Damon Cortesi's blog

Musings of an entrepreneur.

Using Shadow Copies to Steal the SAM


As I was enjoying a fine dinner of Lipton Italian Sides one night, I came across Adi’s post on how to copy an open file with shadow copies. Not bad, I thought, and stored that little nugget of knowledge away for when I might need to do just that.

A few minutes later I remembered an old email about pwdump horking a domain controller (yes, horking is a technical term…) and wondered if I could simply copy the SAM hive (stored under %SystemRoot%\system32\config, and locked while Windows is running) using shadow copies. A few hours later, using Adi’s post as a reference, I came up with the code below.

There was one small hitch when I realized that since Windows 2000, the SAM is encrypted using the syskey. Fortunately, I came across InsidePro, which includes a couple of utilities to help out:

    - GetSyskey will extract the SYSKEY key from the SYSTEM hive.
    - GetHashes extracts hashes in pwdump format using the previously extracted SYSKEY.

Adding the decryption of the SAM into the script was pretty simple, and by running the following command you will get yourself a nice list of hashes:

    VPass.bat hashes.txt

Here is a zip file containing the batch script, vshadow (for both 2k3 and XP from the Volume Shadow Copy SDK), and the two utilities mentioned above in one happy automated script: VPass.zip
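From the defensive side, the sequence this post describes (a shadow copy gets created, then SAM and SYSTEM are read out of the shadow device path, then a hash extraction tool runs) is exactly what a process-creation log should light up on. The script below is an added example, not part of this post or the VPass.zip bundle: it parses a handful of constructed, single-line process-creation events (the `host=`/`user=`/`image=`/`cmdline=` layout is an assumption for the example, not a real log format), flags shadow-copy creation, hive reads from a `HarddiskVolumeShadowCopyN` path, and the tool names mentioned above, and escalates when a shadow-copy creation on the same host is followed by a hive read inside a short window.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample events (one process-creation record per line). The layout
# "ts host=.. user=.. image=.. cmdline=.." is an assumption for this example,
# not a real Sysmon or Security log format. None of this is real telemetry.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe notes.txt",
    "2024-01-01T10:05:12 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmdline=vssadmin create shadow /for=C:",
    "2024-01-01T10:05:15 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM C:\\Users\\Public\\sam.hive",
    "2024-01-01T10:05:16 host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\Users\\Public\\system.hive",
    "2024-01-01T02:00:00 host=SRV01 user=NT AUTHORITY\\SYSTEM image=C:\\Program Files\\Backup\\agent.exe cmdline=agent.exe --snapshot C:",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) image=(?P<image>.+?) cmdline=(?P<cmdline>.*)$"
)

# A registry hive being read straight out of a shadow-copy device path. The
# live hives are locked, so this path form is the tell.
HIVE_FROM_SHADOW = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)\b",
    re.IGNORECASE,
)
# Shadow-copy creation by the usual built-in or SDK tooling.
SHADOW_CREATE = re.compile(
    r"\b(vssadmin(\.exe)?\s+create\s+shadow|vshadow(\.exe)?|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?)\b",
    re.IGNORECASE,
)
# Hash extraction tools named in the post.
DUMP_TOOL = re.compile(r"\b(getsyskey|gethashes|pwdump)\b", re.IGNORECASE)


def parse_event(line: str) -> Optional[Dict]:
    """Split one constructed log line into fields; returns None if it does not fit."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(ev: Dict) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, detail) tuples for every indicator in one event."""
    hits = []
    hm = HIVE_FROM_SHADOW.search(ev["cmdline"])
    if hm:
        hits.append(("hive_from_shadow", "high", hm.group(1).upper()))
    if SHADOW_CREATE.search(ev["cmdline"]):
        hits.append(("shadow_create", "medium", ""))
    if DUMP_TOOL.search(ev["image"]) or DUMP_TOOL.search(ev["cmdline"]):
        hits.append(("hash_extraction_tool", "high", ""))
    return hits


def analyze(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Run the rules over the log and correlate shadow creation with hive reads per host."""
    events = [ev for ev in (parse_event(l) for l in lines) if ev is not None]
    events.sort(key=lambda e: e["ts"])
    last_shadow_create: Dict[str, datetime] = {}
    alerts = []
    for ev in events:
        for rule, severity, detail in classify(ev):
            alert = {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                     "image": ev["image"], "rule": rule, "severity": severity, "detail": detail}
            if rule == "shadow_create":
                last_shadow_create[ev["host"]] = ev["ts"]
            elif rule == "hive_from_shadow":
                prev = last_shadow_create.get(ev["host"])
                # A hive read shortly after a shadow-copy creation on the same
                # host is the full pattern from the post, so escalate.
                if prev is not None and timedelta(0) <= ev["ts"] - prev <= window:
                    alert["rule"] = "shadow_create_then_hive_read"
                    alert["severity"] = "critical"
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["severity"]}] {a["rule"]} {a["detail"]}')
```

On the sample data the backup agent on SRV01 produces nothing, the vssadmin call on WS01 is a medium alert on its own, and the two hive copies that follow it are escalated to critical. In production the shadow-creation rule needs an allowlist for legitimate backup software, and the hive-path rule should also cover other hive names and file-read telemetry, not just command lines.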