How to dehash SAM s - Page 3

Thread: How to dehash SAM s

  1. #21
    576869746568617 (Yes, that's my CC number!)
    Join Date: Dec 2003
    Location: Earth
    Posts: 397
    Didn't think about that, MsMittens, sure could use rdisk. Gotta love MS and their love of anonymous access!

  2. #22
    Junior Member
    Join Date: Jan 2004
    Posts: 25
    See ppl,
    I am fiddling around with my own comp, just wanted to know if the passwords can be recovered.
    Since it's my own comp, I did the rdisk, got the SAM file.
    Enough of accusations.
    And 4 ur info --> I don't like keeping friends.
    "I'd hate to have a kid like me"

  3. #23
    Senior Member
    Join Date: Jan 2002
    Posts: 1,207
    If syskey is enabled (Windows 2000 + ?) then the hashes are also encrypted in the SAM and cannot normally be read. There are several ways around this.

    - Use the running Windows to decrypt the hashes itself - use pwdump2 as localsystem or admin to dump them
    - Copy the SAM file into another (non-running) copy of the same version of Windows, boot it, and run pwdump2 on that
    - Ask M$ what the encryption algorithm is and where the syskey is stored (not likely to work). It is widely believed that it's in the registry somewhere (although perhaps not in the SAM).

    ---

    Getting admin or localsystem access without changing the existing administrator password is not too difficult - in practice it's usually just a matter of using an offline registry editor (Google for those three words) to change the default screensaver to cmd.exe. Then you get a localsystem shell which can run pwdump2 with no problem.

    Changing the admin password is also a no-brainer, although of course that changes the hash for the administrator's password in SAM. The other accounts can then be dumped of course.

    Slarty

  4. #24
    576869746568617 (Yes, that's my CC number!)
    Join Date: Dec 2003
    Location: Earth
    Posts: 397
    Of course, if the guy's worth anything, he also changed the name of the admin account. That's OK though, because it's still easy to find the admin account using the method slarty mentioned to obtain a local system command prompt.
