Importing SAM to another domain

  1. #1
    Member
    Join Date
    Sep 2001
    Posts
    37

    Importing SAM to another domain

    Hi all,

    I have a problem investigating an IT security breach in my organisation. I have restored the shared folder area of a file and print server on our network to a test server such that I can look at permissions set on these shared folders (I can't visit the server itself; it's in another country).

    Having done this, when I look at the permissions and ownerships of the folders my server reports "account unknown". This is reasonable as my SAM doesn't know about the accounts on the server from which the folders were taken. So I copied across the SAM from that server hoping I could then usefully check who had permissions to various folders.

    But in copying across the SAM, I found I couldn't log onto the box at all, even though I know the Domain Admin password. I assume this is due to my test server being in a different domain to that which the imported SAM came from.

    Does anyone know of a way around this? Perhaps there is an import tool that allows me to import shared folders and accounts into a different domain? But if I import this information (rather than just directly copying the data across) I don't want to lose the original file and folder permissions. Any thoughts, anyone?

    Thanking you all in advance for any advice,

    Alan Mott

  2. #2
    Junior Member
    Join Date
    Jul 2003
    Posts
    7
    Does anyone know of a way around this?
    Just create a new domain and setup a trust between the two domains...

    otherwise do a restore on your test server from your production server of the registry / system state. (try to get similar hardware, though)
    --
    Computers are like humans, except that they don't blame
    their mistakes on other computers.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The problem is that you just want to know the names?

    Is it actually saying "account unknown"? IME, in WIN2k, ( I don't remember what NT said.... Damn I'm getting old....), it simply gives the SID of the user. If that is what it is doing there are a couple of M$ tools to convert the SIDs and usernames, I believe the one you need is SID2User, (the other is User2sid IIRC).

    You could also blast away at the SAM with John the Ripper to enumerate the accounts.

    As an aside, if you believe there was a security breach you should have taken an image of the drives on the server. Can you not have copies sent to you. You will be able to boot to them and play with them to your heart's content.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Member
    Join Date
    Sep 2001
    Posts
    37
    In response to your questions,

    For a start, I'm running NT4.

    I can't set up a trust to the original domain because my test server is not part of our global production network. I'm not in the habit of setting up trusts willy-nilly anyway.

    The suspect system has been rebuilt recently, and part of this rebuild included a change of domain name. Since this rebuild the security issue came to light, and I've been asked to look at the old data save tapes to see if the issue was present prior to the upgrade. So basically the system from which I have backup tapes doesn't exist anymore.

    Complicated, huh?

    When looking at the file and folder permissions on the restored shares in question Windows NT reports "account unknown", not the SID. I have the SAM from the old system so can see the SIDs in there using various tools. What I wanted to do is save some time by running DumpACL against the restored folders and see who owned what prior to the upgrade.

    It's looking like I'm going to have to dump out the folder ACLs using XCACLS and manually compare each one to the SIDs in the SAM. Please God don't make me do that.........!

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Alan: Complicated.... Naaaaaah...... You have a gift for understatement...... Let me guess... The SAM contains thousands of SIDs?

    Here's what I would try..... Use a tool to dump the SAM to a text file, and the same with the file and folder permissions.

    Go here and get the free tool LineStrip. Run that, tell it the input file is the SAM text dump and cut and paste the file/folder SIDs one at a time into the "find" box and tell it to "drop the line if not present". LineStrip is really fast on a reasonable computer and you will see in a matter of seconds if you have a match.

    I know it's far from a perfect solution if there are a lot of file/folder SIDs to look for but it's a $h1t load quicker and more accurate than a manual search IMO.

    Good luck, I hope it helps
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
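The SID cross-reference that posts #4 and #5 describe (dump the folder ACLs, dump the SAM to text, then match SIDs between the two) can be scripted rather than pasted one SID at a time into a search tool. The script below is an added example and is not code from the thread or from DumpACL, XCACLS or LineStrip; the two text dumps embedded in it are constructed stand-ins for what those tools emit, and the "name SID" and "path SID right" line layouts are assumptions. It also shows why the restored ACLs read "account unknown": an NT domain account SID is the domain identifier (S-1-5-21-x-y-z) plus a RID, so a test server in a different domain can only resolve well-known SIDs such as BUILTIN\Administrators, and two SIDs with the same RID under different domain identifiers are different accounts.

```python
"""Cross-reference SIDs in a folder-ACL dump against a SAM account dump, offline.

Added example for the thread's scenario. Both dumps below are constructed
sample data, not real tool output; real DumpACL/XCACLS/SAM-dump formats differ.
"""
import re
from collections import defaultdict

# Constructed SAM dump from the old server: "username SID" per line (assumed layout).
SAM_DUMP = r"""
amott        S-1-5-21-1111-2222-3333-1001
backupop     S-1-5-21-1111-2222-3333-1004
svc_print    S-1-5-21-1111-2222-3333-1010
"""

# Constructed ACL dump from the restored shares: "path SID right" per line (assumed
# layout). The test server prints SIDs because it cannot resolve the old domain's accounts.
ACL_DUMP = r"""
D:\Shares\Finance   S-1-5-21-1111-2222-3333-1001   Full Control
D:\Shares\Finance   S-1-5-21-1111-2222-3333-1004   Change
D:\Shares\Finance   S-1-5-32-544                   Full Control
D:\Shares\HR        S-1-5-21-1111-2222-3333-1099   Read
D:\Shares\HR        S-1-5-21-9999-8888-7777-1001   Full Control
"""

# Well-known SIDs are identical on every NT machine, so they resolve without the old SAM.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-1-0": "Everyone",
}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_sid(sid):
    """Return (domain identifier, RID) for an S-1-5-21 account SID, else (sid, None)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


def parse_sam_dump(text):
    """Map SID -> account name; lines without a 'name SID' pair are ignored."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and SID_RE.fullmatch(fields[1]):
            accounts[fields[1]] = fields[0]
    return accounts


def parse_acl_dump(text):
    """Return (path, sid, right) tuples for every line that carries a SID."""
    entries = []
    for line in text.splitlines():
        match = SID_RE.search(line)
        if match is None:
            continue
        path = line[:match.start()].strip()
        right = line[match.end():].strip()
        entries.append((path, match.group(0), right))
    return entries


def resolve_acls(entries, accounts):
    """Attach a name to each ACL entry from the old SAM or the well-known table."""
    resolved = []
    for path, sid, right in entries:
        name = accounts.get(sid) or WELL_KNOWN.get(sid) or "account unknown"
        resolved.append({"path": path, "sid": sid, "name": name, "right": right})
    return resolved


def unresolved_by_domain(resolved):
    """Group still-unknown SIDs by domain identifier: a second prefix means a second
    domain (or machine) whose SAM you do not have, not a gap in the one you restored."""
    groups = defaultdict(list)
    for entry in resolved:
        if entry["name"] == "account unknown":
            domain_id, _rid = split_sid(entry["sid"])
            groups[domain_id].append(entry["sid"])
    return dict(groups)


if __name__ == "__main__":
    accounts = parse_sam_dump(SAM_DUMP)
    for entry in resolve_acls(parse_acl_dump(ACL_DUMP), accounts):
        print(f"{entry['path']:<22} {entry['name']:<24} {entry['right']}  ({entry['sid']})")
    for domain_id, sids in unresolved_by_domain(resolve_acls(parse_acl_dump(ACL_DUMP), accounts)).items():
        print(f"unresolved under {domain_id}: {', '.join(sids)}")
```

Running it prints one resolved line per ACL entry plus a summary of the SIDs still unknown, grouped by domain identifier. In the constructed data the Finance entries resolve from the old SAM (RIDs 1001 and 1004) and from the well-known table (S-1-5-32-544), RID 1099 is an account that existed on the old server but is absent from the SAM dump (deleted, or the dump is incomplete), and the S-1-5-21-9999-... entry belongs to some other domain entirely even though its RID is also 1001.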

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    All you have to do is use NT locksmith to set the admin account pw using the imported SAM, then you can extract the PW hashes from the registry and crack all the accounts in no time, assuming you even need access to the accounts. (You will need the registry of course.)

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
