
Thread: Win XP SAM files

  1. #11
    Junior Member
    Join Date
    May 2003
    Posts
    12
    What are common local machine passwords that would be stored? Like logon for the users? Maybe screen savers? What about any passwords that would be from sites, for example like this forum, how it can auto log you on; those would be stored in cookies or somewhere else, right? So it's been a while since I set a lot of local machine passwords, since usually I'm the only one to use my comp. What other local passwords might you find?

  2. #12
    Junior Member
    Join Date
    Feb 2003
    Posts
    14
    For example, suppose your brother has a password-protected user account as a guest on your PC and you have the administrator account on the same PC. The password which your brother uses to log in to his account is saved in the SAM file, as well as yours.
    There are only two things which are finite, one is the universe and the second is the human stupidity.

  3. #13
    Junior Member
    Join Date
    May 2003
    Posts
    12
    Yeah, I know that for any users that make other accounts to use the computer, the passwords go to the SAM, but are there any other passwords that you would find in there? Or is the SAM only for account/user passwords? Nothing to do once they log in and start putting in passwords for whatever else they might be doing?

  4. #14
    Junior Member
    Join Date
    Feb 2003
    Posts
    14
    Only user account passwords. But there are some other programs which can do the job for you, like the passwords which are saved in the cookies.

  5. #15
    Junior Member
    Join Date
    May 2003
    Posts
    12
    OK, I dunno if this is crossing the line between spamming or personal protection, but what program can you use to scan your cookies to see what passwords of yours are stored in your cookies? I mean, I'm the only one that uses my computer, but I wanna start to learn what gets stored where for security. Thanks.

  6. #16
    Member
    Join Date
    Oct 2003
    Posts
    43
    heh.. i got the SAM file for my school...
    ammon

  7. #17
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Just think of the SAM as the /etc/passwd file of the Windows world. I got about a $1.25 worth, so here goes:

    1.) The SAM not only contains hashes for user accounts, but also for user groups and on domain controllers it contains the hashes for computer accounts.

    2.) The Win2K post SP2 and XP SAM itself is pretty secure (128-bit). There are only 4 ways that I know of to get the SAM. Three of these four require either physical access or administrative privilege. The last is to sniff the password hashes from the network during the authentication phase of domain logon.

    3.) Sniffing hashes only works if the domain security policy allows LanMan or old-style 40-bit (pre-Win2K SP2) challenge, and if the firewall is configured sloppily. If the newer Kerberos encryption is used, it's not impossible to crack, but a lot harder to do. Blocking TCP/UDP 135-139 and 445 will stop it.

    4.) If it's an NT 4 or Win2K pre SP2 box, why bother cracking the SAM for user accounts and passwords when the Local Security Authority is so much easier to crack, as it stores service account names and passwords in plain text, caches the password hashes of the last ten users to log onto the machine, caches FTP and Website passwords in plain text, and computer account passwords for domain access?

    Better yet, if you can get to the SAM (because the firewall isn't blocking the NetBIOS ports and user permissions allow "Everyone" full control of systemroot), just delete it. If syskey isn't installed, deleting the SAM will blank out the Admin password, and this works on Win2K and XP! Not only will it blank the password, if the account was renamed, it reverts back to the default Administrator.

    Even worse, if the machine in question were using EFS, they're really screwed, as all the files will be decrypted automatically when Administrator is logged on, as the Administrator is the default key recovery agent for EFS.

    EDIT: I took part out cause I didn't want the script kiddies to see it. It was pretty step-by-step. Sometimes I go off on a tangent.......

    The key to any of these attacks is a network that is improperly secured and an administrator that doesn't do their job. If the OS is patched properly, vulnerable ports are blocked at the border routers and firewalls, strict security and group policies are implemented, and the administrator is diligent, these attacks can be prevented.

    And now I'm broke! Can anyone spare some change.....I need a soda!

  8. #18
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Some miscellaneous information that people missed. Remember that L0phtCrack costs about $350 though, not the ideal program for home users. The hashes are (AFAIK) made using md5, so if you can find out a very few specifications, you could easily write a program to brute force the SAM once you have it.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  9. #19
    Junior Member
    Join Date
    May 2003
    Posts
    12
    How hard would it be to program your own brute program? Because I'm learning C++ in school right now and I'm done with, like, the first year or semester, the "11" course, and going on to the second half of it next week. So how proficient do you need to be with C++ to write one? Maybe I should post this in the programming section?

  10. #20
    Senior Member
    Join Date
    Nov 2002
    Posts
    186
    To brute force the password you would want to find out what algorithm hashed (encrypts) the password and then write a program that hashes a dictionary of possible passwords and compares them to the one stored in the SAM. If the "guess" matches the one in the SAM, you will have figured out the password. The only thing is that you would have to program a very complex mathematical algorithm, but it could be done.
    Hopefully, this makes sense and is correct. I am not sure this is the easiest way to do it, but it's how I would try it. If I'm wrong, please correct me.
    Good luck!
    "When you say best friends, it means friends forever" Brand New
    "Best friends means I pulled the trigger
    Best friends means you get what you deserve" Taking Back Sunday
    Visit alastairgrant.ca
