NTSecAdvice Archives: Re: remote sam copy

Re: remote sam copy


Ken Brady (kbradyADOBE.COM)
Wed, 3 Nov 1999 21:32:52 -0800


-----Original Message-----
From: david nercle [mailto:dnercleNETSCAPE.NET]
Sent: Wednesday, November 03, 1999 7:10 PM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: remote sam copy

Does anyone know of a way to remotely copy open sam files from
\winnt\system32\config?
I've used utilities that can extract user names and password hashes on a
local machine, by using system privileges (e.g. samdump2.exe), but nothing
to do it remotely. I thought there might be some form of remote rdisk, but
I haven't found this. I have admin privileges, so you think it would be
possible


--------------------------------------------------------------------------------

This is an article by Alessandro Iacopetti that was posted in the April 1999
issue of Windows NT Magazine that should help you to get this to work.

********************************************************************
ERDs and RDISK
If you're like some administrators, updating (or creating) Windows NT
Emergency Repair Disks (ERDs) occurs to you only when you need to use one.
Most administrators who fail to create or update ERDs do so out of
carelessness rather than because they know of another way to repair NT.
You'll be interested to know that you can repair NT without an ERD. (For
information about ERDs, see Michael D. Reilly, "The Emergency Repair Disk,"
January 1997.)

When you run the rdisk /s command, the \winnt\system\repair directory
receives an updated Registry backup. The system uses these files when you
attempt a repair installation of NT and you tell the installer you don't
have an ERD. Thus, you can perform a complete repair of NT without ERDs if
your repair directory is up-to-date.

To ensure that your repair directory is up-to-date, use a simple AT command
such as AT 00:00 /every:su rdisk /s-. (The hyphen after the /s switch
bypasses the rdisk prompt to insert a disk.) I typically schedule rdisk to
run only on Sundays, so I can test new configurations all week before I
commit them.

If you have a hard disk failure, an updated repair directory is useless and
you'll need an ERD. Because an ERD is just an NT-formatted disk that
contains the repair directory's contents, you can easily create one at any
time if you store the repair directory centrally.

Select a server or workstation in your domain. (I'll call it the REPAIR
server.) Configure the Scheduler service to start automatically and to run
with a newly created account. This account (which I'll call SCHEDULE) must
be a member of the Domain Admins group. Create a directory (e.g., RDISKPLUS)
on the REPAIR server, and copy rdiskplus.bat into it. (Listing 2 contains
rdiskplus.bat.) Create a text file (e.g., serverlist.txt) that contains the
names of all your servers, with one server on each line. Schedule RDISKPLUS
on the REPAIR server with the following command:

AT 00:10 /EVERY:SU CMD /C "C:\RDISKPLUS\RDISKPLUS.BAT >C:\RDISKPLUS\RDISKPLUS.LOG 2>&1"

Then, on every server in the serverlist.txt file, schedule the rdisk /s-
command. If you've already configured the Scheduler service to start
automatically, you can simply type

FOR /F "DELIMS=*" %I IN ('TYPE SERVERLIST.TXT') DO AT \\%I 00:00 /EVERY:SU RDISK /S-

For each of your servers, rdiskplus.bat creates a directory (named after the
server) under C:\RDISKPLUS that contains the entire repair directory. Then,
you can create an ERD at any time by formatting a disk and copying the
server's directory contents onto it.

—Alessandro Iacopetti
a.iacopetticedacriovest.it

Here's the script:

Listing 2: Rdiskplus.bat
@echo off

REM
REM *** RDISKPLUS.BAT
REM *** Centralized Management for RDISKs
REM
REM *** Alessandro Iacopetti - 12/10/1998
REM *** a.iacopetticedacriovest.it
REM

cd /d %~dp0
for /f "delims=*" %%i in ('type serverlist.txt') do call :cp_rdisk %%i
goto :eof

:cp_rdisk
REM *** Creates a directory for each of the servers
mkdir %1
cd %1

REM *** Note: robocopy is from the resource kit
REM *** you can use a simple copy instead

robocopy \\%1\ADMIN$\REPAIR . /e /np /r:10
cd ..
goto :eof

--------------------------------------------------------------------------------
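The tree that rdiskplus.bat builds holds every server's repair copy of the SAM (sam._), so C:\RDISKPLUS on the REPAIR server needs tight ACLs. The batch file below is an added example, not part of the original post or the quoted article; it assumes the C:\RDISKPLUS layout and serverlist.txt described above, and the file name lockdown.bat is hypothetical.

```batch
@echo off
REM *** LOCKDOWN.BAT (hypothetical name) - added example, not from the article
REM *** Run on the REPAIR server after rdiskplus.bat has collected the copies.
REM *** Assumes C:\RDISKPLUS\<server>\ per server and serverlist.txt in C:\RDISKPLUS.
setlocal
cd /d C:\RDISKPLUS

REM *** rdisk /s writes the SAM and SECURITY hives into the repair directory
REM *** as sam._ and security._, so every collected copy carries password hashes.
REM *** Replace the ACL on the whole tree: Administrators and SYSTEM only.
REM *** Without /E, CACLS asks "Are you sure (Y/N)?", hence the piped "y".
REM *** The SCHEDULE account keeps access through its Domain Admins membership.
echo y| cacls . /T /G Administrators:F SYSTEM:F

REM *** Show the resulting ACL so it ends up in any redirected log.
cacls .

REM *** Inventory: which server directories hold account-database backups.
for /f "delims=*" %%i in ('type serverlist.txt') do call :check %%i
goto :eof

:check
set found=no
if exist "%1\sam._" (echo %1: sam._ present & set found=yes)
if exist "%1\security._" (echo %1: security._ present & set found=yes)
if "%found%"=="no" echo %1: no account-database backup collected
goto :eof
```

Any ERD floppy made from these directories carries the same files and needs the same physical protection as the directory itself.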



This archive was generated by hypermail 2.0b3 on Thu Nov 04 1999 - 07:53:21 CST