The SAM exploit

#1 PacketThirst (Senior Member, joined Aug 2004, 258 posts)

    Hey folks!

    I've been playing around with my SAM for quite some time now. I found this trouble with SAM (I've tried it only on my box running XP Pro). If you cracked the SAM file of a particular box (which you can obtain by booting into the command prompt, by using a live disk, or simply by running another OS), you could have lifelong access to the box. I've often heard security pros telling people to change the Windows password frequently so that even if someone did get the SAM file and cracked it using tools like L0phtCrack, he wouldn't be able to access it because the password was changed. My technique involves replacing the existing SAM file with the cracked one in the same way the SAM file was taken. I haven't tried using the cracked SAM on different boxes (not sure if it would work). So what's your opinion? Any methods to stop this?

#2 Senior Member (joined Oct 2002, 1,130 posts)
    My opinion?

    If you can replace the SAM file, you therefore already have administrator level access to the box and can get whatever you require off of it. You therefore do not need to replace the SAM file to access this box in the future, unless you need to show off your newly gained r00t access with a fancy Windows GUI. It would also require physical access to the box, which is not always an option.

    It might, and probably will, break a bunch of random things as well, like changing the password for user accounts used by the kernel or things like VB or SQL.

    If one already has administrator access to the box, why potentially break things to get "more" administrator access?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

#3 PacketThirst (Senior Member, joined Aug 2004, 258 posts)
    That's not my point. A person who has plain physical access to the box can take the SAM and crack it. Even if the cracking takes weeks or even months, he could come back later and access the system as root! So even if the administrator did find out about this, his changing the password would not stop the attacker. By the way, you don't need to be root to access the SAM and replace it! Try it!

#4 PacketThirst (Senior Member, joined Aug 2004, 258 posts)
    If you can replace the SAM file, you therefore already have administrator level access to the box and can get whatever you require off of it. You therefore do not need to replace the SAM file to access this box in the future, unless you need to show off your newly gained r00t access with a fancy Windows GUI

    Don't tell me getting files is not the only thing you can do as root! There is a lot of stuff which can only be done in that "fancy Windows GUI".

#5 Senior Member (joined Oct 2002, 1,130 posts)
    True, some things need the GUI. I tend to look at things from a forensics point of view; if you can get any file you need from a system, why put yourself through more trouble? But it's not up to me to tell you whether what you want to do is useful to you or not, so I will answer your question a little better.

    You could replace the SAM with one containing additional accounts with administrator access, which the user likely wouldn't know about, and then if the administrator password were changed, you'd still have those extra accounts to fall back on, even if you no longer knew the administrator password. That would give you lifelong access to the box. This would require some serious cryptanalysis though (like you said, weeks or months, if you're lucky).

    This could be prevented, or at least detected, with an IDS such as TripWire, which monitors the MD5 sums (or sha sums, or whatever), of a list of critical files and alerts you if they are changed. You can then replace them with a known good backup.

    Totally preventing it would be a lot more difficult, but it could be done perhaps by encrypting the entire hard drive in some sort of loopback system so an attacker wouldn't even recognize the SAM file if he/she were sitting on it. There are quite a few commercial programs which can do this. I believe some readily available hard drives have encryption capabilities which could do this too.
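The TripWire-style detection described in post #5, as an added example that is not from the thread or from any product: it records SHA-256 digests of a list of critical files and reports which of them changed, went missing or appeared, so an offline replacement of a hive such as the SAM is caught at the next check. The file paths are the operator's choice; the demo uses constructed temporary files in place of a real hive.

```python
# Added example (not from the thread): a minimal TripWire-style integrity check.
# It records SHA-256 digests of listed critical files and reports which changed,
# so an offline swap of a hive such as the SAM is caught at the next run.
# Paths are operator-chosen; the demo uses constructed temp files, not a real
# %SystemRoot%\System32\config\SAM.
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 (post #5 says MD5; SHA-256 is the modern pick)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Return {path: digest} for every listed file that currently exists."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline, paths):
    """Compare current digests with the baseline; returns {'modified','missing','new'}
    lists, any non-empty one being an alert to restore a known-good backup."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake SAM and SYSTEM hive, swap SAM, re-check."""
    with tempfile.TemporaryDirectory() as d:
        sam, system = os.path.join(d, "SAM"), os.path.join(d, "SYSTEM")
        for p in (sam, system):
            with open(p, "wb") as f:
                f.write(b"original hive bytes: " + os.path.basename(p).encode())
        base = build_baseline([sam, system])
        with open(sam, "wb") as f:          # simulate the offline replacement
            f.write(b"replaced hive bytes")
        report = check_integrity(base, [sam, system])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

Running demo() reports SAM as modified and nothing else; in practice the baseline must be stored off the monitored host, since anyone who can swap the hive offline can also rewrite a baseline kept beside it.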

#6 PacketThirst (Senior Member, joined Aug 2004, 258 posts)
    Yeah... why don't these OS companies hide these password files themselves? I don't know much about filesystems, but ext3 cannot be accessed by Windows. Similarly, can't you just use a very different file system or something for storing the passwords which can only be accessed when the computer reaches the LOGIN screen? (Dumb? hehe... I'm feeling strange today.)

    Packet Thirst

#7 Senior Member (joined Oct 2002, 1,130 posts)
    You could... until somebody writes a module to read it. Windows can't read ext3 filesystems because they won't spend the money necessary to develop the support for it, not because ext3 filesystems are more secure.

    There ain't no such thing as a filesystem which can't be accessed except by the native OS. All it takes is someone to write the support to read it. This is why passwords are encrypted rather than hidden.

    You can't rely on nobody finding a password file. The sole strength of a password system lies in the strength of the encryption used.

    If an OS can read the password file at the login screen, then somebody has written the support to read it, which means somebody else can too.

    Passwords don't really do much once somebody has physical access to a system anyway. Their real strength is in limiting server access.

    Bottom line: if somebody found a way to hide the password file, somebody else would find a way to unhide it. So there better be some pretty good encryption used in it.

#8 Senior Member (joined Jan 2003, 3,914 posts)
    Originally posted here by PacketThirst
    Yeah ... why don't these OS companies hide these password files themselves. I don't know much about filesystems but, ext3 cannot be accessed by windows. Similarly can't you just use a very different file system or something for storing the passwords which can be only accessed when the computer reaches the LOGIN screen ?? ( dumb ?? hehe... I'm feeling strange today).


    Packet Thirst
    Hey Hey,

    I just wanted to point out that you can access ext3 from Windows.... It's not an overly difficult process.. just requires the software.... check out Explore2fs.

    As far as playing with the SAM file to backdoor it.... As Striek said, if you can get physical access then you'd take what you need then.. why risk going back a second time to dump your backdoored SAM file... if someone really wanted access again, they'd obtain it the same way they did the first time, or they'd drop a root kit (which does exist for Win32) and use it next time. You'd also need to figure out the syskey and make the systems think they were the same. To do this you'd probably require dumping a ghost image...

    Get physical access and dump an image to an FTP somewhere
    Ghost that image onto another machine
    Dump the SAM file and decrypt the passwords
    Log in as Admin
    Add another account
    Dump the SAM file again
    Load that SAM File onto the original machine.

    Anyways.... that's my take on it...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

#9 PacketThirst (Senior Member, joined Aug 2004, 258 posts)
    As Striek said, if you can get physical access then you'd take what you need then.. why risk going back a second time to dump your backdoored SAM file... if someone really wanted access again, they'd obtain it the same way they did the first time

    You can't just have complete access to the box with just physical access, can you?
    All you need to get the SAM file (as I've earlier said) is just a live CD or something like that. Without any kind of privileges you could get the SAM file. Get the SAM file, crack it. Come back later (maybe after a few months) and, assuming the administrator didn't change his OS, you could be root and do all sorts of stuff! You've seen the movie THE FUGITIVE, haven't you?

#10 Senior Member (joined Oct 2002, 1,130 posts)
    You can't just have complete access to the box with just physical access, can you?
    Yes, you can. Boot from a floppy or a CD using some OS with NTFS read support. You can now take anything you want off that box.
