The problem I've come across with this is that since the IUSR_machinename account is the anonymous web user, I don't have permissions to copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._

Any ideas???

Joe

----- Original Message -----
From: <pmawsonat_private>
To: <pen-testat_private>
Sent: Wednesday, October 31, 2001 4:23 PM
Subject: RE: Extracting NT password hashes from registry export file

> David
>
> One problem you have is that even Administrator doesn't have access to the SAM
> and SECURITY hives in the registry.
> Only the SYSTEM account has access to these.
> As a result it is unlikely that the registry export contains these hives.
> There may be passwords cached in other areas, I don't know, someone else may
> be able to answer that one.
>
> If you can run regedit /e then you should be able to run
> echo "I am the first line of cmdasp.asp" >>cmdasp.asp
>
> Use this technique to get cmdasp.asp up to the server.
>
> You can then use cmdasp.asp to run rdisk /s- (back up the registry to the
> repair directory)
> Run copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._
> Use your browser to download the file http://www.taget.com/sam._
> Run it through L0phtCrack and you're done.
>
>
> Phill
>
>
> -----Original Message-----
> From: David Watson [mailto:david.watsonat_private]
> Sent: Thursday, 1 November 2001 4:59 a.m.
> To: pen-testat_private
> Subject: Extracting NT password hashes from registry export file
>
>
> Hi,
>
> Hopefully someone will have come across this problem before and will be
> able to offer some advice to save me some unnecessary pain. I'm trying to
> find a method to quickly and easily extract the NT password hashes from a
> registry export text file (i.e. regedit /e reg.txt) of a Win2K server.
>
> I have no file upload capability to the server in question, so I cannot use
> interactive methods such as pwdump/samdump to export the NT password hashes
> from memory (or pwdump3 with DLL injection for syskey protected hashes).
> However, I have been able to export a copy of the registry as local
> administrator and download this data locally. Short of opening the ASCII
> export in a hex editor, locating the correct password hash starting offset
> location in [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4] and
> manually extracting the first 16 bytes for the LMHash and the next 16 bytes
> for the NTHash from the "V"=hex: record for each account (which will be
> syskeyed and further obfuscated via DES encryption with the user's RID as the
> key I believe), I can't find any tool or current technique to do this more
> easily.
>
> Has anyone ever tried to do this before, or come across/written a tool
> capable of reading an entire export file and extracting all the necessary
> data? Is there a better way to approach this problem that I might have
> missed? The source code for pwdump has a method to handle the
> de-obfuscation of the hashes but I'm surprised that I cannot find any
> previous papers or tools that attempt this process.
>
> As an aside, in the past on NT4 I would have updated the Windows repair
> directory using rdisk and extracted the hashes from the SAM. This only
> appears to be possible now in Win2K and above when using the GUI, as command
> line rdisk support was apparently dropped recently (MS Q231777). Has anyone
> found a method of refreshing the repair directory from the command line
> in Win2K yet?
>
> Any advice appreciated; I'm happy to summarise my findings and post them
> here for others.
>
> Thanks,
>
> David
>
>
>
> --
> David Watson          Voice: +44 1904 438000
> Technical Manager     Fax:   +44 1904 435450
> ioko365               Email: david.watsonat_private
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service.
> For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
> ************************************************************
> CAUTION: This e-mail and any attachment(s) contains
> information that is both confidential and possibly legally
> privileged. No reader may make any use of its content
> unless that use is approved by Deloitte separately in writing.
> Any opinion, advice or information contained in this e-mail
> and any attachment(s) is to be treated as interim and
> provisional only and for the strictly limited purpose of the
> recipient as communicated to us. Neither the recipient nor
> any other person should act upon it without our separate
> written authorisation of reliance.
> If you have received this message in error please notify us
> immediately and destroy this message. Thank you.
> Deloitte Touche Tohmatsu
> Internet: www.deloitte.co.nz
> ************************************************************
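A defender-side check suggested by the steps quoted in this thread (copying a repair-directory hive backup such as sam._ into the web root and fetching it over HTTP, or staging cmdasp.asp there): the following Python script is an added example, not part of the thread or of any tool it mentions. It parses an IIS W3C extended log excerpt and flags requests for hive backup files or for the named web shell, distinguishing attempts (non-2xx) from actual exposure (2xx). The field names follow the IIS W3C log format; the log lines, timestamps and client addresses are constructed for the example.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample of an IIS 5 W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-11-01 04:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-01 04:58:01 10.0.0.5 GET /index.htm - 200
2001-11-01 05:01:10 10.0.0.5 POST /cmdasp.asp - 200
2001-11-01 05:02:33 10.0.0.5 GET /sam._ - 200
2001-11-01 05:02:40 10.0.0.5 GET /SAM._ - 404
2001-11-01 05:03:05 10.0.0.9 GET /images/logo.gif - 200
"""

# Compressed hive backups that rdisk writes to %SystemRoot%\repair; none of
# these names should ever be requested from, let alone served by, a web root.
HIVE_BACKUP = re.compile(r"/(sam|security|system|software|default)\._$", re.IGNORECASE)
# Web shell name quoted in the thread; treated as an indicator of staging.
WEB_SHELL = re.compile(r"/cmdasp\.asp$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The directive defines the column layout for the records that follow.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_hive_exfil(text: str) -> List[Dict[str, str]]:
    """Return records whose URI names a hive backup or the web shell, tagged with a reason."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if HIVE_BACKUP.search(uri):
            rec["reason"] = "hive-backup-request"
            hits.append(rec)
        elif WEB_SHELL.search(uri):
            rec["reason"] = "web-shell-request"
            hits.append(rec)
    return hits


def served_hive_backups(text: str) -> List[str]:
    """URIs of hive backups that were actually served (2xx status): confirmed exposure."""
    return [
        h["cs-uri-stem"]
        for h in find_hive_exfil(text)
        if h["reason"] == "hive-backup-request" and h["sc-status"].startswith("2")
    ]


if __name__ == "__main__":
    for hit in find_hive_exfil(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["sc-status"], hit["reason"])
    print("served hive backups:", served_hive_backups(SAMPLE_LOG))
```

A 404 for sam._ still deserves attention: it shows someone probing for the file even though it was not there at that moment. A 200 means the hive backup has left the host and the accounts in it should be treated as compromised.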
This archive was generated by hypermail 2b30 : Sat Nov 03 2001 - 15:50:40 PST