I've grabbed the SAM file from remote IIS servers in my younger years and cracked the passwords locally.
Buffer overflow the web service, bind a command shell to a port running as the system account (by having the system execute shellcode used in the buffer overflow), netcat to your open port, ftp the SAM (located in the repair directory) to somewhere you can retrieve it, download the file, delete all of the logs, crack the file.
Hard drive encryption would have done nothing to prevent this.
> Hard drive encryption would have done nothing to prevent this.
And it's quite common in corporate environments for PGP Desktop HDD encryption to be set up to use the Windows password as the key to accessing the HDD encryption key(s).
For this reason we're advised not to put our laptops in sleep mode when transporting the laptop, as someone finding the laptop could do something like the above (remote exploit and then get access). When coming out of hibernation, PGP Desktop requires the HDD password to be provided so that it isn't in an exploitable state.