Thread: Where is SAM?

  1. #1

    Where is SAM?

    Dear Buddies, I want to know the actual location of the Windows NT SAM, from which PWDump-like tools dump these password hashes.

    I have tried "%systemroot%\repair\sam" and "%systemroot%\system32\config\sam", but neither of them dumped the correct hashes.

    I took my SAM from the *config* folder with the help of NTFSDOS and exported it to LC5, and at the same time I imported the password hashes with the help of LC5 itself. Now the hashes from the former were different from the latter. What's this? Can you please help me to get the original SAM?

    Regards

    -Navi Aulakh

  2. #2
    MrLinus (Just a Virtualized Geek), joined Sep 2001, Redondo Beach, CA, 7,323 posts
    It should be under %systemroot%\system32\config\sam. You might want to look at Cain and Abel and pull it from the Hive. I suspect the SAM file itself only gets updated during a reboot/shutdown.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Just Another Geek, joined Jul 2002, Rotterdam, Netherlands, 3,401 posts
    If you mean this pwdump:
    http://us1.samba.org/samba/ftp/pwdump/

    /*
    * Program to dump the Lanman and NT MD4 Hashed passwords from
    * an NT SAM database into a Samba smbpasswd file. Needs Administrator
    * privillages to run.
    * Takes one arg - the name of the machine whose SAM database you
    * wish to dump, if this arg is not given it dumps the local machine
    * account database.
    */
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    This didn't solve my problem.

    Just tell me whether the file located at "%systemroot%\system32\config\sam" is the file which PWDump, Cain and Abel, LC5, etc. use to dump the password hashes.

  5. #5
    The reason the hashes are different when you get them from the raw SAM file rather than through pwdump/Cain, etc. is that they are syskey encrypted.

  6. #6
    MrLinus (Just a Virtualized Geek)
    Didn't I just say that? The file you are looking for is called SAM and it's under %systemroot%\system32\config. However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry. But as Sir Dice pointed out, if you aren't admin, you probably won't be able to access that.

  7. #7
    Thanks for your helpful replies. But you buddies have created a new question in my mind.

    Can we extract the password hashes from *Registry Hive*?

    However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry
    I would really appreciate it if you reply to this question.

  8. #8
    MrLinus (Just a Virtualized Geek)
    Sigh.

    Yes. As I pointed out, download a tool like Cain and Abel or SamInside. Both of those will pull it out of the Registry Hive, or rather from its location when stored in memory (LSA Secrets; you might want to look for LSADump2, which should do the same thing).

  9. #9
    Oh dear, how can I use 'Cain and Abel' or 'SamInside' when I am trying to get the password file through NTFSDOS? And please tell me, are these password hashes pre-syskey encrypted?

  10. #10
    MrLinus (Just a Virtualized Geek)
    Should have mentioned that at the start. Use the reg command. More details here. I suspect reg query <hive> is what you want to use.
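The replies above turn on two points: the SAM hive lives under %systemroot%\system32\config (with an older copy under %systemroot%\repair), and reading it, on disk or via the registry, needs administrative rights. The following PowerShell is an added example, not code from the thread, that an administrator can run to confirm both copies are still restricted to SYSTEM and Administrators and to see whether the current token can open the live hive with `reg query`. It assumes a stock Windows layout ($env:SystemRoot) and the built-in reg.exe.

```powershell
# Added example (not from the thread): audit who can read the SAM hive file and
# its repair-folder copy, then probe the live registry hive from this token.
# Assumes a stock Windows layout ($env:SystemRoot) and the built-in reg.exe.

$paths = @(
    (Join-Path $env:SystemRoot 'System32\config\SAM'),
    (Join-Path $env:SystemRoot 'repair\SAM')
)

# Principals expected to hold Allow entries on the SAM hive; anything else is
# worth a second look, because the hive holds the (syskey-encrypted) hashes.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : not present"
        continue
    }
    # Get-Acl only reads the security descriptor, so it does not need read
    # access to the hive contents themselves.
    $acl = Get-Acl -LiteralPath $p
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $who) {
            Write-Warning "$p : unexpected Allow ACE for $who ($($ace.FileSystemRights))"
        }
    }
    Write-Output "$p : owner $($acl.Owner), $($acl.Access.Count) ACEs checked"
}

# Live view of the hive, as suggested in the thread with the reg command.
# A non-zero exit code means this token could not open HKLM\SAM, which is the
# expected result outside an administrative session.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
& reg.exe query 'HKLM\SAM' 2>$null | Out-Null
Write-Output ("reg query HKLM\SAM exit code: {0} (running as admin: {1})" -f $LASTEXITCODE, $isAdmin)
```

Run it from an elevated prompt to see the expected ACLs, then from a standard-user prompt to confirm the live hive is not readable there.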
