W2K Pro Password Recovery

Thread: W2K Pro Password Recovery

  1. #1
    Junior Member
    Join Date
    Jul 2003
    Posts
    2

    W2K Pro Password Recovery

    Hi All,

    I'm running W2K pro with normal user privileges. If I make a copy of the SAM file and run a password cracking utility will it give me my password in clear text?

    Any help would be greatly appreciated.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    One would think that the password cracking tool would give you the final password in clear text. It would sort of defeat the purpose for an admin to test password strength if he/she is unaware of what password the user is using.

    And I will assume that this is *your* box and no one else's, as I do not advocate or encourage people to break the law.

    Errr.. yes and no. There is a location on Windows where the SAM is copied for recovery disk purposes (depending on how you've locked down your system either just admin or everyone has access to this location).

    Alternatively, you can boot with DOS and NTFSDOS and copy it. And there are a few quick and dirty ways to reset the password in worst case scenarios. (Google is great for finding this.)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Re: W2K Pro Password Recovery

    Originally posted here by cBYTE
    I'm running W2K pro with normal user privileges. If I make a copy of the SAM file...
    Hang on a minute... if you're running w2k pro with user privileges, it won't *let* you make a copy of the sam file, or otherwise access the SAM data.

    So just stop right there.

    Normal users *cannot* get the SAM file (unless they use some privilege escalation sploit first, boot from floppy and copy it, etc)

    Slarty

  4. #4
    Junior Member
    Join Date
    Jul 2003
    Posts
    2
    MsMittens,

    It absolutely is my box. I do not like to break into other peoples machines as I've no business.


    Slarty,

    I was wondering if a normal user can copy the SAM file, and thank you for letting me know that a normal user can NOT. I do have Administrator rights on the box, which means I can copy the SAM file, booting into DOS < command-prompt only >.

    Also, I've read that login credentials in the SAM file, where the passwords are kept, are encrypted and have another layer of encryption, i.e. SYSKEY, which is enabled by default in W2K Pro. So as per MsMittens, running a password utility will not give me my passwords in clear text. Is that correct? So why the hell are there so many password cracking utilities?

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    If you use a utility inside Windows to dump the SAM, like any of the samdump thingies, like pwdump2, it will spit out a passwd-style file which can then be cracked. This will work syskey or not.

    Of course you need to get in as admin or localsystem for that, so theoretically you could run an offline registry editor, change the logon screensaver to cmd.exe and dump the SAM from there.

    I have tried this on a system in "lab" conditions (my own box, with another OS on too), but it's not something you'll want to do to your system if you don't have a recent backup. There is the obvious danger of breaking something rather important in the registry.

    If you don't care about destroying the old admin password, you could always just reset the admin password and get in that way. That's the normal way of getting into forgotten password systems.

    In my test system I was able to quickly retrieve the plaintext passwords after grabbing the SAM with pwdump2. However, my test system had very easily guessable passwords (it's behind a firewall anyway).

    I have no idea how quickly it works if you have stronger passwords.

    Slarty

    PS: This message is not supposed to be a skript kiddies guide to cracking win2k boxes so I have been deliberately vague above.

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    The file may be encrypted but tools like LC4 will break that and show you the final result unencrypted.

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Well, depending on how you locked down your box, normal users often have readonly access to the %SYSTEM%\repair directory. Inside is an un-syskeyed backup copy of your SAM with the hash of the administrator password you set during installation.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision
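The exposure described in the post above (a backup SAM in the repair directory readable by ordinary users) is something an admin can audit directly. The following is an added example, not code from the thread or from any poster; it assumes a modern Windows host with PowerShell and assumes the directory is %SystemRoot%\repair, which may not exist on newer systems.

```powershell
# Added example (not from the thread): report which broad principals hold
# Allow ACEs on the repair directory, so an admin can see whether a backup
# SAM/SYSTEM hive there is readable by non-admins. Assumes %SystemRoot%\repair.
$repairDir = Join-Path $env:SystemRoot 'repair'

if (-not (Test-Path -Path $repairDir)) {
    Write-Output "$repairDir does not exist on this system; nothing to audit."
    return
}

# Principals whose access to an unprotected hive backup is worth reviewing.
# Names are assumed to be the default English account names.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$acl = Get-Acl -Path $repairDir
$findings = foreach ($ace in $acl.Access) {
    # Report any Allow ACE for a broad principal, whatever the rights, since
    # even list/read access here is more than a normal user should need.
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $ace.IdentityReference.Value) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Output "Broad access on $repairDir (a hive backup here may be readable):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Allow ACEs for broad principals on $repairDir."
}

# List what is actually stored there so the admin knows whether a backup exists.
Get-ChildItem -Path $repairDir -File -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
```

If the directory is readable by broad groups and holds a hive backup, restricting it to Administrators and SYSTEM (or removing the stale backup) closes the exposure the post describes.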

  8. #8
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    I don't like to get into cracking passwords, but I know the NT Password and Registry Editor Boot Disk is a great utility to change the password if you forgot it. It works great on NT & 2K and is very easy to use.

    Google Search: NT Password and Registry Editor Boot Disk

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    winternals administration pack..

    emergency repair disk creation wizard.. makes an iso that lets you boot off the cd, and have access to the hdd and such.. also has a utility called "locksmith".. that will let you change the password of any account on the system.

  10. #10
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Yeah, locksmith is sweet. In fact I firmly believe that winternals adminpack is one of the most essential admin tools for windows ever made.

    NOTE: If you have any data encrypted with EFS, you will LOSE IT ALL if you reset your password this way.
