Cracking XP SAM (syskey)
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Cracking XP SAM (syskey)

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    12

    Cracking XP SAM (syskey)

    I find myself in a situation where I have to crack a SAM file from a XP machine. I was able to recover the file by moving the hard drive from the machine in question and placing it in a forensic workstation where I could then access the drive. I am running LC4, but according to the session start it says it can't crack the SAM if if was done in syskey. Has anyone been able to crack syskey? This is a legitimate investigation and one I don't particularly enjoy having to do. Unfortunately it is my job. Any help is appreciated.
    Mantarey
    Question Everything!!!

  2. #2
    Junior Member
    Join Date
    Sep 2002
    Posts
    3
    Syskey is designed to prevent password cracking attacks by encrypting the SAM database using 128-bit cryptography. To defeat such a system, an attacker would need to first crack the Syskey encryption then conduct a password cracking attack against the now-decrypted SAM database. However, the number of possible decryption keys for Syskey is so large that it should, in theory, make such an attack computationally infeasible
    there was A flaw in the implementation of Syskey which meant you could remove it. but this was only on nt. xp and 2000 have fixed this.
    so i think you may be out of luck.

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    12
    Thanks, 4Play, does anyone know if Microsoft has a backdoor to the SAM file?
    Mantarey
    Question Everything!!!

  4. #4
    Member
    Join Date
    Oct 2001
    Posts
    76
    Yes there is a backdoor, but you might have difficulty if you need to enter the administrator password to access the disk in question. I'll assume you have read and write access to the drive, as you've already managed to recover the SAM file.

    All you got to do is delete the SAM file from the disk completely. When you restart, windows will recreate the SAM file with no accounts and no passwords. Use Administrator as the user name, and leave the password blank. I've tried this on XP computers formatted with FAT32 with great success.

    Under NTFS, you usually need to enter the administrator password before you can access the drive though, and in this case, you need software that will let you write to the drive ignoring any security policies. Some versions of Linux will do this, although I can't remember any off the top of my head.

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    All Linuxes allow you to write to disk ignoring NTFS permissions. You just have to build NTFS write support into the kernel.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    This might help you as well....

    http://www.winternals.com/products/r.../locksmith.asp

    You need the Locksmith tool, and the Remote Recover, so, getting the Administrators Recovery Pack, or whatever they call it is probably best.

    If you have to do this even two or three times a year, this is very much worth the cost.

    It will even make an ISO image for a bootable CD which you can then use to do almost anything you want to the system.

  7. #7
    Junior Member
    Join Date
    Dec 2002
    Posts
    12
    Thanks, IchNiSan, I will see If I can get approval to buy it. Sounds good, though I still have to make a disck copy first to preserve the original evidence. And thanks to all who have responded, help is greatly appreciated.
    Mantarey
    Question Everything!!!

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    14
    Have a look at the following URL.
    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html


  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    If you are doing this with any thought of legal action in your mind(against the employee, or otherwise) you need to be fairly careful about how you go about things. There are all sorts of issues you need to keep in mind. you can get lots of information about the issues involved with forensics, and making sure any evidence collected is usable in a legal setting at www.sans.org .

    Here are 2 good starting points.

    http://rr.sans.org/incident/forensics.php
    http://rr.sans.org/threats/coroners_toolkit.php

  10. #10
    Junior Member
    Join Date
    Dec 2002
    Posts
    3
    If you're running XP home, and ya gotta lot of time on your hands, you might want to consider downloading ScanNt. All you need is a really large dictionary file, probably bigger than the one it comes with. Although it's made for Nt, it does work in XP - great M$ security!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides