
Thread: How to dehash SAM s

  1. #11
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Originally posted here by Desolation_Jam
    Now Now
    576869746568617 dearo I have a few more questions
    1. What is LSA ? ( I am a newbie )
    2. What is SID ? ( I am a newbie )
    ... and I am a confused newbie .....
    Thanks neways
    Use this link to find out more about these words

    http://dictionary.reference.com/
    // too far away outside of limit

  2. #12
    Junior Member
    Join Date
    Sep 2002
    Posts
    5

    Download this utility

    Desolation_Jam,
    There is a utility available for playing with SAM data. I have not used it, but it is available on packetfactory.net.
    So search and download it yourself.

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Originally posted here by 576869746568617
    Here's all you're gonna get from me

    To get hash from Sam, you gotta know Sid.

    Sid keeps Sam's hash, gotta find Sid!
    Hey, I like SIDs too! I downloaded yesterday the HVSC, High Voltage Sid Collection! It rocks.
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  4. #14
    Junior Member
    Join Date
    Sep 2002
    Posts
    5

    Download this utility

    Desolation_Jam,
    There is a utility available for playing with SAM data. I have not used it, but it is available on packetfactory.net.
    So search and download it yourself.

  5. #15
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Sheesh. Visit AtStake and buy their LC4 (formerly L0phtCrack). Or brute force the sucker as suggested earlier. You get into trouble, I don't wanna hear about it. It's your problem.


    From Whatis Search on LSA

    What is Local Security Authority?
    This question posed on 28 June 2001



    The Local Security Authority or LSA is a key component of the logon process in both Windows NT and Windows 2000. In Windows 2000, the LSA is responsible for validating users for both local and remote logons. The LSA also maintains the local security policy.

    During the local (interactive) logon to a machine, a person enters their name and password to the logon dialog. This information is passed to the LSA, which then calls the appropriate authentication package. The password is sent in a nonreversible secret key format using a one-way hash function. The LSA then queries the SAM database for the user's account information. If the key provided matches the one in the SAM, the SAM returns the user's SID and the SIDs of any groups the user belongs to. The LSA then uses these SIDs to generate the security access token.
    Whatis.com Search on SID

    What is the function of the SID?
    This question posed on 15 July 2003

    Security identifier (SID) is a unique security identification number assigned to security principals (objects that can be assigned access to objects in Windows). Users, groups and computers are assigned SIDs. This uniquely identifies the user, group or computer to the domain or to the local computer if a local account is used. For example, when a user logs on, a collection of his SID and the SIDs of groups of which he is a member is made. This list is used when he needs to access a resource -- say, a file. The file has a Discretionary Access List (DACL) that is composed of access control entries (ACE) that include a SID and what permission that SID has on the file. The DACL is checked against the user's list, and a decision can be made whether or not to let him access the file.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
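
The SID and DACL passage quoted in the post above, worked through as an added example (not part of the original thread or of any Windows API): a simplified model of checking an ordered DACL against the SID list built at logon. The rights bits, the domain prefix and the user and group SIDs are constructed sample values; only `S-1-1-0` (Everyone) is a real well-known SID.

```python
# Simplified model of the DACL check: ordered ACEs against the SIDs in a token.
from dataclasses import dataclass
from typing import List, Optional, Set

READ, WRITE = 0x1, 0x2            # illustrative rights, not real Windows access masks
EVERYONE = "S-1-1-0"              # well-known Everyone SID
DOM = "S-1-5-21-1000-2000-3000"   # constructed domain prefix for the sample SIDs
ALICE, BOB, STAFF, CONTRACTORS = (f"{DOM}-{rid}" for rid in (1001, 1002, 1101, 1102))

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

def token_sids(user_sid: str, group_sids: List[str]) -> Set[str]:
    """The list built at logon: the user's SID plus the SIDs of the user's groups."""
    return {user_sid, *group_sids}

def access_check(sids: Set[str], dacl: Optional[List[Ace]], desired: int) -> bool:
    """Walk the ACEs in order until every desired right is granted or one is denied."""
    if dacl is None:              # no DACL at all: the object is unprotected
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False          # a deny on a right still needed ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                  # empty DACL, or some right was never granted

# Constructed sample DACL for one file: deny entries first, then allows.
FILE_DACL = [
    Ace("deny", CONTRACTORS, WRITE),
    Ace("allow", STAFF, READ | WRITE),
    Ace("allow", EVERYONE, READ),
]

if __name__ == "__main__":
    alice = token_sids(ALICE, [STAFF, EVERYONE])
    bob = token_sids(BOB, [STAFF, CONTRACTORS, EVERYONE])
    print("alice write:", access_check(alice, FILE_DACL, WRITE))
    print("bob write:  ", access_check(bob, FILE_DACL, WRITE))
    print("bob read:   ", access_check(bob, FILE_DACL, READ))
```

The broad `EVERYONE` allow entry is the kind of ACE to look for when reviewing who can read a sensitive file: any token carries that SID, so the grant applies regardless of group membership.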

  6. #16
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    posted Today 04:28 AM
    And I thought I stayed up late!

    What's your take on the first post, MsMittens? I mean, the SAM is on a floppy, exported from a "friend's computer"........don't you have to have Admin rights to do that?

    So there are three possibilities, IMHO:

    1.) Friend trusts Desolation Jam enough to export SAM to disk for whatever reason (which is kind of fishy to me, because I don't trust anyone that much) In any event, if the friend trusts Desolation Jam that much, why doesn't Desolation Jam know the Admin User Name and Password?

    2.) Desolation Jam exported the SAM from the "friend's computer", which means Desolation already knows the Admin Username and Password.

    3.) Desolation Jam stole someone else's ERD and is trying to crack the SAM to get access to the system.

    I just don't feel obliged to help out on this any more than I already have, but I could be wrong, so here's a link for you to check out:

    www.foundstone.com Check out the tools section. Try using user2sid and sid2user, in conjunction with l0phtcrack (LC4) and possibly enum, depending on how you want to go about it. That's all you'll get from me. If you need any more info, Buy the damn book!

  7. #17
    Hey 576869746568617, your avatar looks like Yoshimitsu.

    2.) Desolation Jam exported the SAM from the "friend's computer", which means Desolation already knows the Admin Username and Password.

    3.) Desolation Jam stole someone else's ERD and is trying to crack the SAM to get access to the system.
    You do not need the password to export the SAM. Last time I checked, you could not touch SAM in NT unless you used DLL injection. All you have to do is boot into DOS, or some other OS that can touch the NT partition and then export it.

    It can not be number three because he is too stupid to perpetrate number two, and probably does not understand number one. I think he actually wants to crack the password on his own computer that his parents control (only let him on when they want, etc...).

    -Cheers-

    [Edit]

    PS: I r00ted the computer my parents had control of when I thought I was 733t. Lol. I used the method I just said.[/Edit]

  8. #18
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I was talking bout exporting it on an ERD, which would require Administrator, or at the very least, backup, account, or server operator privileges.

    Dll injection would work too (and work very well), but if Desolation Jam can't figure out how to do #1,2, or 3, probably won't have a clue how to do that either. That would be the easiest way to do it. Of course, I don't know how dll injection would help crack a SAM that is on floppy and not in use.

    I used to think I was 733t cause I could do that too. Boy was I off it!

  9. #19
    Lol. I am just talking about retrieving it. Interesting stuff. Basically DLL injection would allow you to stop the process (the one that, if it is running, SAM can not be opened), then inject your own DLL (or EXE I think...). Allowing you to C/P the SAM file, then resume the process. I know that is not very technical, but I only read a brief paper on it.

    -Cheers-

  10. #20
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Actually, if the admin did rdisk /s (I think that's the command.. bear with me cuz I'm getting old and as we know, memory is the 2nd thing to go), it copies the SAM to the Repair directory, which, last time I checked, by default was "Everyone have access". Yay MS.

    MsMittens rolls her eyes

    The other way of getting the same is from backup tapes or booting with a DOS disk using NTFSDos. Kinda a nifty old trick.

    And naw... I just get up early... I didn't have to today but wanted to do a ride.
