Exporting the Registry for Fun and Profit

Over the last few days, I have been playing with WinScanX, a free command-line tool for querying Windows service information over SMB. WinScanX combines many of the essential tools used during a penetration test into a single utility. One of the more interesting features is the "-y" flag, which instructs WinScanX to save a copy of the remote registry hives for SAM, SECURITY, and SYSTEM. These three hives can be used in conjunction with Cain and Abel or creddump to dump the LANMAN/NTLM hashes, view cached credentials, and decrypt LSA secrets. All very useful pieces of data for a penetration test. The traditional way to obtain this information is by injecting a thread into the LSASS.exe process, calling various undocumented Windows APIs, and exporting the decrypted data back out. The problem with this method is that process injection is not necessarily reliable, especially when third-party security products interfere with the injection code. Any crash in the LSASS.exe process will force the OS to halt or reboot, which is far from stealthy and generally not what you want to have happen to a client's domain controller during a penetration test. The injection method is implemented by pwdump, fgcache, cachedump, and the "hashdump" command in the Metasploit Meterpreter payload. Since imitation is the sincerest form of flattery, I looked into (continue reading...)

Source: Metasploit

Copyright © 2012 The Security Blog. All rights reserved.