
Thread: SAM file in %systemroot%\repair....

  1. #1 br_fusion (Senior Member, joined Apr 2002, 167 posts)

    SAM file in %systemroot%\repair....

    Hey, I have a general question. I've noticed on Win2000 and WinXP there is a file called sam in the repair directory. I may be wrong, but couldn't somebody copy this file out of this directory with ease and later crack it?

    I know you can obtain the SAM with NTFSDOS before boot up. But obtaining the SAM right out of the folder while windoz is running seems very insecure.

    thanks again

    Fusion

  2. #2 Senior Member (joined Jan 2003, 3,915 posts)

    Since I'm seeing my account info listed in the file, you're probably right. I'm taking Win NT/2k security right now, and if no one has an answer for ya I'll be happy to ask my prof tomorrow morning in class.

    I'm sure there are precautions though; first of all, only Admin and the system have access to the file. As well, if you're running a large network the file would be stored on your PDC and BDCs, in which case the user would need physical access to the system, assuming it's completely locked down, as secondary servers are probably used for services, and I doubt any admin would share those folders.

  3. #3 br_fusion (Senior Member, joined Apr 2002, 167 posts)

    Yeah, good point, and thanks.

  4. #4 Senior Member (joined Nov 2001, 4,785 posts)

    It's the same SAM file and that's exactly what happens with it, br_fusion. You put it on a computer you have admin rights to and run LC.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5 br_fusion (Senior Member, joined Apr 2002, 167 posts)

    Well, "SAM" in system32 is 256kb and "sam" in repair is 20kb. They can't be the same file... well, I wouldn't think so.

  6. #6 Antionline Herpetologist (joined Aug 2001, 1,165 posts)

    That's the proverbial weak link in Win2K/XP. Though the file is only accessible by Administrators, if you have physical access to the system, it's fairly easy to copy it to a floppy and then run L0pht Crack on it.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #7
    You're right, I remember reading a post once before that spoke of cracking SAM files. Surely there has to be a way to prevent it or restrict user rights to it. :grins: :-* It's Windows, there's always something insecure.

  8. #8 Senior Member (joined Feb 2002, 130 posts)

    It appears that this copy of the sam file only gets updated when you update the ERD, so if you don't update it, the sam file will be the same as when the machine was first built (accounting for the smaller file size).


    Folks,

    Saw mention on this list a while back (10/5/01) that it's a good practice to delete the 'repair' directory after making an Emergency Repair Disk, because some directory traversal exploits will try to extract the SAM from the %systemroot%\winnt\repair folder. That seems to be good advice for NT systems. However, I blindly carried that practice over to the Windows 2000 servers. That was a decidedly BAD idea. Once the repair folder is gone on a W2K system, any subsequent attempt to make an ERD will result in a "diskette is unusable" error message. There is, of course, no apparent connection between the error message and the problem ...

    The recovery process is fairly simple, but not particularly intuitive. If you create an empty %systemroot%\winnt\repair folder, the ERD process with the box checked to "Also back up the Registry" will create a RegBack subfolder under %systemroot%\winnt\repair but will still fail to create a recovery diskette. The solution that worked for me was to copy the three files (autoexec.nt, config.nt, and setup.log) from the previous ERD to the repair folder. At that point the "unusable" diskette experienced a full recovery.

    Going forward, one option might be to manually copy SAM to the ERD and delete it from its new location of %systemroot%\winnt\repair\RegBack. Any thoughts from those more knowledgeable about this?

    Regards,

    Dave Owens
    link here

    hope this helps

  9. #9 br_fusion (Senior Member, joined Apr 2002, 167 posts)

    Would the SAM file in the repair directory be SYSKEY encrypted?

  10. #10 Junior Member (joined Jun 2002, 2 posts)

    To be "kinda" secure, one of the first things you need to do is remove the "everyone" group.
    Also disable Lan Manager compatibility and null sessions.

    Not many people do this cause it's too much hassle. But the fact remains, if you don't have access to the repair folder there's not much you can do about it, no matter how many SAM crackers you have.

    If physical access to the machine is available, reboot, boot with a stiffy and inject your own SID.

    happy days.
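An added defensive audit for the points raised in posts #2/#6 (only Administrators and SYSTEM should hold rights on the repair copy of the SAM) and post #10 (drop Everyone, disable LM compatibility and null sessions). This is PowerShell written here for the thread, not code from any poster; it assumes the standard LSA value names LmCompatibilityLevel and RestrictAnonymous, and treats an absent value as the old default of 0.

```powershell
# Added audit script (not from the thread). Assumes a Windows host; absent LSA
# values are treated as the historical default of 0.
$samBackup = Join-Path $env:SystemRoot 'repair\sam'
# The only principals posts #2/#6 say should have access to the repair SAM.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

if (Test-Path -LiteralPath $samBackup) {
    $acl = Get-Acl -LiteralPath $samBackup
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            # Post #10's "everyone" group, or any other extra principal, lands here.
            Write-Warning ("{0}: '{1}' is allowed {2}" -f `
                $samBackup, $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
} else {
    Write-Output "$samBackup not present (post #8: it is only written when the ERD is updated)."
}

# LSA hardening values behind post #10's advice on LM compatibility and null sessions.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel      = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 0 }
$restrictAnon = if ($null -ne $lsa.RestrictAnonymous)    { [int]$lsa.RestrictAnonymous }    else { 0 }

# Level 3 and above send NTLMv2 only; below that an LM or NTLMv1 response is still sent.
if ($lmLevel -lt 3) {
    Write-Warning "LmCompatibilityLevel=$lmLevel : LM/NTLMv1 responses are still sent"
}
# RestrictAnonymous 0 lets a null session enumerate SAM accounts and shares.
if ($restrictAnon -lt 1) {
    Write-Warning "RestrictAnonymous=$restrictAnon : null sessions can enumerate accounts and shares"
}
```

Run it from an elevated prompt; a clean host prints nothing but the optional "not present" line.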
