-
November 25th, 2004, 02:00 PM
#1
Banned
Where is SAM?
Dear Buddies, I want to know the actual location of the Windows NT SAM, from where PWDump-like tools dump these password hashes.
I have tried "%systemroot%\repair\sam" and "%systemroot%\system32\config\sam" but neither of them dumped the correct hashes.
I took my SAM from the *config* folder with the help of NTFSDOS and exported it to LC5, and at the same time I imported the password hashes with the help of LC5 itself. Now the earlier hashes were different from the latter. What's this? Can you please help me get the original SAM?
Regards
-Navi Aulakh
-
November 25th, 2004, 02:10 PM
#2
It should be under %systemroot%\system32\config\sam. You might want to look at Cain and Abel and pull it from the Hive. I suspect the SAM file itself only gets updated during a reboot/shutdown.
-
November 25th, 2004, 02:17 PM
#3
If you mean this pwdump:
http://us1.samba.org/samba/ftp/pwdump/
/*
* Program to dump the Lanman and NT MD4 Hashed passwords from
* an NT SAM database into a Samba smbpasswd file. Needs Administrator
* privillages to run.
* Takes one arg - the name of the machine whose SAM database you
* wish to dump, if this arg is not given it dumps the local machine
* account database.
*/
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 25th, 2004, 02:25 PM
#4
Banned
This didn't solve my problem.
Just tell me: is the file located at "%systemroot%\system32\config\sam" the file which PWDump, Cain and Abel, LC5, etc. use to dump the password hashes?
-
November 25th, 2004, 02:35 PM
#5
Member
The reason why the hashes are different if you're getting them from the raw SAM file, not through pwdump/cain, etc., is because they are syskey encrypted.
-
November 25th, 2004, 02:38 PM
#6
Didn't I just say that? The file you are looking for is called SAM and it's under %systemroot%\system32\config. However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry. But as Sir Dice pointed out, if you aren't admin, you probably won't be able to access that.
-
November 29th, 2004, 01:55 PM
#7
Banned
Thanks for your helpful replies. But you buddies have created a new question in my mind.
Can we extract the password hashes from the *Registry Hive*?
"However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry"
I would really appreciate it if you replied to this question.
-
November 29th, 2004, 02:01 PM
#8
Sigh.
Yes. As I pointed out, download a tool like Cain and Abel or SamInside. Both of those will pull it out of the Registry Hive, or rather from its location when stored in memory (LSA Secret -- might want to look for LSADump2, should do the same thing).
-
November 29th, 2004, 02:09 PM
#9
Banned
Oh dear, how can I use 'Cain and Abel' or 'SAM Inside' when I am trying to get the password file through NTFSDOS? And please tell me, are these password hashes pre-syskey encrypted?
-
November 29th, 2004, 06:15 PM
#10
Should have mentioned that at the start. Use the reg command. More details here. I suspect reg query <hive> is what you want to use.
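From the defender's side, the two access routes named in this thread (the on-disk SAM copies and the reg command pointed at the SAM hive) can be watched for in process-creation logs. The following is an added example, not part of the original thread; the event layout and the sample events are constructed assumptions.

```python
import re

# Paths and hive name come from the thread; the event layout is an assumption.
SAM_FILE = re.compile(r'\\(system32\\config|repair)\\sam(?=[\s"]|$)', re.I)
SAM_HIVE = re.compile(r'\b(hklm|hkey_local_machine)\\sam\b', re.I)
REG_EXE = re.compile(r'(^|[\\\s"])reg(\.exe)?(?=[\s"]|$)', re.I)

# Constructed sample process-creation events (not real logs).
EVENTS = [
    {"time": "10:01:07", "user": "alice",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"time": "10:04:42", "user": "bob",
     "cmdline": r"C:\WINNT\system32\reg.exe query HKLM\SAM\SAM"},
    {"time": "10:09:13", "user": "bob",
     "cmdline": r"cmd /c copy C:\WINNT\repair\sam C:\temp\s"},
    {"time": "10:15:30", "user": "carol",
     "cmdline": r"regedit.exe /s settings.reg"},
]

def classify(cmdline):
    """Return a reason string if the command line touches the SAM, else None."""
    if SAM_FILE.search(cmdline):
        return "on-disk SAM file referenced"
    # Any reg subcommand aimed at the SAM hive is worth an alert.
    if REG_EXE.search(cmdline) and SAM_HIVE.search(cmdline):
        return "reg command against SAM hive"
    return None

def scan(events):
    """Return (time, user, reason) for every event that matches."""
    hits = []
    for ev in events:
        reason = classify(ev["cmdline"])
        if reason:
            hits.append((ev["time"], ev["user"], reason))
    return hits

if __name__ == "__main__":
    for time, user, reason in scan(EVENTS):
        print(f"{time} {user}: {reason}")
```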