Note that the "rdisk /s-" isn't for Win2K. If you're with NT 4.0, try using hk.exe to elevate your privileges. On Win2K I'd try using the iiscrack DLL by uploading it to the scripts or msadc dir (using tftp or such). In any case, if there is an MSSQL server on the machine, many times it could be used by isql and the xp_cmdshell for doing anything with the system account privilege.

Cheers,
Ishai Wertheimer

-----Original Message-----
From: pmawsonat_private [mailto:pmawsonat_private]
Sent: Thursday, November 01, 2001 12:00 AM
To: david.watsonat_private; PEN-TESTat_private
Subject: RE: Extracting NT password hashes from registry export file

David

One problem you have is that even Administrator doesn't have access to the SAM and SECURITY hives in the registry. Only the SYSTEM account has access to these. As a result it is unlikely that the registry export contains these hives. There may be passwords cached in other areas, I don't know; someone else may be able to answer that one.

If you can run regedit /e then you should be able to run

    echo "I am the first line of cmdasp.asp" >cmdasp.asp
    echo "I am the second line of cmdasp.asp" >>cmdasp.asp

and so on. Use this technique to get cmdasp.asp up to the server. You can then use cmdasp.asp to run

    rdisk /s-

(back up the registry to the repair directory). Run

    copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._

Use your browser to download the file http://www.taget.com/sam._ and run it through L0phtCrack, and you're done.

Phill

-----Original Message-----
From: David Watson [mailto:david.watsonat_private]
Sent: Thursday, 1 November 2001 4:59 a.m.
To: pen-testat_private
Subject: Extracting NT password hashes from registry export file

Hi,

Hopefully someone will have come across this problem before and will be able to offer some advice to save me some unnecessary pain.

I'm trying to find a method to quickly and easily extract the NT password hashes from a registry export text file (i.e. regedit /e reg.txt) of a Win2K server.

I have no file upload capability to the server in question, so I cannot use interactive methods such as pwdump/samdump to export the NT password hashes from memory (or pwdump3 with DLL injection for syskey-protected hashes). However, I have been able to export a copy of the registry as local administrator and download this data locally.

Short of opening the ASCII export in a hex editor, locating the correct password hash starting offset location in [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4] and manually extracting the first 16 bytes for the LMHash and the next 16 bytes for the NTHash from the "V"=hex: record for each account (which will be syskeyed and further obfuscated via DES encryption with the user's RID as the key, I believe), I can't find any tool or current technique to do this more easily.

Has anyone ever tried to do this before, or come across/written a tool capable of reading an entire export file and extracting all the necessary data? Is there a better way to approach this problem that I might have missed? The source code for pwdump has a method to handle the de-obfuscation of the hashes, but I'm surprised that I cannot find any previous papers or tools that attempt this process.

As an aside, in the past on NT4 I would have updated the Windows repair directory using rdisk and extracted the hashes from the SAM. This only appears to be possible now in Win2K and above when using the GUI, as command line rdisk support was apparently dropped recently (MS Q231777). Has anyone found a method of refreshing the repair directory from the command line in Win2K yet?

Any advice appreciated; I'm happy to summarise my findings and post them here for others.

Thanks,

David

--
David Watson           Voice: +44 1904 438000
Technical Manager      Fax:   +44 1904 435450
ioko365                Email: david.watsonat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Nov 05 2001 - 09:04:49 PST