Getting in windows 2k and xp with local access.
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Getting in windows 2k and xp with local access.

  1. #1

    Getting in windows 2k and xp with local access.

    This is my first article, so if there are any suggestions of any kind or questions, please let me know.
    my email is: lepricaun2003@yahoo.com

    <i'm not responsible for any of this info i will give you here, it is for educational purposes only, what you do with it is your business, not mine!!>

    I'm working on a repaircenter for computers, very often we get a system in from a customer who forgot to give us his password to test the system.
    At first we called the customer everytime to get the password, but i was so sick and tired of that, that i began to do some research to remove them on my own.


    <For all the tools i've mentioned i will give the link to download them or the original site of that tool at the bottom of this article.>
    I thought this info might interest lot of other people so here it is:


    Ok now for the passwords,

    The windows 2000 and XP passwords (i think this also goes for NT and ME) are stored in the SAM file.

    SAM stands for Security Account Manager.
    This is the service which stores the passwords in the registry and in the SAM file. This is done by using a LM-hash (for compatiblity with older versions of windows) and a MD5-hash.
    This file can not be accessed when the OS is running.
    if that's not all, Windows also uses syskey to encrypt the file, so that offline viewing ( with a dos bootdisk) doesn't work. But there still are ways to get them....



    Let's start with getting administrator rights on a local machine.

    If you have complete access to the system, then there are several tools to use to change the admin password or any other for that matter. here are the tools:


    Offline NT password & registry editor:

    this is a linux based tool ( the program for making a bootable disk is for windows ) and allows you to change any password on a windows system, although it is advised not to use it on NTFS partitions for it can crash the system. But you can even disable syskey with this proggie so that all passwords are reset to blank.
    And best of it, it's free! (with source)


    CIA commander:

    This tool only works on NTFS partitions, but it works great! You can even use it to copy data from one place to another. But it is not for free.


    Passware password recovery kit:

    This is a complete kit which allows you to get almost every password for anything you want (zip-files, msoffice documents, saved passwords in IE, etc) and ofcourse a tool in it to set the administrator password to '12345', and this can also be undone if you like, so no one will ever know you were there..
    Also not for free but very very good!


    These are the tools i mostly use, and i haven't seen a system yet where i didn't got in (with local access that is :P )



    And now the registry, here the passwords are stored in HKEY_LOCAL_MACHINE\SAM.
    this can only be accessed by administrators, but even then you don't have the possibilities of seeing them without using some kind of tool (unless you can make yourself 'system' but that isn't neccessary here.)
    Here the tool 'pwdump2' comes in handy, this will give you a complete dump of all the local passwords on the system.

    Another tool is 'lsadump2', you know the screen where you have to put in your name and password if you want to connect to internet using a modem?
    Even if you don't save the password, it will be saved for you in the registry by windows and can be viewed with this tool. Also the default password (if there is any) will be shown.

    there is another version of this tool 'pwdump3' which allows you to do the same on a remote machine, you'll need the admin password for that machine too for this tool.

    And last but not least the tool i mentioned before:

    The passware IE key, which allows you to get all the stored passwords (including sites) on the system.
    This tool can be found too in the Passware password recovery kit.


    Now, i hope that this is of any use to anyone, i did my best writing it, that's for sure
    if you like this tutorial (or if you don't) please let me know with voting for it..

    here are the links i promised:

    Offline NT password & registry editor:
    http://home.eunet.no/~pnordahl/ntpasswd/

    CIA commander:
    http://www.datapol-technologies.com/...ander/main.htm

    Passware password recovery kit:
    http://www.lostpassword.com/

    pwdump2:
    http://razor.bindview.com/tools/files/pwdump2.zip

    pwdump3:
    http://packetstormsecurity.org/Crackers/NT/pwdump3.zip
    (this link should work, but the site is down at the moment)

    lsadump2:
    http://razor.bindview.com/tools/files/lsadump2.zip

    btw, pwdump 2 & 3 and lsadump2 are free tools...


    enjoy the knowledge,

    grtz


    lepricaun

  2. #2
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    Not to be critical or anything, but this is more of a reference list than a tutorial. You may want to explain how to use one or more of them to help someone better understand how to use it, what they are doing, and why they are doing it. I'm a huge fan of the Offline NT Password & Registry Editor if you would like I can write a step by step and also explaining exactly what the software is doing along the way.

  3. #3
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    I think the idea is good but it needs to be refined a bit more. The list of tools is good. With them in your box as you said you can get into most systems. As Info Tech Geek said it needs to be more explanitory and a bit more structured.

    Having said that I havent dare a tutorial yet so I take my hat off to you. I will be looking forward to your next post.

    Info Tech Geek I would be interested in that step by step guide you mentioned .

    Cheers

  4. #4
    i know a bit about what it is doing, writing hives to the registry, etc..

    but how it can exactly open the registry to that particular string, and what exactly must be changed i don't know.
    But if you can tell me how exactly the program works, please do!

    i'm here to learn, as much as possible!

    as for the summing, like i said, it is my first tutorial, and i want to make another one as well for all the proggies that i mentioned of how to use them, but it will take time, so have patience for them, but they will come

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    FFR (For Future Reference)...

    Windows ME does not use a SAM....The SAM is specific to Windows NT (3.5-4.0), Windows 2000-2003, and Windows XP

    Windows ME is based on the Win9X kernel and therefore stors all password information in LanMan format and in the registry.

    Nice try, though....keep it up, listen to your feedback, and your Tuts will get better.

    BTW Info Tech Geek: I too would be interested in that.

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    ummm...you mentioned that the tool "Offline NT password & registry editor"...but it works on Linux. So what you'll do is first to dual boot the machine with any Linux distro(installing it), then mount the Windows partition and then get hold off the SAM file. Is'nt it a little too much for the SAM file. And secondly, if you dont have the password for logging in the machine (which provided you no shell),then how would you actually install that software and make it run.

    I am a little confused but the topic seems to be intresting. I might gain some confidence if I'd be able to do that. Moreover, can someone throw some light over the fact that how actually passwords in SAM file are generated from the MD5 hashes again. and how would you stop the tools to do so. What happens in the case of a LAN where users have to login on the networked machine with some profile server in place?(active directory)....too many questions ..I guess

    Might help me to understand the concept of Windows security

  7. #7
    ummm...you mentioned that the tool "Offline NT password & registry editor"...but it works on Linux. So what you'll do is first to dual boot the machine with any Linux distro(installing it), then mount the Windows partition and then get hold off the SAM file. Is'nt it a little too much for the SAM file. And secondly, if you dont have the password for logging in the machine (which provided you no shell),then how would you actually install that software and make it run.
    the "Offline NT password & registry editor" distribution is bootable, so are CIA-commander and the passware tool ( that is the setup cd of windows is);
    this is how you can get to the SAM file, you'll have to shut down the system and boot it again with one of the programs.

    for the pwdump2, pwdump3 and lsadump2, these can only be used when you already are an admin, but still they are very interesting. take a look at the following example:

    Box: windows 2000
    users: A,B,C,D and the administrator
    user A and B have administrator rights

    first you boot with the windows 2000 set up cd, and use the additional drivers <f6>command to add the driver from passware. now you can change the admin password to '12345'

    boot the system ( you'll be asked to change your password as admin) , don't do this, but just get into windows.

    run pwdump2 --> you'll have the LM and MD5 hashes for users A,B,C,D and of course the admin ( which at this point is 12345)

    run lsadump2 to see if there is a default password set and to see if the ras dial-up parameterds are something interesting.

    then shutdown and reboot with the windows cd and repeat the procedure with the passware driver, now you'll have the option to set the admin pw back to it's original.


    now you can start cracking the hashed of pwdump2 using "john the ripper" or some other tool.
    once you have the pw for user A or B, then you'll have full admin access without anyone knowing since no passwords were changed.

    total time: depending on the speed of cracking, but lets say if they use dictionary passwords, less then one hour.

    if you just want to use the system because someone lost his pw, then you'll be in it withing 5 minutes..

  8. #8
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    EDIT...The underlined portion is how I should have started this post. (Thanks, MsMittens, for pointing out the oversight!)

    As for stopping the tools, If you have physical access to the machine, and it's not properly secured (see MsMittens Post Below), you are pretty much screwed! There are also a few basic things you can do to keep that kind of thing at bay over the net.

    1.) Disable any services you do not need. This is pretty much a trial and error process, depending on what you use the box for. Under no circumstances should you disable the Security Accounts Manager service, as this is the SAM database. If you disable that, you'll be re-installing windows (most of the time).

    2.) Block TCP and UDP ports 135-139 and 445 at the network perimeter firewall/gateway. This will help stop NetBIOS enumeration and LSA snooping.

    3.) Replace every instance of the "Everyone" group with "Authenticated Users" on all shares and in the registry. This will help to limit a hacker's ability to use anonymous credentials to enumerate the SAM.

    4.) Use the Local Security Policy, Domain Security Policy, Domain Controller Security Policy, and Group Policy MMC snap-ins to define a strict security policy. Set passwords to require alpha-numeric combinations and a minimum of 7 characters. For administrative accounts, make the passwords 14 or 21 characters, nothing in-between, exactly 14 or exactly 21 characters. Any services that use a user account rather than the local system account should have passwords of 28 characters. This is because in addition to the SAM, Win2K and XP store a LanMan password in the LSA, which is much easier to crack than the SAM (because it is usually plain text) and it stores passwords in seven character chunks, so a 12 character password would be stored as 2 7 character password chunks, with the remaining 2 characters being zeros.

    Also pay close attention to the "RestrictAnonymous" settings there and in the registry.

    This is not an all-inclusive list by any means. I'm working on part 2 of my tutorial series Simplified Domain Controller Hardening, which should be out next week. I'm covering this in depth, so give it a read.

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    If you have physical access to the machine, there's not much one can really do to secure it.
    Sure you can! Remember, there isn't anything that guarantees security (nothing is 100%) but dammit, mitigate it as much as possible:

    1. restrict access to servers and other "important" machines (important is defined by the company or individual as to how much access others should have to it)

    2. put servers and other critical machines into metal cages

    3. ensure that the server room doesn't have a drop down ceiling

    4. security screws for the box

    5. remove/disable floppy/cdrom drives

    6. remove keyboard/monitor and use remote access. Store extra peripherals in a locked closet/cage

    7. set bios passwords that restrict access to changes to boot sequence.

    8. CCTV the server room with the Video being recorded on a 72 hour or longer tape. Store tapes as per the policy of the company.

    9. Employ smart card or push button access to the server room

    10. Never allow anyone into the server room who shouldn't be allowed access and if someone must go in, go with them. Never assume that the CEO or some other employee is "trustable".

    It's a question of making it harder for an attacker rather than just giving up.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Touche'

    I stand corrected. (Which is always an honor and a privelage where MsMittens is concerned J'aime MsMittens!) Excusez moi, I'm rusty!

    I really wasn't thinking about a corporate environment, but rather a home office or personal type setting.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides