Ted, you have a valid point, and I think that you are right for the most part...as long as you are not the one who breaks into the system, or you do not collaborate directly to help compromise the system.
This is fine and dandy and all...as long as both of the above apply, and there are no extenuating circumstances that would cause a third variable to fall into play.
I, for instance, by nature of my employment with a certain entity, have such a third variable. The 99.975% chance that nothing would happen to me or my employment does not outweigh the .025% chance that something would, IMHO.
You can call me a puss or whatever...I don't care. I worked very hard to get the job that I have, and I'm not about to risk losing that.
Besides, there are plenty of step-by-step explanations of how to do it...many on this site. Maybe I'll just link to one next time, like newinnash did, instead of feigning ignorance.
I for one wouldn't even fool around with the SAM. It's much easier to enumerate the information from the LSA, especially if you have physical access.
And if you know the person really well, you probably have the password on your computer already from when he checked his Hotmail account from your computer the last time he came over to visit. (Survey says: 95% of people polled use the same password for everything)
Not bashing or flaming...just explaining.
Have you tried Cain?
Cain is good for dumping users and passwords! on the box that you're using anyway
I would never think anyone a puss for saying what they believe. Actually I think that's being rather stand-up. But I could not accuse someone of criminal intent in word or in deed for wanting to learn something that I myself have learned in pretty much the same way either....but that's just me.
I feel you on that one, Ted. Sorry if I came across as abrasive or rash earlier. I wasn't pissed off at ya...have more respect for you than that, as you do me :)
BTW, the puss remark wasn't directed directly at you....I was referring to whoever were to read the post and get that impression. I know you better than that from what you post to other people, and you're the kind of person that calls it as you see it....if you thought I was being a puss, you would have said that from the start! :p
And I do agree with you that it isn't fair to automatically assume that someone has poor intentions just because they ask a question like the one that started this thread. I think that's the core of the issue, isn't it?
It's just that, in this instance, the ole' red flag came up, because I was talking about it in the other SAM cracking post (by the same person, same subject), and when I got here, the information in the reason for needing the info was different.
I think that we both hope that everyone else at AO doesn't just start flaming folks for asking questions. That would be a shame. How else are we going to help educate and shape the minds of future generations of security professionals? Do we really want to fill our ranks with ignorance?
Of course we don't. It's OK to have fun and taunt and make jokes and all, and sometimes, giving out a hard time to someone is OK. I'm not saying that we should not give out this kind of information just because the question is "How do you crack an XP logon password?". There ARE a lot of legitimate reasons to ask a question like this.
I also think, and I think that we both agree on this, that we all, as security professionals, have a responsibility to not give this kind of information out indiscriminately.
Now, if they ask something like "How do I get root on Windows XP" and when you ask them to explain they say something like "There's this computer in the barracks, blah, blah, blah..." Well, that's a whole different matter. :D