
Thread: Cracking XP SAM (syskey)

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    12

    Cracking XP SAM (syskey)

    I find myself in a situation where I have to crack a SAM file from an XP machine. I was able to recover the file by moving the hard drive from the machine in question and placing it in a forensic workstation where I could then access the drive. I am running LC4, but according to the session start it says it can't crack the SAM if it was done in syskey. Has anyone been able to crack syskey? This is a legitimate investigation and one I don't particularly enjoy having to do. Unfortunately it is my job. Any help is appreciated.
    Mantarey
    Question Everything!!!

  2. #2
    Junior Member
    Join Date
    Sep 2002
    Posts
    3
    Syskey is designed to prevent password cracking attacks by encrypting the SAM database using 128-bit cryptography. To defeat such a system, an attacker would need to first crack the Syskey encryption, then conduct a password cracking attack against the now-decrypted SAM database. However, the number of possible decryption keys for Syskey is so large that it should, in theory, make such an attack computationally infeasible.
    There was a flaw in the implementation of Syskey which meant you could remove it, but this was only on NT. XP and 2000 have fixed this.
    So I think you may be out of luck.

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    12
    Thanks, 4Play. Does anyone know if Microsoft has a backdoor to the SAM file?
    Mantarey
    Question Everything!!!

  4. #4
    Yes there is a backdoor, but you might have difficulty if you need to enter the administrator password to access the disk in question. I'll assume you have read and write access to the drive, as you've already managed to recover the SAM file.

    All you got to do is delete the SAM file from the disk completely. When you restart, Windows will recreate the SAM file with no accounts and no passwords. Use Administrator as the user name, and leave the password blank. I've tried this on XP computers formatted with FAT32 with great success.

    Under NTFS, you usually need to enter the administrator password before you can access the drive though, and in this case, you need software that will let you write to the drive ignoring any security policies. Some versions of Linux will do this, although I can't remember any off the top of my head.

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    All Linuxes allow you to write to disk ignoring NTFS permissions. You just have to build NTFS write support into the kernel.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    This might help you as well....

    http://www.winternals.com/products/r.../locksmith.asp

    You need the Locksmith tool, and the Remote Recover, so, getting the Administrators Recovery Pack, or whatever they call it is probably best.

    If you have to do this even two or three times a year, this is very much worth the cost.

    It will even make an ISO image for a bootable CD which you can then use to do almost anything you want to the system.

  7. #7
    Junior Member
    Join Date
    Dec 2002
    Posts
    12
    Thanks, IchNiSan, I will see if I can get approval to buy it. Sounds good, though I still have to make a disk copy first to preserve the original evidence. And thanks to all who have responded, help is greatly appreciated.
    Mantarey
    Question Everything!!!

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    14
    Have a look at the following URL.
    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html


  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    If you are doing this with any thought of legal action in your mind (against the employee, or otherwise) you need to be fairly careful about how you go about things. There are all sorts of issues you need to keep in mind. You can get lots of information about the issues involved with forensics, and making sure any evidence collected is usable in a legal setting, at www.sans.org.

    Here are 2 good starting points.

    http://rr.sans.org/incident/forensics.php
    http://rr.sans.org/threats/coroners_toolkit.php
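    The two posts above stress imaging the drive and preserving the original before anything is done to the SAM. The script below is an added example, not from anyone in this thread: it images a source device with dd, hashes source and image, and appends a custody log line, returning success only if the hashes match. It assumes a Linux host with GNU coreutils; the device path and the log format are the example's own choices.

```shell
#!/bin/sh
# Added example: forensic image plus hash verification and a custody log entry.
# Assumes GNU dd/sha256sum. In real use SRC would be a seized drive such as
# /dev/sdb (hypothetical) attached through a hardware write blocker.

# image_and_verify SRC DST LOG
#   Copies SRC to DST sector by sector, hashes both, logs the result,
#   and returns 0 only when the image hash equals the source hash.
image_and_verify() {
    src="$1"; dst="$2"; log="$3"
    # bs=512 conv=noerror,sync: keep going past unreadable sectors and pad
    # them with zeros so offsets in the image still match the source.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=none || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    if [ "$src_hash" = "$dst_hash" ]; then match=yes; else match=no; fi
    printf '%s src=%s dst=%s sha256=%s match=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$src_hash" "$match" \
        >> "$log"
    [ "$match" = yes ]
}

# demo: runs the procedure against a constructed 1 MiB "drive" (random bytes,
# a multiple of 512 like a real device) so it can be exercised without hardware.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.img" bs=512 count=2048 status=none
    image_and_verify "$work/suspect.img" "$work/evidence.dd" "$work/custody.log"
    rc=$?
    cat "$work/custody.log"
    rm -rf "$work"
    return $rc
}
```

The log line (timestamp, paths, SHA-256, match flag) is what a later examiner checks against before trusting the image.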

  10. #10
    Junior Member
    Join Date
    Dec 2002
    Posts
    3
    If you're running XP home, and ya gotta lot of time on your hands, you might want to consider downloading ScanNt. All you need is a really large dictionary file, probably bigger than the one it comes with. Although it's made for NT, it does work in XP - great M$ security!
