
Problems retrieving a SAM file


ghost wrote:

I'm very close to rooting a machine but falling at the last hurdle. I used SQL injection to get site admin access, then inserted an LFI vulnerability into a page, so now I can access any file on the machine.

I've found a SAM in C:\WINDOWS\repair\sam, so I display that to screen and try to save it as a SAM file on my PC, but LC5 says it's invalid; it looks like an encoding problem. I've tried different encodings in FF and tried IE, which I thought would work because it looked valid, but same problem.

Any way I can get this SAM without it screwing up?


ghost wrote:

Are you sure you REALLY got it? 'Cause Windows systems don't let a user access the SAM file while the system is ON (active). :matey:

I can steer you towards cracking it once you give me facts.


ghost wrote:

Actually, you can retrieve a SAM from the repair directory. As for making it work, I really can't help you out that much… sorry :(


korg (Admin from hell) wrote:

The repair/sam file is just as it states: it is a backup and is overwritten each time the machine is started, NOT reliable. You need to access C:\WINDOWS\system32\config\sam; that's your starting point. Good luck. You cannot just access it while the machine is running, but there is a way. :happy:


ghost wrote:

Surely the repair SAM can be useful, though? I tested it on my local box and LC5 read it OK; the users weren't that up to date, but it had my main account.

So do you see the problem? I can get the repair SAM (through the browser) but LC5 won't read it. Are there any other possible reasons? Maybe there is another way I can get access to the file, like using PHP to FTP it?

If you want to share that technique or give a hint, please do :) I did read about pwdump, but there is no way I can get a file onto the box, that I can think of at least.

P.S. The repair SAM is the only SAM on the machine; I did a find on it.


korg (Admin from hell) wrote:

The SAM file is in system32\config. LOL, it's there; you can't open it when it's running. Do some research on your own for cracking and finding SAM files. Maybe GOOGLE.


ghost wrote:

I do not have physical access to the machine, so I cannot reboot it, or if I do reboot it with system() in PHP I won't actually be able to do anything with it. I have already tried a few exploits, especially RDC ones because they have that running, but the machine is patched up to the hilt. So my only real chance is that there is something useful in the repair SAM. Getting it through the browser won't work, so I'm gonna try FTPing it in ASCII or fwriting it to a location in the www and saving the file itself.

I was just looking for ideas, though, so if I'm going about it in the wrong way or missing something I would appreciate a hint, other than GOOGLE.. lol.


ghost wrote:

asilvermtzion wrote: I have already done a lot of research, thanks; no need to be a patronising twat.

I do not have physical access to the machine, so I cannot reboot it, or if I do reboot it with system() in PHP I won't actually be able to do anything with it. I have already tried a few exploits, especially RDC ones because they have that running, but the machine is patched up to the hilt. So my only real chance is that there is something useful in the repair SAM. Getting it through the browser won't work, so I'm gonna try FTPing it in ASCII or fwriting it to a location in the www and saving the file itself.

Obviously, you have done a lot of research, as shown by your comments. As for the "patronizing twat" portion, I wouldn't act that way towards people trying to give you advice. Try to glean any information from any advice, even if it seems demeaning.

You say that you're able to view the \repair\SAM… have you tried copying and pasting the text into Notepad, then saving it as "sam" on your system? Finding out what account the web server is running under, then using that account to try to access C$ or IPC$?

At this point, it might help you more to dwell on the current situation rather than researching to death. Maybe a different thought process would get the job done. You could try reading others' methods in that type (or a similar) situation to get some ideas.


ghost wrote:

Thanks Zephyr, I entirely agree with your sentiment. It's slightly annoying, however, when people say GOOGLE in an ironic fashion; it's like I am posting here as a last resort, I'm not some 'tard who wants people to hack a site for them. I should show more restraint nevertheless.

I did try saving it into Notepad; I tried everything I could think of, but for some reason any modification to a SAM, in whatever program you might choose, under any encoding, immediately invalidates it. Hence I started to theorise about methods which could transfer the SAM without directly accessing the data. FTP was my first attempt; it transferred seemingly OK but wouldn't be read by LC5 or SAMDUMP. I then tried simply doing a system copy command to a web-accessible directory (I verified locally that a straight copy did not corrupt the file first), then downloaded the file directly from the browser. It worked, and I now finally have a SAM, even though it's a repair file; I'm brute-forcing it right now to see if it has anything useful.

Even if it fails, I think I've done reasonably well to get this close to rooting a server from a mere SQL injection, having only started "hacking" 2 days ago. I do really want to learn other methods though, more direct methods to achieving serious penetration.
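The "LC5 says it's invalid" symptom from the first post and the FTP/copy experiments in the post above have a mechanical explanation: a SAM is a binary registry hive, and anything that treats it as text (a PHP include rendered into an HTML page, a copy/paste through Notepad, an ASCII-mode FTP transfer) rewrites bytes, whereas a straight file copy served as a download does not. The Python script below is an added example, not code from the thread or from any of the tools named in it. It validates the documented 'regf' base block of a hive pulled off a box (signature, header checksum, sequence numbers, declared size, first hbin) and flags the two kinds of transport damage discussed here; the sample hive it builds is constructed for the demonstration and contains no real account data.

```python
"""Offline sanity check for a Windows registry hive (SAM, SYSTEM, ...) that has
been pulled off a target.  Added example, not code from the thread.  The field
layout is the documented 'regf' base-block format; build_sample_hive() makes a
constructed, empty hive so the checks can be exercised without a real SAM."""
import struct

BASE_BLOCK = 0x1000        # the base block (file header) is one 4 KiB page
CHECKSUM_OFF = 0x1FC       # XOR of the 127 dwords before it is stored here
HDR_FMT = "<4sIIQIIIIIII"  # signature, seq1, seq2, timestamp, major, minor,
                           # file type, file format, root cell, hbins size, cluster


def regf_checksum(base_block: bytes) -> int:
    """Checksum Windows keeps at 0x1FC: XOR of the dwords in 0x000..0x1FB,
    with the two degenerate results remapped (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for word in struct.unpack_from("<127I", base_block, 0):
        x ^= word
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_base_block(data: bytes) -> dict:
    """Decode the base-block fields a quick validity check needs."""
    if len(data) < BASE_BLOCK:
        raise ValueError("only %d bytes: shorter than one base block" % len(data))
    sig, seq1, seq2, ts, major, minor, ftype, ffmt, root, hbins, cluster = \
        struct.unpack_from(HDR_FMT, data, 0)
    name = data[0x30:0x70].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "signature": sig, "seq1": seq1, "seq2": seq2, "timestamp": ts,
        "version": (major, minor), "file_type": ftype, "file_format": ffmt,
        "root_cell": root, "hbins_size": hbins, "cluster": cluster, "name": name,
        "checksum_stored": struct.unpack_from("<I", data, CHECKSUM_OFF)[0],
        "checksum_calc": regf_checksum(data[:BASE_BLOCK]),
    }


def diagnose(data: bytes) -> list:
    """Return a list of problems; an empty list means the hive looks intact.
    Two heuristics at the end flag the damage done by an ASCII-mode (text)
    transfer and by a browser/editor transcoding bytes >= 0x80 into UTF-8."""
    problems = []
    if data[:4] != b"regf":
        problems.append("bad signature %r: not a registry hive at all" % data[:4])
        return problems
    try:
        hdr = parse_base_block(data)
    except ValueError as exc:
        return [str(exc)]
    if hdr["checksum_stored"] != hdr["checksum_calc"]:
        problems.append("base block checksum mismatch: header bytes were altered")
    if hdr["seq1"] != hdr["seq2"]:
        problems.append("sequence numbers differ: hive was mid-write when copied")
    expected = BASE_BLOCK + hdr["hbins_size"]
    if len(data) != expected:
        problems.append("file is %d bytes, header says %d" % (len(data), expected))
    if data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("no 'hbin' at 0x1000: data after the header is shifted or missing")
    lf, crlf = data.count(b"\n"), data.count(b"\r\n")
    if lf and lf == crlf:
        problems.append("every LF is CR LF: looks like an ASCII-mode (text) transfer")
    try:
        data.decode("utf-8")   # a real hive has negative cell sizes (0xFF bytes) and never decodes
        if any(b >= 0x80 for b in data):
            problems.append("whole file is valid UTF-8: bytes >= 0x80 were transcoded")
    except UnicodeDecodeError:
        pass
    return problems


def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed minimal hive: one base block plus one empty 4 KiB hbin.
    Not a real SAM; the timestamp and name are arbitrary test values."""
    hbins_size = 0x1000
    base = bytearray(BASE_BLOCK)
    seq2 = 2 if dirty else 1   # mismatched sequence numbers = copied mid-write
    struct.pack_into(HDR_FMT, base, 0, b"regf", 1, seq2, 0x01C8A3B4C5D6E7F8,
                     1, 3, 0, 1, 0x20, hbins_size, 1)
    base[0x30:0x36] = "SAM".encode("utf-16-le")
    struct.pack_into("<I", base, CHECKSUM_OFF, regf_checksum(bytes(base)))
    hbin = bytearray(hbins_size)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, hbins_size)
    hbin[0x20:0x31] = b"constructed-cell\n"   # one LF so the CR LF check has a sample
    return bytes(base + hbin)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for line in diagnose(blob) or ["base block looks intact"]:
        print(line)
```

Run it with the path of the file LC5 rejected; with no argument it checks the constructed sample. An intact hive is only half the job: the hashes in the SAM are encrypted with the boot key held in the SYSTEM hive (the syskey), so that hive has to come off the box by the same byte-exact route.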


korg (Admin from hell) wrote:

I have already done a lot of research, thanks; no need to be a patronising twat.

Shithead! You just joined the site and you're asking for help already, and you have the balls to say something like that! Now there's a good way to make friends with senior members. :angry:

Seeing as how you did so much research, you won't be needing any help from me. Banned from help!


ghost wrote:

I'm not going to react to that; all I will say is, if being patronised is a prerequisite to receiving advice in your forum, I'm quite content to stay away from it.


ghost wrote:

Lol Korg, you were right as well, damn it! I spent ages getting the syskey and SAM from repair, finally cracked it, and the password was…….. CHANGEME.. hahaha.. they haven't restarted the server once! FUCK!!!! arghghh

I'm all out of ideas; I have no physical access to the machine, so I can't use a boot disk etc. to access the sys32/config files…


richohealey (Python Ninja) wrote:

There are ways to dump the sysconfig one. Think about it like this: the code stopping you was coded by M$… what are the odds that it works?!


spyware (Banned) wrote:

1 to 22, I guess.


richohealey (Python Ninja) wrote:

Thanks spy :)


ghost wrote:

Good point actually; considering L0phtCrack can retrieve the sys32/config file locally, there must be a way… maybe registry or something? I tried pwdump2 locally but it caused a critical error in lsass.exe… time for some more research, I guess.


ghost wrote:

Fritzo wrote: [quote]korg wrote: [quote]I have already done a lot of research, thanks; no need to be a patronising twat.[/quote]

Shithead! You just joined the site and you're asking for help already, and you have the balls to say something like that! Now there's a good way to make friends with senior members. :angry:

Seeing as how you did so much research, you won't be needing any help from me. Banned from help!

Shut up and Go Die in a Hole…[/quote]

btw, post count != intelligence (usually)

geez, it's like a freakin' civil war here :P


ghost wrote:

So, if we could forget the little tiff, I'd be grateful.

Because this is troubling me still… does anyone know an easy way to find out what user is currently in use? I can't do ECHO %USERNAME% because PHP will interpret the echo and simply print the statement.

In terms of dumping the hashes without rebooting, I have tried fgdump locally but I get this:

Service not found. Installing CacheDump Service (C:\DOCUME~1\xpusr\LOCALS~1\Temp\cachedump.exe -s)
CacheDump service successfully installed.
Service started.
ERROR ConnectNamedPipe function failed. (code 535)
Service currently active. Stopping service…
Service successfully removed.

The way I'm going to try doing it is, if IIS is running as Admin, using the LFI hole I created to upload fgdump and then running it remotely through PHP. The thing is, fgdump doesn't work locally, so I'm not sure whether I should try it on the target, and pwdump, which I also tried, caused a fatal error in lsass, so I REALLY don't want to reproduce that on the target, because then I'm stuffed. To put it plainly, I need to be absolutely sure, or as sure as possible, that the dump is not going to reboot the machine, because that would make clean-up impossible.


korg (Admin from hell) wrote:

[Offtopic] This is not aimed at anyone, but Fritzo, you're an ass. You weren't even involved in this forum, so keep your comments to yourself; you have no clue.

PS: I did die in a hole last night, your MOM'S!

I'm done now:D


ghost wrote:

korg wrote: [Offtopic] This is not aimed at anyone, but Fritzo, you're an ass. You weren't even involved in this forum, so keep your comments to yourself; you have no clue.

PS: I did die in a hole last night, your MOM'S!

I'm done now:D

While we're offtopic…

[offtopic] How about we just sum it all up and say that everyone flaming and responding to flames in this thread is being an ass? No comment on the other parts of your posts. [/offtopic]

To the OP, good luck with resolving your problem. It looks as if you're getting to learn quite a bit through the experience.


ghost wrote:

Thanks a lot, guys. Lots of info (in the form of keywords) in this thread to learn.

Though I didn't completely get it, I will try my best and will trouble you if I need any help.


ghost wrote:

Well, I'm glad my thread helped someone; I still haven't managed my objective. :(


ghost wrote:

But you really did great work, dude.

Great going!!! :)