Re: Re: Copying secret windows file

From: cwright@bdosyd.com.au
Date: Thu Dec 27 2007 - 14:06:01 EST

Next message: Morgan Reed: "Re: RFID cloning and overall security"
Previous message: Jason M. Beauford: "RE: Skype"
Maybe in reply to: Marco Ivaldi: "Re: Copying secret windows file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) Hi,
Sorry to destroy your sense of insecurity, but this is not the case.

There are a number of methods that may be used to dump SAM in memory. Any user with Debug privilages has effectively full access to memory and many system are set this way). On top of this, there are means to obtain access without authorisation.

Take Meterpreter for instance. This toolset comes with "Sam Juicer". Sam Juicer "slides" over a memory channel as a direct memory injection that leaves no disk or registry evidence (hence my push on memory forensics).

Any memory/LSASS, services channel, direct disk or registry hole can be used to get the SAM. The SAM Juicer uses the first. There are other tools for all the other levels.

Regards,
Dr Craig Wright (GSE-Compliance)

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Next message: Morgan Reed: "Re: RFID cloning and overall security"
Previous message: Jason M. Beauford: "RE: Skype"
Maybe in reply to: Marco Ivaldi: "Re: Copying secret windows file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT