-
SAM File
I was reading somewhere that the SAM file in Windows is the passwords in a hash. There are programs available that will crack these for you by hashing a supplied list of words and comparing them against the hashes in the file you are trying to decrypt. Then I read that Microsoft did something to make this process a lot harder and that available software will no longer work. Is this true, and what exactly did Microsoft do to prevent these types of attacks? I do not want the program that does this, just information concerning how they prevented this. Also, when you have IE save passwords for you (AUTO something, I believe), does this also go into some encrypted file, or is this available in plain text for anyone who knows where to look?
hjack
-
The SAM
The SAM is the Security Accounts Manager, which is like the doorman at a nightclub with his clipboard for who can come in or not. It is a database that contains the accounts, passwords and rights on the system. It is not used in all Windows systems, like 95 or 98, but it is used in NT-based systems.
Yes, there are well-documented tools for enumeration of the accounts from the file, the most famous being L0phtCrack from the infamous (and former) L0pht Heavy Industries (created, I believe, by Dr. Mudge), who is now a sought-after security consultant who works for @stake.
Microsoft did fix the hash problem, sort of, with Windows 2000, as that now uses Kerberos (from Cerberus, the three-headed gatekeeper in Greek mythology).
However, I believe it still stores hash information for backward compatibility, and indeed there are new tools for Win2k security enumeration (LC4 etc.).
Anyway, hope this helps.
-
Yes, passwords are saved in both plain text as well as encrypted, I believe. I just read about this in someone's tutorial in the last few days. All IE usage is saved in a "hidden" folder only accessible through DOS. Someone help with the thread; I can't find it and am running late for work.
-
Well, the passwords are not stored as plain text! They are stored using a hashing algorithm.
But I think I know what you mean!
-
Backwards
Yes, MS fixed the hashing problem in Windows 2000; however, it was designed to work with NT machines, so backward compatibility is turned on by default. So your really difficult password is encrypted for Windows 2000 just fine and dandy, and then a copy is stored with the old NT hashing scheme and converted to all uppercase. We all agree that it is EASY to break with a few tools or some extensive know-how.
This entire situation is left over from LAN Manager, a pre-NT OS that added network features to Microsoft and was then incorporated into NT. LAN Manager is still around, and you can turn it off, but be warned! Some stuff will stop working, and you have to take extra steps to make sure the hash is still not being copied, because that process still happens on certain OS machines. I don't even have it turned off yet... it's time consuming and complicated. I keep hoping MS will release some magical tool to do it for me.
It is possible to completely disable LAN Manager and the LM hash and use a newer, more secure version of it. Here are some articles on the subject. Have fun; I am too scared to do this since I have many, many NT stations. Has anyone been successful at it?
"How to Disable LM Authentication on Windows NT [Q147706]"
"LMCompatibilityLevel and Its Effects [Q175641]"
"How to Enable NTLMv2 Authentication for Windows 95/98/2000/NT [Q239869]"
TechNet also has some articles: www.technet.com
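Added example, not code from this thread or from any of the tools it names: the dictionary attack the first post asks about, run offline against a pwdump-style export of the SAM (one `user:RID:LM_hash:NT_hash:::` line per account), together with the consequence of the uppercase LM copy that the "Backwards" post describes. The NT hash is MD4 over the UTF-16LE password; MD4 is written out in pure Python because OpenSSL 3 builds of `hashlib` no longer expose it. The LM hash itself is not recomputed here (that needs DES), but two things about it are used as known facts: `AAD3B435B51404EE` is the LM half produced by an empty 7-byte block, and LM uppercases the password before hashing, so two accounts with the same LM hash have the same password up to letter case. The sample dump is constructed: the Administrator line is the textbook pwdump example (password `password`), and the other two NT hashes are generated by the script so the file is self-consistent.

```python
"""Offline audit of a pwdump-style SAM export (added example, not from the thread)."""
import struct
from itertools import product

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed because the NT hash is MD4 of the UTF-16LE password."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1, F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2, G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3, H = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash: case-sensitive, no 14-character limit, no split into halves."""
    return md4(password.encode("utf-16le")).hex().upper()


# DES-ECB of "KGS!@#$%" under an all-zero 7-byte key, i.e. the LM half produced by an
# empty 7-character block. Well-known constant, taken as given rather than computed.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def lm_facts(lm_hex: str) -> str:
    """What the LM hash gives away before any cracking happens."""
    lm = lm_hex.upper()
    if lm == EMPTY_LM_HALF * 2:
        return "no LM hash stored (NoLMHash in effect, password longer than 14 chars, or empty)"
    if lm[16:] == EMPTY_LM_HALF:
        return "LM hash stored; password is at most 7 characters (second half is empty)"
    return "LM hash stored; password is 8 to 14 characters"


def parse_pwdump(text: str) -> list:
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return accounts


def case_variants(word: str):
    """All 2^n letter-case permutations: turns an all-uppercase LM result into NT guesses."""
    pools = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,) for ch in word]
    return ("".join(p) for p in product(*pools))


def crack(accounts: list, wordlist: list) -> dict:
    """Hash every word, compare against every NT hash, then pivot through shared LM hashes:
    an account whose LM hash matches a cracked account's differs only in letter case."""
    table = {nt_hash(w): w for w in wordlist}
    found = {a["user"]: table[a["nt"]] for a in accounts if a["nt"] in table}
    lm_to_plain = {a["lm"]: found[a["user"]] for a in accounts
                   if a["user"] in found and a["lm"] != EMPTY_LM_HALF * 2}
    for a in accounts:
        if a["user"] in found or a["lm"] not in lm_to_plain:
            continue
        for cand in case_variants(lm_to_plain[a["lm"]]):   # at most 2^14 guesses for LM-able passwords
            if nt_hash(cand) == a["nt"]:
                found[a["user"]] = cand
                break
    return found


def audit(dump_text: str, wordlist: list) -> list:
    accounts = parse_pwdump(dump_text)
    found = crack(accounts, wordlist)
    return [(a["user"], lm_facts(a["lm"]), found.get(a["user"])) for a in accounts]


# Constructed sample. Administrator is the textbook pwdump line (password "password").
# svc_backup uses "PassWord": a different NT hash but the identical LM hash, because LM
# uppercases first. jdoe has NoLMHash applied, so only the empty-LM constant is stored.
SAMPLE_DUMP = f"""
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
svc_backup:1001:E52CAC67419A9A224A3B108F3FA6CB6D:{nt_hash("PassWord")}:::
jdoe:1002:{EMPTY_LM_HALF * 2}:{nt_hash("Correct Horse Battery")}:::
"""
WORDLIST = ["letmein", "password", "qwerty", "welcome"]

if __name__ == "__main__":
    for user, facts, pw in audit(SAMPLE_DUMP, WORDLIST):
        print(f"{user:14} {pw!r:12} {facts}")
```

Run as a script it prints one line per account. Administrator falls to the plain wordlist; svc_backup is not in the wordlist at all, yet is recovered with at most 256 extra guesses purely because its LM hash equals Administrator's. jdoe stays uncracked and its LM field shows why the NoLMHash / LMCompatibilityLevel articles above matter: with no LM copy there is nothing case-insensitive or 7-character-split to pivot from, and the attacker is back to guessing the full case-sensitive NT password.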