So after my last article, in which I describe an alternative way to execute code on a remote machine if you have the local administrator’s password, I kept wondering what else could be done with the remote registry? The first thing I immediately thought of was dumping the windows hashes. The reason I thought of this was because it would have several advantages:
- You would not need to bypass anti virus
- You would not need to worry about uploading executable files
- You would not need to worry about spawning new processes on the remote machine
- You would only need one open port
Since I dislike reinventing the wheel (unless it’s for educational purposes) I started to first search around and see what current methods are available. As far as I can tell they all boil down to the following:
- Use psexec to dump hashes by
- Spawning a new process and running reg.exe
- Uploading your own executable and running it
- Use WMI to spawn a new process and run reg.exe
- Use Windows tools
- regedit.exe / reg.exe
- Third party (WinScanX)
If you are not interested in my first failed attempt, the learned things you can skip directly to the script on GitHub as usual. Keep reading if you want to know the details. In case you are wondering: Yes I used impacket, it rocks.
Continue reading “Remote hash dumping: no processes or tool upload needed”
DiabloHorn 