I am currently in the password cracking section of my studies, and much to my dismay, the written part of the guide seems to have glossed over acquiring passwords for Windows and Nix systems. I'm sure the videos will provide examples, but the forums are here for a reason, might as well use them.

So I know that during system hacking, password files are often transferred from the remote machine to the hacker's computer. Starting with windows, how is this done? Obviously the hacker gets remote access and a command prompt, probably of a limited user.  Can the SAM be accessed with a LU account, or does it require elevated privileges?

So I just learned about the SYSKEY function. This seems to be a mute point because I know I have cracked passwords offline using LC5 and Ophcrack. So I need to ask, if syskey something I need to be aware of when conducting password attacks?

Most importantly, how do I dump the SAM remotely? I'm on youtube now, but i'm guessing most videos will be showing local dumps.

Of course the same question needs to be asked of linux, how do I retrieve the shadow file and dump them to a remote pc (my attacking pc)?

Thanks for posting this links, KillJ0y.  I've yet to watch the vids on the 2nd link, but the first video is great.  This is the first I've heard of masking for password cracking.  Is that something new or am I just behind the times?

As for Windows, just as KillJ0y said, you can use Metasploit to grab the hashes.  Reversespace has been doing Metasploit classes following Offensive Security's "Metasploit Unleashed."  During their week 1 class (can be found here: http://www.grmn00bs.com/), Georgia shows an example of exploiting MS08_067 using a payload that drops into meterpreter.  Once in meterpreter, you can issue a command that prints all the usernames and their respective hashes on the screen.  Then use whichever method you prefer to crack them.

I'm new to Metasploit, so if I've misworded something or understood something incorrectly, anybody please correct me

Thanks to all for some stuff that is over my head lol. I'm still trying to understand that "meterpreter"stuff.

In any case, what about Netcat? I see that it is a popular tool, and I hear it has the ability to transfer files. I assume I would need to get a copy on the remote computer and one on my local computer. Which would be the listener, and which would connect? How do I get nc on the remote machine?

it also appears it is for nix only, so I suppose I need to look at that MSU article referenced above.

yeah, that article focuses on getting the SAM locally, which isnt the goal in this exercise, though it may be useful to someone reading this.

I assume that either during my CPT examination, or at some other time, I will need to get a SAM from over the internet. Also, looking at my W7 box, there doesn't appear to be a C:\Windows\Repair directory, perhaps it is not included in W7 or has been renamed.

I found a link to a post here on the forums, from the Remote Exploit forums that explains one way to do it on windows:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,533.0/

A also found a video that shows how to do the meterpreter exploit.

http://www.youtube.com/watch?v=XbG8qW_COaQ

of course the the video shows how to perform this when you are "in control" of both machines. I would need to find a way to get the executable on the "remote" pc and execute the binary without user interaction.

*sighs*

this course has taught me a few things, but i'm still comming up with the same questions. I think the problem is they are not presenting the material the same way a test would go...

For instance (I know this is off topic),

The syllabus goes from network recon to service identification to breaking passwords... the first two are good, but I cant crack the passwords until I have access to the machine, which hasn't been taught yet...

I just skimmed this thread and may have missed this, but what course are you doing?

As others noted, if you can use Metasploit to exploit a vulnerability on the target system, you can use hashdump via the meterpreter payload's priv module to obtain the hashes.

If you have credentials and the requisite network connectivity, you can use pwdump/fgdump to obtain the hashes remotely.

Physical access allows you to boot to an alternate OS and retrieve the actual/backup SAM files (or LiveCD for cracking that specific system).

You can also use pwdump/fgdump locally. Just run one of those on your own system with no options and load the hashes into Ophcrack with the free tables to get a feel of that process.

As I'm sure you know, Linux uses /etc/passwd and /etc/shadow, but the idea is the same. Use credentials or exploits (or leverage a horrible misconfiguration) to gain access. You can combine the files with JTR (unshadow) and crack away. The salt used for the passwords will require you to use a brute-force/dictionary/hybrid method instead of rainbow tables.

If you really need to crack a hash, you'll save a bunch of time by paying the guys at question-defense. They're setup to do it. It costs $5 & up.