-
September 9th, 2003, 11:23 PM
#1
SAM password question
There is a SAM file in the c:\winnt\repair\ directory. Is this the same as the one in the config directory?
I've noticed the one in the config directory is being used by the system so you cannot read the contents, but this one is readable.
Can anyone shed light on why there are 2 SAMs?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 9th, 2003, 11:29 PM
#2
Junior Member
If I'm not mistaken this is the backup of the SAM file, a read-only copy.
"If we knew what we were doing..............It wouldn't be called research." Albert Einstein
-
September 9th, 2003, 11:38 PM
#3
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 9th, 2003, 11:51 PM
#4
The SAM in the repair folder is not exactly a backup, nor is it RO; it is created when an ERD is created (or various other system recovery tools are used). Consequently, this repair file tends to be quite dated.
The other SAM actually contains the Hkey_Local_Machine\Sam registry hive.
catch
-
September 10th, 2003, 12:02 AM
#5
Junior Member
Well then my quote below is quite true!
"If we knew what we were doing..............It wouldn't be called research." Albert Einstein
-
September 10th, 2003, 12:03 AM
#6
Hmmm... so if I extracted a password out of it, it could be a very old password that's been changed?
Is there any way to read the current SAM file?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 10th, 2003, 12:07 AM
#7
There exist tools for extracting the SAM file; all of these require the privileges to do so (most likely Administrator).
Passwords extracted from the SAM repair file may or may not be dated, but as a rule they are.
Lastly, I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy).
catch
-
September 10th, 2003, 12:14 AM
#8
Well, it's on a remote machine, and it's not so much that I want to extract any passwords via the network; I just want to get a copy of the SAM on my local computer. I don't think it's possible. I was able to get the old one and extract the Administrator password, but it appears the password did not work, so I figure it is an outdated password.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 10th, 2003, 03:06 AM
#9
Google "rdisk.exe /s". It was taken out after NT 4 and is now done via the repair disk wizard.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
September 10th, 2003, 10:14 AM
#10
Originally posted here by catch
I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy)
pwdump2 should still dump the nt hashes from the SAM (presumably the LM ones will not be there though). I haven't tried it though. But it does dump the NT hashes normally along with the LM ones.
There is a modified version of John which will attack the nt hashes instead of LM ones.
The NT hash algorithm is better than the LM one - it is harder to attack. But dictionary attacks still work. It is more similar to how it works in Unix.
The LM ones I don't fully understand, but maybe it is case insensitive and stores parts of the password so they can be cracked independently?
Slarty
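Added example, not part of any post in this thread: a defensive audit of a pwdump-style export (the `user:rid:lm:nt:::` layout) that lists accounts still carrying an LM hash, since LM uppercases the password and hashes it as two independent 7-character halves, and stored LM hashes remain until the password is next changed even after LM storage is disabled in policy. The sample lines and their non-constant hash values are constructed, and treating a non-hex LM field as "no LM hash" is an assumption about the dump tool's output.

```python
import re

# Well-known constants: values produced when a password (or 7-character half) is empty.
EMPTY_LM_HALF = "aad3b435b51404ee"             # LM result for an empty half
EMPTY_LM = EMPTY_LM_HALF * 2                   # whole LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample export; the non-constant hex strings are placeholders, not real hashes.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1004:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
alice:1005:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
bob:1006:NO PASSWORD*********************:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
this line is not an account record
"""

def audit(text):
    """Return (user, rid, [issues]) for every account that needs remediation."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip blank or malformed lines instead of failing the audit
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        issues = []
        # Assumption: a non-hex LM field is a tool marker meaning "no LM hash".
        if HEX32.match(lm) and lm != EMPTY_LM:
            issues.append("LM hash stored")
            # The second half is hashed on its own, so an empty second half
            # reveals that the password is at most 7 characters long.
            if lm[16:] == EMPTY_LM_HALF:
                issues.append("password is 7 characters or fewer")
        if nt == EMPTY_NT:
            issues.append("empty password")
        if issues:
            findings.append((user, rid, issues))
    return findings

if __name__ == "__main__":
    for user, rid, issues in audit(SAMPLE):
        print(f"{user} (RID {rid}): {', '.join(issues)}")
```

Accounts flagged with "LM hash stored" need a password change after the policy is set, because that is when the old LM value is dropped.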