Security Account Manager (SAM) [Q & A]

No explicit questions like "how do I hack xxx.com" please!
str33tl0rd
Fame ! Where are the chicks?!
Posts: 241
Joined: 04 Jul 2008, 16:00
Location: somewhere


Post by str33tl0rd »

hello

The Security Account Manager (SAM) stores the passwords and the user names of the users in an encrypted form known as the hashing algorithm, and with WinXP and upwards the hash can get encrypted as well by using SYSKEY. Now I read somewhere that the hashing process is a OW (one-way function), so it cannot be decrypted but it can be guessed (I read that in Hacking Exposed - Windows).

OK now, is that true? Or can the usernames and passwords stored in the SAM or the AD get cracked? And if they can, what program do you prefer to use?


*subject title edit by DNR, to be more descriptive*
A fool's mind is at the mercy of his tongue and a wise man's tongue is under the control of his mind. ~ Imam Ali (A.S)

pseudo_opcode
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
Location: 127.0.0.1

Post by pseudo_opcode »

it can be done,

http://en.wikipedia.org/wiki/L0phtCrack

google for more info

str33tl0rd
Fame ! Where are the chicks?!
Posts: 241
Joined: 04 Jul 2008, 16:00
Location: somewhere

Post by str33tl0rd »

Yeah, I have that progie and also ophcrack; they're both good. But I thought they did it some other way.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

please use more descriptive topic titles from now on... :wink:

simonde
forum buddy
Posts: 14
Joined: 23 Apr 2008, 16:00

Post by simonde »

Absolutely true.

If the SAM is SYSKEY encrypted, the good news is that the system knows how to decrypt it. In addition to grabbing the SAM off of the system, grab the SYSTEM file. Load both into ophcrack and you've removed the SYSKEY encryption and can access the raw hashes.

Alternately, you can run pwdump on the system to get at the live SAM without any encryption.

Once you have the hashes, assuming that you have the LANMAN hash, the cracking process is easy. While hashing is a one-way process (that's pretty much the definition of a hash), LANMAN is horrendously weak. The LANMAN hash is calculated by first padding the password out to 14 characters with null characters, converting to all uppercase, and then splitting it into two 7 character segments. These two 7 character segments are then individually hashed and the hash values are joined together to give the LANMAN hash.

This means that:

1. You only need to crack/guess a 7 character password
2. You only need to worry about upper-case letters (eliminating 26 characters from your set)


Still a lot of guessing before you get the password, which is why Rainbow Tables exist. Pull down the rainbow tables for LANMAN (alphanumeric + 32 special characters + space) -- about 60GB -- and run rainbowcrack against the hashes -- 100% success rate in recovering passwords.
C|EH, ECSA, C|EI
Halock Security Labs
http://www.halock.com
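The LM construction simonde describes above (pad to 14 bytes, uppercase, split into two independent 7-byte halves, DES-encrypt a fixed block under each half) is short enough to write out, and doing so shows exactly why the two weaknesses in his list exist. The Go program below is an added example, not code from any poster in this thread or from any tool named here. It implements the LM hash with the standard library's `crypto/des`, and adds an audit helper that classifies a stored LM hash from its structure alone: because the halves are independent, a hash whose second half equals the hash of an all-padding half proves the password is at most seven characters, which is the kind of finding an administrator would want to catch when reviewing a password dump before an attacker does (the defensive fix is to stop storing LM hashes via the NoLMHash policy). Assumptions that are mine: passwords are ASCII only (real Windows uses the OEM code page for the uppercasing), passwords over 14 characters are stored as the empty-password LM value as the thread states, the fixed DES plaintext is the well-known `KGS!@#$%`, and the function names `LMHash`/`AuditLMHash` and the pwdump-style sample lines are constructed for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that the LM scheme DES-encrypts
// under each half of the (uppercased, padded) password.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES(lmMagic) keyed with an all-zero 7-byte half, i.e. what a
// half that contains only padding hashes to. Every LM hash of a password of
// seven characters or fewer ends with it, regardless of the first half.
const EmptyHalf = "aad3b435b51404ee"

// expandKey spreads 7 password bytes (56 bits) across an 8-byte DES key,
// leaving the low bit of each key byte as the parity bit DES ignores.
func expandKey(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] >> 1
	k[1] = ((s[0] & 0x01) << 6) | (s[1] >> 2)
	k[2] = ((s[1] & 0x03) << 5) | (s[2] >> 3)
	k[3] = ((s[2] & 0x07) << 4) | (s[3] >> 4)
	k[4] = ((s[3] & 0x0F) << 3) | (s[4] >> 5)
	k[5] = ((s[4] & 0x1F) << 2) | (s[5] >> 6)
	k[6] = ((s[5] & 0x3F) << 1) | (s[6] >> 7)
	k[7] = s[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf hashes one 7-byte half: DES-encrypt lmMagic using the half as key.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(expandKey(half))
	if err != nil {
		panic(err) // cannot happen: expandKey always yields 8 bytes
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 32-hex-digit LM hash of an ASCII password.
// Assumption (from the thread): passwords longer than 14 characters are
// stored as the empty-password value, since no LM hash is kept for them.
func LMHash(password string) string {
	if len(password) > 14 {
		return EmptyHalf + EmptyHalf
	}
	buf := make([]byte, 14) // zero padding out to 14 bytes
	copy(buf, strings.ToUpper(password))
	return hex.EncodeToString(lmHalf(buf[:7])) + hex.EncodeToString(lmHalf(buf[7:]))
}

// AuditLMHash classifies a stored LM hash without cracking anything: the
// halves are independent, so a trailing EmptyHalf alone proves the password
// is at most seven characters.
func AuditLMHash(h string) string {
	h = strings.ToLower(h)
	switch {
	case h == EmptyHalf+EmptyHalf:
		return "no LM hash (empty password, >14 chars, or NoLMHash policy)"
	case strings.HasSuffix(h, EmptyHalf):
		return "LM hash stored, password is 1-7 characters"
	default:
		return "LM hash stored, password is 8-14 characters"
	}
}

func main() {
	// Constructed pwdump-style lines (user:rid:LM:NT:::); not from a real system.
	dump := []string{
		"alice:1001:" + LMHash("Summer2008") + ":<nt hash omitted>:::",
		"bob:1002:" + LMHash("qwerty") + ":<nt hash omitted>:::",
		"carol:1003:" + LMHash("a passphrase of fifteen") + ":<nt hash omitted>:::",
	}
	for _, line := range dump {
		f := strings.Split(line, ":")
		fmt.Printf("%-6s %s  -> %s\n", f[0], f[2], AuditLMHash(f[2]))
	}
	// Point 2 of the list above: case is thrown away before hashing.
	fmt.Println("case-insensitive:", LMHash("password") == LMHash("PASSWORD"))
}
```

Running it prints one audit line per constructed account; bob's hash ends in `aad3b435b51404ee` and is flagged as a short password, carol's is the empty value because her passphrase exceeds 14 characters, and the final line prints `true`. The same structural check is what makes the 7-character split so damaging: each half can be attacked on its own, and the charset is only what survives uppercasing.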

DrVirus
Fame ! Where are the chicks?!
Posts: 383
Joined: 16 May 2007, 16:00

Post by DrVirus »

Well, first let me make clear that I am no expert; there are tons of guys who are. I just thought that I might post a method to crack the SAM of Windows. Usually the popular method is to get the SAM from the target computer using some kind of software (example: NTFSPro) and then retrieve the hash code stored inside it.
Now, since the code is one way, you cannot create an algorithm to get the password. Most people use some kind of brute forcer (example: Cain and Abel) to get the key. But it takes tons of time.
I once tried to get my own password hash coded and then replace it with the password stored in the SAM. The logic was to get inside the system using my password. But then the administrator will know that I logged in, once his password is not working. So I wanted to enter the system, install a keylogger and then replace the SAM with the original one.

Now did it work ? Well that my friend you figure out yourself. By trying of course. :D

simonde
forum buddy
Posts: 14
Joined: 23 Apr 2008, 16:00

Post by simonde »

It won't work due to the marvels of SYSKEY encryption.

Replacing the SAM is not enough -- the SAM is encrypted with a 128-bit cipher. If you simply replace the SAM with one from a different system, when the target system goes to decrypt and use the SAM, the encryption keys will be different and the SAM will be non-functional.

Brute-forcing is a very bad (and, as stated, long) way to go about cracking hashes. Rainbow tables can DRAMATICALLY speed this process up.

With the inherent weaknesses of LANMAN hashing, you can reliably crack password hashes from a SAM within about 15-20 minutes. The only passwords that I have not cracked are those that are over 14 characters in length (which prevents the LANMAN hash from being stored, keeping only the NTLM hash).

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

OOB thinking

Post by DNR »

Thinking out of the box here, an idea mentioned by DrVirus:

1. Save a copy of the SAM from the target computer
2. Delete the SAM from target computer
3. Do your business on target computer
4. Reinstall the original admin SAM to target computer

Might work on pre-XP win OS?

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

simonde
forum buddy
Posts: 14
Joined: 23 Apr 2008, 16:00

Post by simonde »

Give it a shot and see what happens -- I suspect you'll be disappointed at the results ;)

I would recommend saving the SAM file and the SYSTEM file off, trying your attack, and then putting them back in place. You're likely to hork the system pretty badly.

Far more reliable is to simply crack the SAM (since you're saving it off anyway). Save the SAM and SYSTEM files from %systemroot%\System32\config, load them into ophcrack to decrypt and get at the raw hashes, and then crack the LANMAN hashes using RainbowCrack and the full LANMAN rainbow tables (alphanumeric, 32 special characters plus space -- about 60GB). I have yet to be blocked from getting the Administrator password off of a system with this approach (takes about 15 minutes). I've been blocked from getting (to date) 2 user accounts off of a system, due to the fact that the users in question used strong passwords of more than 14 characters, which prevented the LANMAN hash from being stored.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

more ideas

Post by DNR »

http://home.eunet.no/~pnordahl/ntpasswd/
I've put together a single floppy or CD which contains things needed to edit the passwords on most systems. The CD can also be installed on a USB drive, see readme.txt on the CD.


The bootdisk should support most of the more usual disk controllers, and it should auto-load most of them. Both PS/2 and USB keyboard supported.

Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2 and SP3), Windows Server 2003 (all SPs), Windows Vista 32 and 64 bit, and some say it works on Server 2008 (32 & 64 bit)
----

http://www.ubcd4win.com/index.htm

Create and burn the FREE "Ultimate Boot CD for Windows" (UBCD4WIN) and use it to reset your Windows password. The UBCD4WIN method uses some files from your Windows XP or Server 2003 (180-day trial version OK) disk to create a Windows-based system "Swiss-Army-Knife" disk that works not only for resetting your Windows passwords using the free "Password Renew" PE plugin (author Sala-Source), but also for other system administration tasks (i.e., partition editing, virus removal, system diagnostics, file recovery, securely erasing files, and more).

To use the UBCD4WIN method, just follow the straightforward "How-To" instructions provided on the UBCD4WIN website to build it (a Windows XP disk, or a Windows Server 180-day trial disk, is needed for the building), and then create a UBCD .iso image file here. After you have built your UBCD4WIN .iso file, you will need to burn it to a CDR/RW disk.
-------
BackTrack 3 - http://www.remote-exploit.org/backtrack.html
CryptCat - http://sourceforge.net/projects/cryptcat/
Free Rainbow Tables - http://rainbowtables.shmoo.com/
John the Ripper - http://www.openwall.com/john/
NetCat - http://netcat.sourceforge.net/
RainbowCrack - http://www.antsight.com/zsl/rainbowcrack/
Shmoo Group Rainbow Tables - http://rainbowtables.shmoo.com/
USB Switchblade - http://gonzor228.com/

