Over the last few days, I have been playing with WinScanX, a free command-line tool for querying Windows service information over SMB. WinScanX combines many of the essential tools used during a penetration test into a single utility. One of the more interesting features is the "-y" flag, which instructs WinScanX to save a copy of the remote machine's SAM, SECURITY, and SYSTEM registry hives. These three hives can then be used offline with Cain and Abel or creddump to dump the LM/NTLM password hashes, view cached domain credentials, and decrypt LSA secrets. All very useful pieces of data for a penetration test.
The traditional way to obtain this information is by injecting a thread into the LSASS.exe process, calling various undocumented Windows APIs, and exporting the decrypted data back out. The problem with this method is that process injection is not necessarily reliable, especially when third-party security products interfere with the injection code. Any crash in the LSASS.exe process will force the OS to halt or reboot.
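Before feeding saved hives to creddump or Cain, it is worth confirming that each file is actually a complete, consistent registry hive rather than a truncated or corrupted copy: a bad hive produces garbage hashes with no error. The following Python check is an added example (not code from the original post, WinScanX, or creddump). It parses the 512-byte "regf" base block at the start of every hive file, verifies the signature, the stored checksum (XOR of the 127 DWORDs preceding it, with 0xFFFFFFFF mapped to 0xFFFFFFFE and 0 mapped to 1), and that the primary and secondary sequence numbers match, which tells you whether the hive was flushed cleanly. The `build_base_block` helper constructs synthetic test data so the check can run offline; it does not produce a usable hive.

```python
import struct
from dataclasses import dataclass, field
from typing import List

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512      # the base block is the first 512 bytes of a hive file
FILE_TYPE_PRIMARY = 0      # 1 would be a transaction log (.LOG1/.LOG2), not a hive


def regf_checksum(block: bytes) -> int:
    """Checksum stored at offset 508: XOR of the 127 little-endian DWORDs before it,
    with 0xFFFFFFFF mapped to 0xFFFFFFFE and 0 mapped to 1."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


@dataclass
class HiveHeader:
    name: str                 # file name embedded in the hive, e.g. ...\Config\SAM
    primary_seq: int
    secondary_seq: int
    major: int
    minor: int
    file_type: int
    root_cell_offset: int
    hbins_size: int
    problems: List[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return not self.problems


def parse_base_block(block: bytes) -> HiveHeader:
    """Parse and sanity-check a regf base block. Raises ValueError if it is not one."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("need at least 512 bytes for a regf base block")
    if block[:4] != REGF_MAGIC:
        raise ValueError("missing 'regf' signature: not a registry hive")
    primary_seq, secondary_seq = struct.unpack_from("<II", block, 4)
    # offsets 20..43: major, minor, file type, format, root cell offset, hbins data size
    major, minor, file_type, _fmt, root_off, hbins_size = struct.unpack_from("<6I", block, 20)
    # embedded file name: up to 32 UTF-16LE characters at offset 48
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]

    hdr = HiveHeader(name, primary_seq, secondary_seq, major, minor,
                     file_type, root_off, hbins_size)
    computed = regf_checksum(block)
    if stored != computed:
        hdr.problems.append(
            f"checksum mismatch (stored 0x{stored:08x}, computed 0x{computed:08x})")
    if primary_seq != secondary_seq:
        hdr.problems.append(
            "sequence numbers differ: hive was not flushed, transaction logs needed")
    if major != 1:
        hdr.problems.append(f"unexpected major version {major}")
    if file_type != FILE_TYPE_PRIMARY:
        hdr.problems.append(f"file type {file_type} is not a primary hive file")
    return hdr


def check_hive_file(path: str) -> HiveHeader:
    """Check a saved hive on disk (e.g. the SAM/SECURITY/SYSTEM copies from a dump)."""
    with open(path, "rb") as f:
        return parse_base_block(f.read(BASE_BLOCK_SIZE))


def build_base_block(name: str, primary_seq: int = 1, secondary_seq: int = 1,
                     file_type: int = FILE_TYPE_PRIMARY,
                     root_off: int = 0x20, hbins_size: int = 0x1000) -> bytes:
    """Construct a synthetic base block (test data only, not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    # major 1, minor 5, file type, format 1 (direct memory load), root offset, hbins size
    struct.pack_into("<6I", block, 20, 1, 5, file_type, 1, root_off, hbins_size)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hdr = check_hive_file(path)
        status = "OK" if hdr.usable else "; ".join(hdr.problems)
        print(f"{path}: {hdr.name!r} seq={hdr.primary_seq}/{hdr.secondary_seq} {status}")
```

Run it as `python hivecheck.py SAM SECURITY SYSTEM` against the saved copies; a sequence-number mismatch means the copy captures an unflushed hive and the matching .LOG1/.LOG2 transaction logs would have to be replayed before the contents can be trusted.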