Re: Encrypted SAM file

From: Chris St. Clair (chris_stclairat_private)
Date: Fri Jun 29 2001 - 08:50:10 PDT


    Evidently there is a way to do it. Check out
    http://home.eunet.no/~pnordahl/ntpasswd/
    
    This Linux-based boot disk utility has a way to get around it
    and disable it (syskey, that is). Perhaps perusing the source
    will give you some ideas.
    
    Or, if you can load the stolen SAM onto a system you have physical
    access to, boot with that disk and then manually dump the hashes.
    Can you do that? Will it work? I don't know. Just an idea.
    
    Good luck, and let me know if it works.
    
    -chris
    
    --
    Interesting problem.
    
    I was trying to use pwdump3 to download the hashes from an NT server. The
    problem is that this server will not allow access to the admin share.
    However, I was able to gain access to C$ using Hyena and an admin-
    equivalent user account which also does not have access to the admin share.
    I was able to access the repair directory and get the compressed SAM and
    expand it. The file appears to be encrypted using the syskey. Any ideas on
    how to get past the encryption? I thought that there was a way to use
    pwdump3 to do this, but it's looking for a server name, not a file name.
    
    
    
    
    --------------------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
    For more information on SecurityFocus' SIA service which automatically alerts you to 
    the latest security vulnerabilities please see:
    
    https://alerts.securityfocus.com/
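Added example (editor's code, not part of the original post and not code from the ntpasswd tool or pwdump3). It walks through the publicly documented syskey key derivation used by offline SAM dumpers of this era (the same scheme as samdump2/creddump on NT4/2000/XP hives), which also explains why a SAM file on its own is not enough: the 16-byte boot key lives in the SYSTEM hive, spread across the class names of four subkeys under Control\Lsa, and has to be rebuilt from there before anything in the SAM can be decrypted. The block reconstructs that boot key, derives the "hashed boot key" from the salt stored in SAM\Domains\Account's F value via MD5 and RC4, and derives the per-RID RC4 key applied to each user's hash. All class-name strings, the salt and the F value below are constructed sample data, not taken from any real machine; the final DES step (two keys derived from the RID) is deliberately not shown. Note that this scheme only applies to the RC4-based SAM encryption; Windows 10 1607 and later switched the SAM to AES, and the repair-directory copy of the SAM is only as fresh as the last rdisk run.

```python
"""Added example (not from the original post or the tools it mentions).

Classic syskey derivation chain, as documented publicly and implemented by
samdump2/creddump for NT4/2000/XP-era hives:
  SYSTEM hive class names -> boot key -> hashed boot key -> per-RID RC4 key.
All sample values are CONSTRUCTED fixtures, not data from a real system.
The last step (DES with two RID-derived keys) is not shown here.
"""
import hashlib
import struct

# Subkeys under HKLM\SYSTEM\...\Control\Lsa whose *class names* carry the key.
LSA_KEY_NAMES = ("JD", "Skew1", "GBG", "Data")

# Byte permutation applied to the 16 bytes decoded from those class names.
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)

# Fixed strings mixed into the MD5 that yields the RC4 key for the F value.
AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
ANUM = b"0123456789012345678901234567890123456789\0"
NTPASSWORD = b"NTPASSWORD\0"
LMPASSWORD = b"LMPASSWORD\0"


def bootkey_from_classnames(classnames):
    """classnames: {subkey name: 8-char hex class string} read from SYSTEM."""
    scrambled = bytes.fromhex("".join(classnames[n] for n in LSA_KEY_NAMES))
    if len(scrambled) != 16:
        raise ValueError("expected 32 hex chars across the four class names")
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hashed_bootkey(bootkey, f_value):
    """Derive the 16-byte hashed boot key from SAM\\Domains\\Account 'F'.

    F[0x70:0x80] is the salt, F[0x80:0xA0] the RC4-encrypted hashed boot
    key; only the first 16 decrypted bytes are used afterwards.
    """
    salt = f_value[0x70:0x80]
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    return rc4(rc4_key, f_value[0x80:0xA0])[:16]


def user_hash_rc4_key(hbootkey, rid, which=NTPASSWORD):
    """Per-user RC4 key: MD5(hbootkey || RID as little-endian DWORD || tag)."""
    return hashlib.md5(hbootkey[:16] + struct.pack("<L", rid) + which).digest()


def build_sample_f_value(bootkey, salt, plain_hbootkey):
    """CONSTRUCTED fixture: forge an F value that decrypts to plain_hbootkey.

    Real F values carry other fields before offset 0x70; zero-filled here.
    """
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    return bytes(0x70) + salt + rc4(rc4_key, plain_hbootkey)


# --- constructed sample walk-through ---------------------------------------
SAMPLE_CLASSNAMES = {"JD": "0a1b2c3d", "Skew1": "4e5f6071",
                     "GBG": "8293a4b5", "Data": "c6d7e8f9"}   # made up
SAMPLE_SALT = bytes(range(0x10, 0x20))                         # 16 bytes
SAMPLE_HBOOTKEY = bytes(range(0xA0, 0xC0))                     # 32 bytes


def demo():
    """Run the whole chain on the constructed fixtures; RID 500 = Administrator."""
    bootkey = bootkey_from_classnames(SAMPLE_CLASSNAMES)
    f_value = build_sample_f_value(bootkey, SAMPLE_SALT, SAMPLE_HBOOTKEY)
    hbk = hashed_bootkey(bootkey, f_value)
    return bootkey, hbk, user_hash_rc4_key(hbk, 500)


if __name__ == "__main__":
    bk, hbk, ukey = demo()
    print("boot key        :", bk.hex())
    print("hashed boot key :", hbk.hex())
    print("RID 500 NT key  :", ukey.hex())
```

On a real hive the class names are read with a registry parser (they are not values, so tools that only enumerate values miss them), and the per-user RC4 key is applied to the 16-byte blob in each user's V value before the RID-keyed DES step recovers the actual LM or NT hash.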
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 14:19:34 PDT