Hi people
If I have got a SAM file of a Windows 2000 NT system, and I wanna dehash it, tell me how to do it?
Hmm... that's a tough one.
Tell "sam" that you don't want his "hash". It's bad stuff. Never touch it...
Well, if you dehash the hash, is it still considered hash? Or does it become something else that is better or worse than hash?
nah, I think if you "dehash" the "hash" it just becomes "de"? dunno... you got me confused now...
Just say NO
Guys!!
See, what I did was this: ran the repair utility, which makes a backup of the SAM file as SAM._, right?? Otherwise SAM is not accessible, right???
Now what I want to do is unlock the info contained in that file... basically all passwords. Now
come on, someone gimme a clue as to how to unlock this treasure!
Here's all you're gonna get from me :D
To get hash from Sam, you gotta know Sid.
Sid keeps Sam's hash, gotta find Sid!
Sid is 2 User as User is 2 Sid.
Hope you don't get confused, because I know that I did.
Figure out my riddle, might take you a day.
Or quit wasting time and crack LSA
Now now,
576869746568617 dear, I have a few more questions
1. What is LSA? (I am a newbie)
2. What is SID? (I am a newbie)
... and I am a confused newbie.....
Thanks anyways
Well 576869746568617,
I did read what you said about SID and LSA, and searched like a maniac on Google... still empty-handed. Help needed!!!
(NO, I AM NOT GETTING INTO ANYTHING ILLEGAL)
By the definition of a hash, you cannot decrypt it. It's a one-way thing. The best (and often the only) way to "dehash" a hash is to brute force it.
Cheers,
cgkanchi
Use this link to find out more about these words:
Quote:
Originally posted here by Desolation_Jam
Now now,
576869746568617 dear, I have a few more questions
1. What is LSA? (I am a newbie)
2. What is SID? (I am a newbie)
... and I am a confused newbie.....
Thanks anyways
http://dictionary.reference.com/
Desolation_Jam,
There is a utility available for playing with SAM data. I have not used that one, but it is available on packetfactory.net.
So search for and download it yourself. :idea
Sheesh. Visit AtStake and buy their LC4 (formerly L0phtCrack). Or brute force the sucker as suggested earlier. You get into trouble, I don't wanna hear about it. It's your problem.
From Whatis.com Search on LSA and Whatis.com Search on SID:
Quote:
What is Local Security Authority?
This question posed on 28 June 2001
The Local Security Authority or LSA is a key component of the logon process in both Windows NT and Windows 2000. In Windows 2000, the LSA is responsible for validating users for both local and remote logons. The LSA also maintains the local security policy.
During the local (interactive) logon to a machine, a person enters their name and password in the logon dialog. This information is passed to the LSA, which then calls the appropriate authentication package. The password is sent in a nonreversible secret key format using a one-way hash function. The LSA then queries the SAM database for the user's account information. If the key provided matches the one in the SAM, the SAM returns the user's SID and the SIDs of any groups the user belongs to. The LSA then uses these SIDs to generate the security access token.
Quote:
What is the function of the SID?
This question posed on 15 July 2003
A security identifier (SID) is a unique security identification number assigned to security principals (objects that can be assigned access to objects in Windows). Users, groups and computers are assigned SIDs. This uniquely identifies the user, group or computer to the domain, or to the local computer if a local account is used. For example, when a user logs on, a collection of his SID and the SIDs of the groups of which he is a member is made. This list is used when he needs to access a resource -- say, a file. The file has a Discretionary Access List (DACL) that is composed of access control entries (ACEs) that include a SID and what permission that SID has on the file. The DACL is checked against the user's list, and a decision can be made whether or not to let him access the file.
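The two quoted definitions describe the same mechanism end to end: the LSA turns a successful logon into a token of SIDs, and a file's DACL is then walked against that token. The following is an added Python model of that check, not code from the thread or from Whatis.com; the SIDs, access masks and the sample DACL are constructed values, and the ordered deny/allow walk is a simplification of the real Windows access check.

```python
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

class Ace:
    """One access control entry: a SID, allow or deny, and an access mask."""
    def __init__(self, sid, allow, mask):
        self.sid, self.allow, self.mask = sid, allow, mask

def build_token(user_sid, group_sids):
    """LSA step: the user's own SID plus the SIDs of the groups he belongs to."""
    return frozenset([user_sid, *group_sids])

def access_check(token, dacl, requested):
    """Walk the DACL in order, as Windows does: a matching deny ACE on any
    still-outstanding right ends the check; allow ACEs remove rights until
    none remain. None (a null DACL) grants everything; [] grants nothing."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed local user SID
USERS_SID = "S-1-5-32-545"                  # well-known BUILTIN\Users
ADMINS_SID = "S-1-5-32-544"                 # well-known BUILTIN\Administrators

SAMPLE_DACL = [   # constructed file DACL: explicit deny first, then allows
    Ace(USER_SID, allow=False, mask=WRITE),
    Ace(USERS_SID, allow=True, mask=READ | WRITE),
    Ace(ADMINS_SID, allow=True, mask=READ | WRITE | EXECUTE),
]

def demo():
    """Non-admin user: read granted, write refused (deny wins), execute refused."""
    token = build_token(USER_SID, [USERS_SID])
    return {
        "read": access_check(token, SAMPLE_DACL, READ),
        "write": access_check(token, SAMPLE_DACL, WRITE),
        "execute": access_check(token, SAMPLE_DACL, EXECUTE),
        "null_dacl": access_check(token, None, EXECUTE),  # world-accessible
        "empty_dacl": access_check(token, [], READ),
    }
```

The null-DACL case is the one to watch for when auditing files such as a Repair-directory SAM backup: no ACEs at all means everyone gets every right.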
And I thought I stayed up late! :D
Quote:
posted Today 04:28 AM
What's your take on the first post, MsMittens? I mean, the SAM is on a floppy, exported from a "friend's computer"... don't you have to have Admin rights to do that?
So there are three possibilities, IMHO:
1.) Friend trusts Desolation Jam enough to export SAM to disk for whatever reason (which is kind of fishy to me, because I don't trust anyone that much). In any event, if the friend trusts Desolation Jam that much, why doesn't Desolation Jam know the Admin User Name and Password?
2.) Desolation Jam exported the SAM from the "friend's computer", which means Desolation already knows the Admin Username and Password.
3.) Desolation Jam stole someone else's ERD and is trying to crack the SAM to get access to the system.
I just don't feel obliged to help out on this any more than I already have, but I could be wrong, so here's a link for you to check out:
www.foundstone.com. Check out the tools section. Try using user2sid and sid2user, in conjunction with l0phtcrack (LC4) and possibly enum, depending on how you want to go about it. That's all you'll get from me. If you need any more info, buy the damn book!
Hey 576869746568617, your avatar looks like Yoshimitsu.
You do not need the password to export the SAM. Last time I checked, you could not touch SAM in NT unless you used DLL injection. All you have to do is boot into DOS, or some other OS that can touch the NT partition, and then export it.
Quote:
2.) Desolation Jam exported the SAM from the "friend's computer", which means Desolation already knows the Admin Username and Password.
3.) Desolation Jam stole someone else's ERD and is trying to crack the SAM to get access to the system.
It cannot be number three because he is too stupid to perpetrate number two, and probably does not understand number one. I think he actually wants to crack the password on his own computer that his parents control (only let him on when they want, etc...).
-Cheers-
[Edit]
PS: I r00ted the computer my parents had control of when I thought I was 733t. Lol. I used the method I just said.[/Edit]
I was talking about exporting it on an ERD, which would require Administrator, or at the very least, Backup, Account, or Server Operator privileges.
Dll injection would work too (and work very well), but if Desolation Jam can't figure out how to do #1,2, or 3, probably won't have a clue how to do that either. That would be the easiest way to do it. Of course, I don't know how dll injection would help crack a SAM that is on floppy and not in use.
:cool: I used to think I was 733t cause I could do that too. Boy was I off it!
Lol. I am just talking about retrieving it. Interesting stuff. Basically DLL injection would allow you to stop the process (the one that, while it is running, keeps the SAM from being opened), then inject your own DLL (or EXE, I think...), allowing you to C/P the SAM file, then resume the process. I know that is not very technical, but I only read a brief paper on it.
-Cheers-
Actually, if the admin did rdisk /s (I think that's the command... bear with me cuz I'm getting old and, as we know, memory is the 2nd thing to go), it copies the SAM to the Repair directory, which, last time I checked, by default was "Everyone have access". Yay MS.
MsMittens rolls her eyes
The other way of getting the same is from backup tapes or booting with a DOS disk using NTFSDos. Kind of a nifty old trick. :p
And naw... I just get up early... I didn't have to today but wanted to do a ride. :D
Didn't think about that, MsMittens, sure could use rdisk. Gotta love MS and their love of anonymous access!
See people,
I am fiddling around with my own comp, just wanted to know if the passwords can be recovered.
Since it's my own comp, I did the rdisk, got the SAM file.
Enough of accusations.
And for your info --> I don't like keeping friends.
If syskey is enabled (Windows 2000 + ?) then the hashes are also encrypted in the SAM and cannot normally be read. There are several ways around this.
- Use the running Windows to decrypt the hashes itself - use pwdump2 as localsystem or admin to dump them
- Copy the SAM file into another (non-running) copy of the same version of Windows, boot it, and run pwdump2 on that
- Ask M$ what the encryption algorithm is and where the syskey is stored (not likely to work). It is widely believed that it's in the registry somewhere (although perhaps not in the SAM).
---
Getting admin or localsystem access without changing the existing administrator password is not too difficult - in practice it's usually just a matter of using an offline registry editor (Google for those three words) to change the default screensaver to cmd.exe. Then you get a localsystem shell which can run pwdump2 with no problem.
Changing the admin password is also a no-brainer, although of course that changes the hash for the administrator's password in SAM. The other accounts can then be dumped of course.
Slarty
Of course, if the guy's worth anything, he also changed the name of the admin account. That's OK though, because it's still easy to find the admin account using the method slarty mentioned to obtain a local system command prompt.