•The SAM file in Windows NT/2000 contains the usernames and encrypted passwords. The SAM file is located in the %systemroot%\system32\config directory [open this link using RUN].
•The file is locked while the OS is running.
◦Booting to an alternate OS
■NTFSDOS (http://www.sysinternals.com/) will mount any NTFS partition as a logical drive.
◦Backup SAM from the Repair directory
■Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam
◦Extract the hashes from the SAM
■Use L0phtCrack to crack the password hashes.
This file is usually locked while the system is in use. However, once it is no longer held open by any system component, it is world readable by default. Attackers are particularly vigilant in looking for any SAM.SAV files that may be readable, as these can be used to obtain password information.
There are tools such as NTFSDOS that are capable of mounting any NTFS partition as a logical drive. NTFSDOS.EXE is a read-only network file system driver for DOS/Windows that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS or from Windows.
Not all is lost if the system is in use and the SAM file is locked. If a system administrator has casually forgotten to rename the administrator account or change the initial password, the attacker might be in luck because during the installation of NT/2000 a copy of the password database is put in \\WINNT\REPAIR.
What happens if the system administrator has updated their repair disk? The attacker can then look for a copy of the repair disks and extract the password database from the SAM._ file in the ERD directory. He can then use one of several utilities to dump the password hashes, such as pwdump, or run L0phtCrack (which has pwdump code built in) to extract the passwords. SAMDUMP.EXE can be used to extract the user information from it.
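The defensive counterpart to the above is to check whether a host still carries a readable SAM backup in the repair directory. The following PowerShell audit is an added example, not code from the original post; it assumes a modern Windows host where PowerShell is available and must be run from an elevated prompt so the ACLs can be read.

```powershell
# Added example: audit %SystemRoot%\repair for leftover SAM backups
# (SAM._, SAM.SAV, SAM) and warn when broad principals such as Everyone
# or Users hold read access. Audit only; it does not dump or modify anything.
$repairDir = Join-Path $env:SystemRoot 'repair'
$candidates = @('sam._', 'sam.sav', 'sam')   # names mentioned in the post
# Principals that should never be able to read a password database copy.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($name in $candidates) {
    $path = Join-Path $repairDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # -Force is needed because repair copies are often hidden files.
    $item = Get-Item -LiteralPath $path -Force
    Write-Output ("Found {0} ({1} bytes, last modified {2})" -f $path, $item.Length, $item.LastWriteTime)

    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $grantsRead = (($ace.FileSystemRights -band $readData) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and ($broadPrincipals -contains $id)) {
            Write-Warning ("  {0} can read {1} (rights: {2})" -f $id, $name, $ace.FileSystemRights)
        }
    }
}
```

A hit means the backup should be removed or its ACL restricted to Administrators and SYSTEM, and the same check belongs on any ERD media the organisation keeps.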