Re: SAM user dump

From: Stephan (schenette@gmail.com)
Date: Fri Sep 23 2005 - 20:14:03 EDT


DokFLeed,

You check out "Sam Juicer" from the Metasploit Anti-Forensics
Project, which dumps the hashes from the SAM. It's similar to pwdump
but it doesn't ever hit disk.

http://metasploit.com/projects/antiforensics/

The website says it's coming soon, so I'm not sure when it's actually
going to be released.

-SC

On 9/21/05, Iván Arce <ivan.arce@coresecurity.com> wrote:
> Warning: Commercial plug follows
>
> All the functionality described below is part of CORE IMPACT.
> What you can do in that case is:
> 1. Exploit box using a suitable remote exploit (gives you remote Windows
> API function call access to the box)
> 2. If you did not obtain privileged access (SYSTEM) on the box:
> Use a suitable Local exploit for Windows to elevate privileges
> 3. Inject a Windows API function call agent into the LSASS.exe process
> 4. Remotely dump the SAM hashes using the agent from step 3
> 5. Export the dumped hashes to an LCP/L0phtCrack compatible file
>
> All this can be done with point & click and without uploading any
> additional files or tools to the target system.
>
>
> J. Theriault wrote:
> > DokFLeed wrote:
> >
> >> Hey,
> >> I am looking for a way to dump the SAM hashes by USER account. Assume
> >> the box doesn't have CD or Floppy to boot from. No repair files, or
> >> Registry SAM hashes available.
> >>
> >> Any tools to dump the hashes for user from a cmd console,
> >> or should we start coding one!
> >>
> >> DokFLeed
> >
> >
> > As I don't know of any tools that would allow you to do this, why not
> > just combine pwdump with an exploit into one package?
> >
> >
> > I've used the package method a few times, along the lines of:
> > BATCH file calls EXPLOIT;
> > EXPLOIT gives access as SYSTEM;
> > SYSTEM then executes PWDUMP;
> > PWDUMP dumps passwords to FILE;
> > FILE is immediately sent to a remote email server via BMAIL;
> > BATCH executes a second BATCH(2);
> > BATCH(2) fills all other files with garbage, deletes them(;), and
> > (optional)
> > calls AT;
> > AT deletes BATCH(2) and removes the directory.
> >
> >
> > If you put that package as a self-extracting silent zip package that
> > auto-executes the first batch file silently and call it via a
> > download-and-execute exploit just as with the JPEG GDI+ vuln, then it
> > can be instigated automatically.
> >
> > The compressed package is about ~90KB when self-extracting.
> >
> >
> >
> > J. Theriault
> > administrator@maginetworks.com
> >
> > ------------------------------------------------------------------------------
> >
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> > Hackers are concentrating their efforts on attacking applications on
> > your website. Up to 75% of cyber attacks are launched on shopping carts,
> > forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
> > servers are futile against web application hacking. Check your website
> > for vulnerabilities to SQL injection, Cross site scripting and other web
> > attacks before hackers do! Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > -------------------------------------------------------------------------------
> >
> >
>
> --
> ---
> To strive, to seek, to find, and not to yield.
> - Alfred, Lord Tennyson Ulysses,1842
>
> Ivan Arce
> CTO
> CORE SECURITY TECHNOLOGIES
>
> 46 Farnsworth Street
> Boston, MA 02210
> Ph: 617-399-6980
> Fax: 617-399-6987
> ivan.arce@coresecurity.com
> www.coresecurity.com
>
> PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
>
>
>
>
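
For defenders reading this thread: the batch chain J. Theriault describes (a dump tool running as SYSTEM, then BMAIL, then AT for cleanup) leaves an ordered run of process starts on one host. The following is an added example, not code from any poster in this thread; the event layout, the five-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Stages of the quoted chain, in order: dump tool, mailer, AT cleanup.
# Matching on image names is an assumption; a renamed binary would not match.
STAGES = [
    lambda name: name.startswith("pwdump"),
    lambda name: name == "bmail.exe",
    lambda name: name == "at.exe",
]
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed process-start events: (host, timestamp, user, image).
EVENTS = [
    ("WS01", "2005-09-21 10:00:02", "alice", "cmd.exe"),
    ("WS01", "2005-09-21 10:00:05", "SYSTEM", "pwdump.exe"),
    ("WS01", "2005-09-21 10:00:09", "SYSTEM", "bmail.exe"),
    ("WS01", "2005-09-21 10:00:12", "SYSTEM", "cmd.exe"),
    ("WS01", "2005-09-21 10:00:15", "SYSTEM", "at.exe"),
    ("SRV02", "2005-09-21 11:30:00", "admin", "at.exe"),     # routine scheduling only
    ("WS03", "2005-09-21 12:00:00", "SYSTEM", "pwdump.exe"),
    ("WS03", "2005-09-21 14:00:00", "SYSTEM", "bmail.exe"),  # too late to correlate
    ("WS03", "2005-09-21 14:00:05", "SYSTEM", "at.exe"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_chains(events, window=WINDOW):
    """Return (host, start, end) where all stages occur in order within the window."""
    by_host = {}
    for host, ts, user, image in sorted(events, key=lambda e: (e[0], parse(e[1]))):
        by_host.setdefault(host, []).append((parse(ts), user, image.lower()))
    alerts = []
    for host, rows in by_host.items():
        for i, (start, user, image) in enumerate(rows):
            # A chain starts at a dump tool running as SYSTEM.
            if not STAGES[0](image) or user.upper() != "SYSTEM":
                continue
            stage, end = 1, start
            for when, _, img in rows[i + 1:]:
                if when - start > window:
                    break
                if STAGES[stage](img):
                    stage, end = stage + 1, when
                    if stage == len(STAGES):
                        alerts.append((host, start, end))
                        break
    return alerts
```
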


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:59 EDT