§ Obtaining the SAM\Password Hashes
Wow, how wonderful. Now we know where the goods are, and the problem is this:
"How do I get my hands on those hashes?" The answer is "one of four ways."
1) Probably the easiest way to do this is to boot your target machine to an
alternate OS like NTFSDOS or Linux and just copy the SAM from the
%systemroot%\system32\config folder. It's quick, it's easy, and it's effective.
You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com).
The regular version of NTFSDOS is freeware, which is always nice, but only allows
read-only access. This should be fine for what you want to do. However, if
you're the kind of person who just has to have total control and has some money to
burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll
cost you $299.
2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk
has been run and you are lucky enough to have a sloppy admin who left the backup there.
3) You can also get password hashes by using pwdump2. pwdump2 uses DLL injection in
order to run under the SYSTEM account and view the password hashes stored in the registry.
It then pulls the hashes from the registry and stores them in a handy little text
file that you can then import into a password cracking utility like l0phtcrack.
4) The final way to obtain password hashes is to listen directly to the network
traffic as it floats by your computer and grab hashes using the above-mentioned