weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

This is Alias1's pull

Browse Source
This commit is contained in:
webbreacher 2014-02-06 20:10:28 -05:00
commit 3af99b0f83
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
presence/windows/blind.md
View File

@ -12,6 +12,8 @@ The files below are things to pull when all you can do is to blindly read. Examp
| `%SYSTEMROOT%\repair\system`<br>`%SYSTEMROOT%\System32\config\RegBack\system` | This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
| `%SYSTEMROOT%\repair\SAM` <br> `%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users. Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. |
| `%WINDIR%\repair\sam`<br>`%WINDIR%\repair\system`<br>`%WINDIR%\repair\software`<br>`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry |
| `%SYSTEMROOT%\repair\SAM`<br>`%SYSTEMROOT%\System32\config\SAM`<br>`%SYSTEMROOT%\System32\config\RegBack\SAM` | Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
| `%SYSTEMROOT%\repair\SYSTEM`<br>`%SYSTEMROOT%\System32\config\SYSTEM`<br>`%SYSTEMROOT%\System32\config\RegBack\SYSTEM` | This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
| `%SYSTEMDRIVE%\autoexec.bat` | autoexec.bat is a startup script that executes at startup. As [Webopedia states](http://www.webopedia.com/TERM/A/autoexec_bat.html), “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.” |
| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. |
| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. |