
> 2003 server in case you have a remote access available to entire file
> system through an exploit? I tried copying SAM file from windows system
> root but that isn't happening. It says being used by some other process.
> Is there any other way to get this file? The SAM repair file is old and
> doesn't have my domain password cached(well does that really happens?).

You may dump the current local/domain passwords using the following tools:

http://www.foofus.net/fizzgig/pwdump/
http://meshier.com/2007/03/08/auditing-cached-credentials-with-cachedump/
http://www.metasploit.com/projects/antiforensics/SamJuicer.zip
[and more]

If you can get RDP access or similar and need to recover an actual file
that has been locked by Windows (i.e. Exchange email DBs, etc.), you can
use the NTBACKUP.EXE utility shipped with modern Windows installations.
Just type "ntbackup" at the CMD prompt and follow the wizard...

Otherwise, you could write your own "backup" software using the Shadow
Copy (VSS) feature. For more information, take a look here:

http://en.wikipedia.org/wiki/Shadow_Copy
http://en.wikipedia.org/wiki/File_locking

Hope this helps;)

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT