hash dumping

Post by snapson »

Ok, well, I want to dump the Windows hash into a file and then actually be able to access that file later, so how do I do that? I know that the hash is dumped after the BSoD, but where can I locate it, and can I make Windows dump the hash without having to crash the system?

Hey, it's a noob Q but I am curious.

Post by bad_brain »

Um, I'm not sure what you mean by "hash" (a hash is an encrypted string), but I think you mean event viewer:
To open Event Viewer, click Start, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer.
you'll find a lot of info there.... :wink:

for more details check here.

Post by sternbildchen »

Maybe he wants the hash from the Sam file. ^^ ?
But I'm as unsure as you are, b_b.

What do you really mean snapson?

SAM files and how-to

Post by DNR »

(edited from hackinthebox.org By: Grifter (2600 Salt Lake City))


You can find the SAM on the hard drive in the folder %systemroot%\system32\config. However this folder is locked to all accounts including Administrator while the machine is running. The only account that can access the SAM file during operation is the "System" account.

You may also be able to find the SAM file stored in %systemroot%\repair if the NT Repair Disk Utility a.k.a. rdisk has been run and the Administrator has not removed the backed up SAM file.

The final location of the SAM or corresponding hashes can be found in the registry. It can be found under HKEY_LOCAL_MACHINE\SAM. This is also locked to all users, including Administrator, while the machine is in use.

So the three locations of the SAM\Hashes are:

- %systemroot%\system32\config

- %systemroot%\repair (but only if rdisk has been run)

- In the registry under HKEY_LOCAL_MACHINE\SAM

§ Obtaining the SAM\Password Hashes

Wow, how wonderful. Now we know where the goods are, and the problem is this... "How do I get my hands on those hashes?" The answer is "One of four ways."

1) Probably the easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder. It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com). The regular version of NTFSDOS is freeware, which is always nice, but only allows for Read-Only access. This should be fine for what you want to do; however, if you're the kind of person that just has to have total control and has some money to burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access but it'll cost you $299.

2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk has been run and you are lucky enough to have a sloppy admin.

3) You can also get password hashes by using pwdump2. pwdump uses .DLL injection in order to use the system account to view the password hashes stored in the registry. It then pulls the hashes from the registry and stores them in a handy little text file that you can then import into a password cracking utility like l0phtcrack.

4) The final way to obtain password hashes is to listen directly to the network traffic as it floats by your computer and grab hashes using the above mentioned l0phtcrack.

§ Cracking Password Hashes

With the hashes in hand and an eagerness to find out what passwords lie waiting, let's get cracking. While there are numerous programs available for the use of password cracking, I will quickly cover two of the most popular ones.

John the Ripper - John the Ripper is to many, the old standby password cracker. It is command line which makes it nice if you're doing some scripting, and best of all it's free. The only real thing that JtR is lacking is the ability to launch Brute Force attacks against your password file. But look at it this way, even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack. Not bad, not bad at all.

L0phtCrack - Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake. And with a price tag of $249 for a single user license it sure seems like everyone owns it. Boy, @Stake must be making a killing. :) This is probably the nicest password cracker you will ever see, with the ability to import hashes directly from the registry ala pwdump and dictionary, hybrid, and brute-force capabilities. No password should last long. Well, I shouldn't say "no password". But almost all will fall to L0phtCrack given enough time.

§ Injecting Password Hashes into the SAM

Probably one of my favorite and easiest ways to gain Administrator privileges on a machine is by injecting password hashes into the SAM file. In order to do this you will need physical access to the machine and a brain larger than a peanut. Using a utility called "chntpw" by Petter Nordahl-Hagen you can inject whatever password you wish into the SAM file of any NT, 2000, or XP machine, thereby giving you total control. I would suggest backing up the SAM file first by using an alternate OS. Go in, inject the password of your choosing. Login using your new password. Do what you need to do. Then restore the original SAM so no one knows you were there.

(end edited article)

Beware of the syskey:

"The Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows 2003 Security Accounts Management Database (SAM) stores hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes are encrypted. Windows prevents the use of stored, unencrypted password hashes.

You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database"

"The System Key is defined using the command Syskey.exe. Only members of the Administrators group can run the Syskey.exe command. The utility is used to initialize or change the System Key. "

http://support.microsoft.com/default.aspx?kbid=310105

---

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
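
A defender's check for the backup location described in the post above, as an added example that is not part of the original post or the quoted article: it lists any SAM copies left in the repair folder and the SIDs, other than SYSTEM and Administrators, that hold an Allow entry on them. The function name `Get-SamBackupExposure` and the `SAM*` file-name filter are assumptions; run it from an elevated PowerShell prompt on the host being audited.

```powershell
# Added example, not from the thread. Get-SamBackupExposure is a hypothetical name.
# Assumption: run from an elevated prompt on the host being audited.
function Get-SamBackupExposure {
    param(
        # Default is the rdisk backup folder named in the post.
        [string[]]$Directory = @(Join-Path $env:SystemRoot 'repair')
    )
    # Well-known SIDs (locale independent): LocalSystem and BUILTIN\Administrators.
    $expectedSids = 'S-1-5-18', 'S-1-5-32-544'

    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # 'SAM*' (assumed filter) matches a plain copy and renamed or compressed variants.
        $copies = Get-ChildItem -LiteralPath $dir -Filter 'SAM*' -File -Force -ErrorAction SilentlyContinue

        foreach ($file in $copies) {
            # Ask for the rules with SID identities so group names need no translation.
            $acl   = Get-Acl -LiteralPath $file.FullName
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

            # Any Allow entry for a principal outside the expected set is worth a look.
            $others = @($rules |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $expectedSids -notcontains $_.IdentityReference.Value } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique)

            [pscustomobject]@{
                Path          = $file.FullName
                LastWriteTime = $file.LastWriteTime
                OtherAllowed  = $others -join ', '
                NeedsReview   = ($others.Count -gt 0)
            }
        }
    }
}

# An empty result means no SAM copy was found in the checked folders.
Get-SamBackupExposure | Format-Table -AutoSize
```

A backup copy that is no longer needed is best removed; one that must stay should show `NeedsReview` as `False`.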

Post by z3mwaz »

Hey, DNR.
Did you see my post on system rights?
That's another way, right?
I'm just not sure....
“Yes, I am a criminal. My crime is that of curiosity.”

??

Post by snapson »

Event viewer, why would I want that??? I meant the hash in the SAM file, yeah, but access to the SAM file is often restricted, so I want to dump the hash into a separate file to decrypt it later. Thanks DNR, you got me.
