sam/lc5 question

[dark5yntax]

Hi, here is my question. I made a copy of my desktop pc's sam file. I then moved it over to my laptop. I made a new text document and put my password into it. When i ran a dictionary attack against my sam file, nothing happened. It isn't cracking the hashes. Also, when i run LC5 and audit my laptop passwords, it will show more info then just the account name, but with the file I get only the account names. I also tried to use Cain and Able with the file which has the password in it but I have had no sucess. Has anyone tried this before and what am I doing wrong?

Thanks

~ |)ARK$YNTA>< ~

[ghostmachine]

Originally posted here by dark5yntax
Hi, here is my question. I made a copy of my desktop pc's sam file. I then moved it over to my laptop. I made a new text document and put my password into it. When i ran a dictionary attack against my sam file, nothing happened. It isn't cracking the hashes. Also, when i run LC5 and audit my laptop passwords, it will show more info then just the account name, but with the file I get only the account names. I also tried to use Cain and Able with the file which has the password in it but I have had no sucess. Has anyone tried this before and what am I doing wrong?

Thanks

~ |)ARK$YNTA>< ~

how did you make the copy of the SAM on your desktop?

[dark5yntax]

Originally posted here by ghostmachine
how did you make the copy of the SAM on your desktop?

I used knoppix and copied it to an sd card in my card reader via usb.
Then I just moved it over to my desktop on my other comp.

[Irongeek]

you have to undo Syskey on the SAM first. See:

http://www.irongeek.com/i.php?page=s.../localsamcrack
http://www.antionline.com/showthread...ghlight=syskey

[dark5yntax]

your referance was awsome. It helped me understand syskey and sam files a lot better. But another question I have is when I first imported the dump into cain it said for the admin password it was ???????S and after brute forcing for awhile I now have WE3KING???????. Does the question marks actually represent how many characters are left and if so is there any way I can lock in the first 7 which it already gave me and just work on the last ones? Again thank you for your help.

-= |)ark$ynta>< =-

[Irongeek]

Basically it means that you are cracking the older LAN Manager hashes where the password is all uppercase and split into two 7 byte sections. I copied this from a Microsoft site, it may help explain:

The LAN Manager (LM) Hash
The LM hash is technically speaking not a hash at all. It is computed as follows:
1. Convert all lowercase characters in the password to uppercase
2. Pad the password with NULL characters until it is exactly 14 characters long
3. Split the password into two 7 character chunks
4. Use each chunk separately as a DES key to encrypt a specific string
5. Concatenate the two cipher texts into a 128-bit string and store the result

What L0phtcrack or Cain is telling you is that it has cracked one 7 byte section of the password already. (there may be a better way to say that, someone else pipe in)

[dark5yntax]

so is there anyway to have either LC5 or cain crack the second have since I already have the first? Im a little new at this so how would u go about finishing it?

and thanks for your quick responses I do appreciate it.

[Irongeek]

Just let it keep running the brute force crack, it just happened to find one 7 character string before the other.

[dark5yntax]

ok so then your saying it is two seperate strings of 7characters each. Right?
Also I'm up to 8 characters now so should i start over at 6 so I fully go through seven?
Thanks again.

[Irongeek]

I'm not sure what you mean.