From: cwright@bdosyd.com.au
Date: Thu Dec 27 2007 - 14:06:01 EST
There are a number of methods that may be used to dump the SAM in memory. Any user with Debug privileges has effectively full access to memory (and many systems are set this way). On top of this, there are means to obtain access without authorisation.
Take Meterpreter for instance. This toolset comes with "Sam Juicer". Sam Juicer "slides" over a memory channel as a direct memory injection that leaves no disk or registry evidence (hence my push on memory forensics).
Any memory/LSASS, services channel, direct disk or registry hole can be used to get the SAM. The SAM Juicer uses the first. There are other tools for all the other levels.
Regards,
Dr Craig Wright (GSE-Compliance)
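Since the post turns on how many systems hand out the Debug privilege, the defensive check a practitioner would want is an audit of who actually holds SeDebugPrivilege. The script below is an added example, not code from the post or its author; it assumes an elevated PowerShell prompt and the stock secedit.exe, and the temp file name is arbitrary.

```powershell
# Added example (not from the original post): list every principal assigned
# SeDebugPrivilege on the local machine. Any holder can open and read process
# memory, LSASS included, which is what makes in-memory SAM dumping possible.
# Assumes an elevated prompt and secedit.exe (present on stock Windows).

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # arbitrary scratch file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF contains a line such as:  SeDebugPrivilege = *S-1-5-32-544
# secedit writes UTF-16 with a BOM, which Get-Content detects automatically.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeDebugPrivilege is not assigned to any principal.'
    return
}

# Right-hand side is a comma-separated list; entries prefixed with * are SIDs.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sidText = $entry.Substring(1)
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID)'   # orphaned or foreign-domain SID
        }
        Write-Output ("{0}`t{1}" -f $sidText, $name)
    } else {
        Write-Output $entry               # already a plain account name
    }
}
# Out of the box only Administrators (S-1-5-32-544) holds this right; every
# additional account or group in the output is a finding to review.
```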
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT