Investigation: How to acquire a local SAM file.

  1. #1
    Member | Join Date: Mar 2005 | Posts: 65

    Investigation: How to acquire a local SAM file.

    Ola:

    We are conducting an investigation in cooperation with our corporate security group, our first, and our manager, who knows how to do this, is out. We have a laptop from the employee under investigation and we are wondering how to get the local SAM file from the laptop. We can't ask the employee, as they do not know they are under investigation. We are going to try an UltraBay, load the physical hard disk into it and try to get admin access to the hard drive. Any thoughts, leads, tools or ways to check out would be appreciated.

    The machine is an IBM ThinkPad T40.
    The OS is W2K Pro.

    Let me know if there are questions as well.

    In advance,

    Gracias.

  2. #2
    AOs Resident Troll | Join Date: Nov 2003 | Posts: 3,152
    Well,

    If you have an admin account on the machine... and the machine is connected to your network... then you can pretty well copy any file off the laptop using the hidden admin share

    \\machinename\c$


    Although... there are procedures to "collect" info for investigations... depending on what you're investigating, local laws, and if it needs to stand up in court, etc. etc.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member kr5kernel | Join Date: Mar 2004 | Posts: 347
    You could download the live CD "Auditor" and use the samdump utility.

    Check out IronGeek's tutorial on it:
    http://irongeek.com/i.php?page=security/localsamcrack2
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  4. #4
    Member | Join Date: Mar 2005 | Posts: 65
    Ola:

    > Well,
    >
    > If you have an admin account on the machine... and the machine is connected to your network... then you can pretty well copy any file off the laptop using the hidden admin share
    >
    > \\machinename\c$
    >
    > Although... there are procedures to "collect" info for investigations... depending on what you're investigating, local laws, and if it needs to stand up in court, etc. etc.
    >
    > MLF

    Thanks for the reply back, but that's just it, we don't have admin access. Hold on...

    ...
    OMG, we just got it. We asked one of our workstation analysts for an IBM UltraBay. We got the UltraBay, took the hard drive from the laptop we are looking at, put it into the UltraBay, loaded the UltraBay into the bay of another IBM laptop we control and were able to mount the drive like a jump drive and pull over the SAM file. Took about 5 minutes total. Now off to use LC5. We are only going to get the admin pw and turn it all back over to our corporate security group. Thanks for the advice.

    Buenos dias.

  5. #5
    Member | Join Date: Sep 2003 | Posts: 42
    There you go. But like kr5kernel said, there are utilities out there to boot with that will let you access NTFS partitions and grab the SAM file.

    And I wouldn't even break out LC5. The guy's password is probably his username or a local sports team.

    Hang him!

  6. #6
    Senior Member | Join Date: Mar 2004 | Posts: 510

    > we don't have admin access

    Just curious, why don't you? Does anyone in the company or is it just your manager who isn't there right now? Is this a personal laptop that they use at work? If it's a corporate computer someone should have admin access.
    "You got a mouth like an outboard motor.. all the time putt putt putt" - Foghorn Leghorn

  7. #7
    Senior Member kr5kernel | Join Date: Mar 2004 | Posts: 347

    Seriously, why even remove the hard drive? Throw on Auditor, dump the SAM to a jump drive and crack it on another machine. It would take less than 5 minutes, probably even with boot time.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  8. #8
    Member | Join Date: Mar 2005 | Posts: 65

    > Just curious, why don't you? Does anyone in the company or is it just your manager who isn't there right now? Is this a personal laptop that they use at work? If it's a corporate computer someone should have admin access.

    It's a company computer, but we found out that they wanted the person's own id/pw, which in this case was not on the local machine but was a domain account. They also wanted admin access to the laptop and did not want to ask IT - for confidentiality purposes.

    > Seriously, why even remove the hard drive? Throw on Auditor, dump the SAM to a jump drive and crack it on another machine. It would take less than 5 minutes, probably even with boot time.

    What is the software you are referring to, "Auditor"? Would you need login access to load it up, or can you boot up from it on a CD (like Knoppix)?

    ...

    Also found out that the person who asked us to do that was in fact NOT supposed to be asking us, but going through other channels, like our manager. It was cool to watch our manager flip and go after the corporate security person. Our manager told us what should have actually happened. So we stopped LC5 and handed the material over to our manager. The reasons for that deal with legality and security - and we found out that the person who asked us to do the deed should have known better. Hmmm. Be interesting to hear if anything happens from this whole incident.

    Thanks again.

    Buenos dias.

  9. #9
    Junior Member | Join Date: Feb 2003 | Posts: 10
    I accidentally unsubscribed from my work laptop's domain while having some phun(tm) with unencrypted wireless access points in an apartment building parking lot. I tried joining a workgroup, but when I rebooted I couldn't log in to WinXP anymore. I tried using Auditor to capture the SAM last night and it was as simple as mounting hda1 and navigating to c:\windows\system32\config. I couldn't figure out how to get WLAN working and the laptop has no floppy drive, so I don't think I can get the SAM off the computer. I'll be reading IronGeek's tutorial for John the Ripper tonight, though I may grab a 300 MB text file for RainbowCrack instead since that's supposed to be way faster.

    Unfortunately, I believe I'll need physical access to the domain if I want to join it again, even with the admin password. My account is locked until my next contract in a month and I have some hackering and crackering to do before then, so I'm just brute forcing the SAM to see if I can do it. I'm going to format it and tell them I got a Norton-crippling virus and didn't want to take chances.

    Word to the wise - don't unsubscribe from an inaccessible domain if you need it to log in! Whoops!

  10. #10
    Senior Member kr5kernel | Join Date: Mar 2004 | Posts: 347

    Auditor is a lot like Knoppix; it's a live Linux CD.

    It's available at:
    http://new.remote-exploit.org/index.php/Auditor_main
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
