SAM password question
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: SAM password question

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    236

    SAM password question

    There is a SAM file in the c:\winnt\repair\ directory. Is this same at the one in the config directory.

    Ive noticed the one in the config directory is being used by the system so you cannot read the contents but this one is readable.

    Can anyone shed light on why there is 2 SAMs?
    That which does not kill me makes me stronger -- Friedrich Nietzche

  2. #2
    Junior Member
    Join Date
    Jul 2003
    Posts
    17

    Lightbulb

    If i'm not mistaken this is the backup of the sam file, a read only copy.
    \"If we knew what we were doing..............It wouldnt be called research.\" Albert Einstein

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Thanks
    That which does not kill me makes me stronger -- Friedrich Nietzche

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    the SAM in the repair folder is not exactly a backup nor is it RO, it is created when an ERD is created (or other various system recover tools are used), consequently this repair file tends to be quite dated.

    The other SAM actually contains the Hkey_Local_Machine\Sam registry hive.

    catch

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    17
    well then my quote below is quite true!
    \"If we knew what we were doing..............It wouldnt be called research.\" Albert Einstein

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Hmmm..so if I extracted a password out of it , it could be a very old password thats been changed?

    Is there anyway to read the current SAM file?
    That which does not kill me makes me stronger -- Friedrich Nietzche

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    There exist tools for extracting the SAM file, all of these require the privileges to do so (most likely Administrator).
    Passwords extracted from the SAM repair file may or may not be dated, but as a rule they are.
    Lastly, I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy)

    catch

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Well its on a remote machine, and its not so much I want to extract any passwords via network, I just want to get a copy of the SAM on my local computer. I dont think its possible, I was able to get the old one and extract the Administrator password but it appears the password did not work, so I figure it is an outdated password.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  9. #9
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Google "rdisk.exe /s". It was taken out after NT 4 and is now done via the repair disk wizard.



    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Originally posted here by catch
    I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy)
    pwdump2 should still dump the nt hashes from the SAM (presumably the LM ones will not be there though). I haven't tried it though. But it does dump the NT hashes normally along with the LM ones.

    There is a modified version of John which will attack the nt hashes instead of LM ones.

    The NT hash algorithm is better than the LM one - it is harder to attack. But dictionary attacks still work. It is more similar to how it works in Unix.

    The LM ones I don't fully understand, but maybe it is case insensitive and stores parts of the password so they can be cracked independently?

    Slarty

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •