-
SAM password question
There is a SAM file in the c:\winnt\repair\ directory. Is this the same as the one in the config directory?
I've noticed the one in the config directory is being used by the system so you cannot read the contents, but this one is readable.
Can anyone shed light on why there are 2 SAMs?
-
If I'm not mistaken this is the backup of the SAM file, a read-only copy.
-
The SAM in the repair folder is not exactly a backup, nor is it RO; it is created when an ERD is created (or other various system recovery tools are used), consequently this repair file tends to be quite dated.
The other SAM actually contains the Hkey_Local_Machine\Sam registry hive.
catch
-
well then my quote below is quite true!
-
Hmmm... so if I extracted a password out of it, it could be a very old password that's been changed?
Is there any way to read the current SAM file?
-
There exist tools for extracting the SAM file, all of these require the privileges to do so (most likely Administrator).
Passwords extracted from the SAM repair file may or may not be dated, but as a rule they are.
Lastly, I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy).
catch
-
Well, it's on a remote machine, and it's not so much that I want to extract any passwords via the network; I just want to get a copy of the SAM on my local computer. I don't think it's possible. I was able to get the old one and extract the Administrator password, but it appears the password did not work, so I figure it is an outdated password.
-
Google "rdisk.exe /s". It was taken out after NT 4 and is now done via the repair disk wizard.
-Maestr0
-
Quote:
Originally posted here by catch
I don't know of any tools that will extract passwords from the SAM if LM passwords are disabled (as they should be in the security policy)
pwdump2 should still dump the NT hashes from the SAM (presumably the LM ones will not be there though). I haven't tried it though. But it does normally dump the NT hashes along with the LM ones.
There is a modified version of John which will attack the NT hashes instead of the LM ones.
The NT hash algorithm is better than the LM one; it is harder to attack. But dictionary attacks still work. It is more similar to how it works in Unix.
The LM ones I don't fully understand, but maybe it is case-insensitive and stores parts of the password so they can be cracked independently?
Slarty
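A defender-side audit for the two points raised in this thread (whether LM hash storage is disabled, and how stale and how readable the repair-directory SAM copy is), added here as an example and not code from any poster. It assumes Windows 2000 SP2 or later with PowerShell and administrator rights; the NoLMHash setting lives in a different place depending on version (a subkey on Windows 2000, a DWORD value on XP/2003 and later), so both forms are checked.

```powershell
# Added example, not from the thread. Audits the LM-hash policy and the
# %SystemRoot%\repair\sam snapshot discussed above.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# XP/2003 and later: NoLMHash is a REG_DWORD value under the Lsa key.
$noLmValue = (Get-ItemProperty -Path $lsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
# Windows 2000 SP2: the setting is the mere presence of a subkey named NoLMHash.
$noLmSubkey = Test-Path (Join-Path $lsaKey 'NoLMHash')

if ($noLmValue -eq 1 -or $noLmSubkey) {
    Write-Output 'NoLMHash is set: passwords changed from now on are stored as NT hashes only.'
    Write-Output 'Accounts that have not changed their password since it was set still have an LM hash.'
} else {
    Write-Output 'NoLMHash is not set: LM hashes are still stored for every account.'
    Write-Output 'Enable "Do not store LAN Manager hash value on next password change" and force password changes.'
}

# The repair copy of the SAM is a point-in-time snapshot written when an ERD is
# made (rdisk /s on NT 4, the repair disk wizard later), so report its age and
# who can read it. A readable, months-old copy is exactly the situation in the thread.
$repairSam = Join-Path $env:SystemRoot 'repair\sam'
if (Test-Path $repairSam) {
    $item    = Get-Item $repairSam
    $ageDays = [int]((Get-Date) - $item.LastWriteTime).TotalDays
    Write-Output ('repair\sam last written {0} ({1} days ago)' -f $item.LastWriteTime, $ageDays)

    # Anyone with Read on this file gets every hash as of the snapshot date.
    (Get-Acl $repairSam).Access |
        ForEach-Object { '{0,-40} {1}' -f $_.IdentityReference, $_.FileSystemRights } |
        Write-Output
} else {
    Write-Output 'No repair\sam copy present.'
}
```

Restricting the repair directory to Administrators and SYSTEM, and refreshing or removing the snapshot after password changes, closes the gap the thread describes.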