Security Basics mailing list archives
RE: How to safely obtain windows hashes remotely
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Wed, 16 May 2007 08:19:07 -0400
Jose,

What about backups of the domain controllers or other servers? Are they secured? It would be fairly straightforward to drop a copy of the SAMs, or AD, or HKLM\secured\cache somewhere and crack the passwords offline. What about dropping a copy of the email server somewhere?

We need more info about your environment to offer quality assistance.

Are your passwords stored using reversible encryption? If so, john will crack them very fast. Make sure you have the patch for john to accommodate mscache. Even if they aren't stored using reversible encryption, john should crack some fairly fast.

You didn't mention cachedump; any admin could grab all the other admins' passwords stored in the local cache from a server and crack them offline.

What about using a Linux boot disk to grab the SAM or change the local admin password? Several are available, and they would leave no trace on the file system. Granted, the server would appear offline during this time.

If you're in a switched environment (assumed), did you span the port you were running Ettercap on? Did you allow Cain to run on the segment you have SQL servers on (assuming)? You'll grab those passwords, as they're passed in the clear.

Passwords, though, are a small part of security. Are workstations locking? What about servers? How do the users feel about the need for security? Are you using a stand-alone print server? What does its log show you about what the execs are printing? Etc., etc.

Kind Regards,
Scott Ramsdell
CISSP, CCNA, MCSE Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jose Mendoza
Sent: Tuesday, May 15, 2007 3:39 PM
To: security-basics () securityfocus com
Subject: How to safely obtain windows hashes remotely

I'm doing a PenTest/Proof of Concept in my LAN, but to date I'm quite sure everything is OK and up-to-date in terms of password hardening and security techniques in place.

I've tested CAIN, tried to exploit using Meterpreter, used EtterCap, PWDump and something else using a spoofed machine with no success at all! Hurray! Nevertheless, my boss still doesn't believe our network is completely safe, from a technical point of view.

Does anybody know how to perform a password dump from a WinXP and/or Win2003 box remotely without a trace? All client boxes are running XP SP2 and all servers W2003.

Thanks,
Jose Mendoza
Caracas, Venezuela