Using WinScanX to retrieve Windows password hashes, LSA secrets and MS CACHE hashes without copying a single file to the remote host. Read on...
Video and WinScanX (free) download link at: http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/ Retrieving password hashes, LSA secrets, and MS CACHE hashes from a remote machine can end up in disaster if things don’t go exactly as planned. Often times the LSASS.exe process dies and the machine is forced into a reboot. Often times anti-virus gets in the way. Say goodbye to all of these issues. With WinScanX (and the help of Cain & Able | http://www.oxid.it/) you can retrieve the password hashes, LSA secrets, and MS CACHE hashes from a remote machine without copying a single file to the remote host. This way the LSASS.exe process won’t be touched and anti-virus applications won’t have the chance to interfere. Saving the remote registry hives using WinScanX -y: The first thing you need to do is ensure that you have administrative access to the remote machine. Afterward, open the WinScanX GUI and enter the remote host into the Target Host(s) field. Select the “Save Remote Registry Hives” option and click Start Scan. >From the command line you would run the following: winscanx.exe -y <hostname> + + When the scan has completed you should have three new files in the root of the WinScanX directory (not the Reports directory): <HOSTNAME>-SAM <HOSTNAME>-SECURITY <HOSTNAME>-SYSTEM Extracting the passwords hashes, etc. using Cain: Open Cain, click the Decoders tab, click LSA Secrets on the left and click the blue plus sign at the top of the screen. Select the “Import Secrets from Registry Hive files” radio button and point Cain to the <HOSTNAME>-SYSTEM and <HOSTNAME>-SECURITY files that WinScanX retrieved. Click Next to finish the process of retrieving the LSA secrets. The password hashes and MS CACHE hashes can be retrieved very similarly. Click the Cracker tab, select the LM & NTLM Hashes or the MS-Cache Hashes option on the left and click the blue plus sign at the top of the screen. Point Cain to the appropriate files to complete the process. Still confused? Watch the video: Sometimes seeing something in action can make the process more clear. Feel free to watch the video of these actions being performed at: http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/