Source: NT resource kit
Client OS: Windows NT
Target OS: Windows NT
Description: REGDMP is a Windows NT resource kit utility that can be used to dump registry information from an NT server. Many NT registry keys provide key information about the server that can be used during penetration testing. The tool can be executed remotely against a server. REGDMP usually requires administrator access in order to function properly, but sometimes it will return information with only a null connection.
Use: First perform a NET USE connection to the server with an administrator account. If you do not have an administrator account, try using a null connection. The following command can be used to connect to the server with administrator access:
C:\>net use * \\server_name\ipc$ admin_password /user:administrator
Once this connection has been established, REGDMP can be executed from the command line.
C:\>regdmp -m \\server_name "key_name"
The following example of the REGDMP command and sample output extracts the Winlogon key information:
C:\>regdmp -m \\server_name "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Winlogon"
The following registry keys provide information that can be useful during testing.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Hotfix
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\NetworkCards
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\permissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSFTPSVC\parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\parameters
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
Benefit: REGDMP provides you with a command line tool for extracting key registry information from a target server. Registry keys can provide useful information that may help you to obtain unauthorized access, such as logon passwords, application passwords, service pack levels, user names, and other data.
Cons: Often you need administrator access to obtain the registry information. Also, you need to know the specific key name for the registry information you wish to obtain.
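Added example (not from the resource kit or this entry): a small audit script that parses a REGDMP dump and flags the Winlogon values listed above, so a defender can find servers that store an auto-logon password in the registry. The sample dump is constructed, and the indented "Name = data" layout is an assumption about REGDMP's output; adjust the regexes if your version differs.

```python
import re
from typing import Dict, List

# Constructed sample dump in the indented "Name = data" layout assumed for
# REGDMP output (an assumption; adjust KEY_RE/VALUE_RE if yours differs).
SAMPLE_DUMP = r"""
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [17 1 8]
    AutoAdminLogon = 1
    DefaultUserName = administrator
    DefaultDomainName = EXAMPLEDOM
    DefaultPassword = example-password
\Registry\Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes = COMNAP COMNODE
"""

# Key lines carry the NT-native path; an optional "[...]" ACL summary may follow.
KEY_RE = re.compile(r"^\\Registry\\Machine\\(.+?)(?:\s+\[[^\]]*\])?\s*$")
# Value lines are indented beneath their key: "Name = data".
VALUE_RE = re.compile(r"^\s+(\S+)\s*=\s*(.*?)\s*$")

# The Winlogon key from the list above, lower-cased and relative to HKLM.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"


def parse_regdmp(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path (lower-cased, relative to HKLM) to its {value: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1).lower()] = value_match.group(2)
    return keys


def audit_winlogon(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the Winlogon values this entry lists: auto-logon and a stored password."""
    findings: List[str] = []
    values = keys.get(WINLOGON, {})
    if values.get("autoadminlogon") == "1":
        findings.append("AutoAdminLogon enabled for user %r" % values.get("defaultusername", ""))
    if "defaultpassword" in values:
        findings.append("DefaultPassword stored in cleartext; clear it and disable auto-logon")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_regdmp(SAMPLE_DUMP)):
        print("FINDING:", finding)
```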