From: Iván Arce (ivan.arce@coresecurity.com)
Date: Wed Sep 21 2005 - 20:51:08 EDT
Warning: Commercial plug follows
All the functionality described below is part of CORE IMPACT.
What you can do in that case is:
1. Exploit box using a suitable remote exploit (gives you remote Windows API function call access to the box)
2. If you did not obtain privileged access (SYSTEM) on the box:
Use a suitable Local exploit for Windows to elevate privileges
3. Inject a Windows API function call agent into the LSASS.exe process
4. Remotely dump the SAM hashes using the agent from step 3
5. Export the dumped hashes to an LCP/L0phtCrack compatible file
All this can be done with point & click and without uploading any additional files or tools to the target system.
J. Theriault wrote:
> DokFLeed wrote:
>
>> Hey,
>> I am looking for a way to dump the SAM hashes by USER account. Assume
>> the box doesn't have CD or Floppy to boot from. No repair files, or
>> Registry SAM hashes available.
>>
>> any tools to dump the hashes for user from a cmd console
>> or should we start coding one !
>>
>> DokFLeed
>
>
> As I don't know of any tools that would allow you to do this, why not
> just combine pwdump with an exploit into one package?
>
>
> I've used the package method a few times, along the lines of:
> BATCH file calls EXPLOIT;
> EXPLOIT gives access as SYSTEM;
> SYSTEM then executes PWDUMP;
> PWDUMP dumps passwords to FILE;
> FILE is immediately sent to a remote email server via BMAIL;
> BATCH executes a second BATCH(2);
> BATCH(2) fills all other files with garbage, deletes them(;), and
> (optional) calls AT;
> AT deletes BATCH(2) and removes the directory.
>
>
> If you put that package as a self-extracting silent zip package that
> auto-executes the first batch file silently and call it via a
> download-and-execute exploit just as with the JPEG GDI+ vuln, then it
> can be instigated automatically.
>
> The compressed package is about ~90KB when self-extracting.
>
>
>
> J. Theriault
> administrator@maginetworks.com
>
> ------------------------------------------------------------------------------
>
> Audit your website security with Acunetix Web Vulnerability Scanner:
> Hackers are concentrating their efforts on attacking applications on
> your website. Up to 75% of cyber attacks are launched on shopping carts,
> forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting and other web
> attacks before hackers do! Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
--
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
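Steps 3 and 4 of the procedure above (injecting an agent into LSASS and dumping hashes through it) both require a non-system process to open a handle to lsass.exe with memory-read or thread-creation rights, which is exactly what a host-based sensor can watch for. The following is an added example, not part of the original post or of CORE IMPACT: a small detector that scans Sysmon-style ProcessAccess (Event ID 10) records for such handles. The field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon, but the key="value" line format, the sample events and the allowlist of legitimate source images are constructed assumptions for illustration.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon-style ProcessAccess
(Event ID 10) records.

The records in SAMPLE_EVENTS are constructed sample data, not a real capture.
Field names follow Sysmon (SourceImage, TargetImage, GrantedAccess); the
key="value" single-line layout is a simplification of the real event XML.
"""
import re
from dataclasses import dataclass

# Documented Win32 PROCESS_* access rights (subset) that matter for reading
# another process's memory or running code inside it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Rights needed to write and start code in the target (agent injection).
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Images that legitimately open lsass.exe on a typical host.  This allowlist is
# an assumption for the example; a real deployment tunes it to its baseline.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",
}

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    r'UtcTime="2005-09-21 20:51:08" SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
    r'UtcTime="2005-09-21 20:52:14" SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'UtcTime="2005-09-21 20:52:15" SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess="0x1fffff"',
    r'UtcTime="2005-09-21 20:53:02" SourceImage="C:\Tools\agent.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1fffff"',
    r'UtcTime="2005-09-21 20:53:30" SourceImage="C:\Program Files\Vendor\edr.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
]


@dataclass
class Finding:
    source: str      # lower-cased SourceImage path
    granted: int     # GrantedAccess as an integer mask
    reasons: tuple   # why it was flagged


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Parse one key="value" record into a dict (empty dict for junk lines)."""
    return dict(_KV.findall(line))


def classify(rec):
    """Return a Finding when a non-allowlisted process opens lsass.exe with
    memory-read or injection rights; otherwise None."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = rec.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    granted = int(rec.get("GrantedAccess", "0"), 16)
    reasons = []
    # Reading LSASS memory is the primitive behind credential dumping.
    if granted & PROCESS_VM_READ:
        reasons.append("memory read")
    # Any of the write/thread rights is enough to plant and start code.
    if granted & INJECT_MASK:
        reasons.append("code injection")
    if not reasons:
        return None
    return Finding(source, granted, tuple(reasons))


def scan(lines):
    """Run classify() over every record and collect the findings in order."""
    findings = []
    for line in lines:
        finding = classify(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT {f.source} opened lsass.exe with 0x{f.granted:x}: "
              + ", ".join(f.reasons))
```

Run against the constructed events, the detector ignores the allowlisted svchost.exe handle and the 0x1000 (query-only) handle from the EDR, skips the notepad.exe access because the target is not LSASS, and raises two alerts: the temp-directory binary with read rights, and agent.exe with PROCESS_ALL_ACCESS, which satisfies both the read and the injection checks. The allowlist is the part that needs care in practice: it should be derived from a baseline of the environment, and an unexpected image on it is itself worth a look.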
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:58 EDT