Security Basics mailing list archives

RE: How to safely obtain windows hashes remotely


From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Wed, 16 May 2007 08:19:07 -0400

Jose,

What about backups of the domain controllers or other servers?  Are they secured?  It would be fairly straightforward 
to drop a copy of the SAMs, or AD, or HKLM\secured\cache somewhere and crack the passwords offline.  What about 
dropping a copy of the email server somewhere?

We need more info about your environment to offer quality assistance.  Are your passwords stored using reversible 
encryption?  If so, john will crack them very fast.  Make sure you have the patch for john to accommodate mscache.  
Even if they aren't stored using reversible encryption, john should crack some fairly fast.  You didn't mention 
cachedump; any admin could grab all the other admins' passwords stored in the local cache from a server and crack them 
offline.

What about using a linux boot disk to grab the SAM or change the local admin password?  Several are available, and they 
would leave no trace on the file system.  Granted, the server would appear offline during this time.

If you're in a switched environment (assumed), did you span the port you were running Ettercap on?  Did you allow Cain 
to run on the segment you have SQL servers on (assuming)?  You'll grab those passwords, as they're passed in the clear.

Passwords, though, are a small part of security.  Are workstations locking?  What about servers?  How do the users feel 
about the need for security?  Are you using a stand-alone print server?  What does its log show you about what the execs 
are printing?  Etc, etc.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jose Mendoza
Sent: Tuesday, May 15, 2007 3:39 PM
To: security-basics () securityfocus com
Subject: How to safely obtain windows hashes remotely

I'm doing a PenTest/Proof of Concept in my LAN, but to date I'm quite sure everything is OK and up-to-date in terms of 
password hardening and security techniques in place.

I've tested CAIN, tried to exploit using Meterpreter, used EtterCap, PWDump and something else using a spoofed machine 
with no success at all! Hurray!

Nevertheless, my boss still doesn't believe our network is completely safe -from a technical point of view.

Does anybody know how to perform a password dump from a WinXP and/or Win2003 box remotely without a trace?

All client boxes are running XPSP2 and all servers W2003.

Thanks,

Jose Mendoza
Caracas, Venezuela
