The SAM exploit

Printable View

December 5th, 2004, 05:15 AM
PacketThirst

The SAM exploit

Hey folks ! ..

I've been playin around with my SAM for quite sometime now. I found this trouble with SAM (iv'e tried it only on my box running XP pro). If you cracked the SAM file of a particular box
(which you can obtain by booting into the command prompt or by using a live disk or just
simply running an another OS ) , You could have a lifelong access to the box. I've often heard security pro's telling to change the windows password frequently so that even if someone did get the SAM file and cracked it using tools like LOphtCrack, he wouldn't be able to access it because the password was changed. My technique involves replacing the existing SAM file with the cracked one in ths same way the SAM file was taken. I haven't tried using the cracked SAM in different boxes ( not sure if it would work ). So whats your opinion ???. Any methods to stop this ??.
December 5th, 2004, 05:29 AM
Striek

My opinion?

If you can replace the SAM file, you therefore already have administrator level access to the box and can get whatever you require off of it. You therefore do not need to replace the SAM file to access this box in the future, unless you need to show off your newly gained r00t access with a fancy Windows GUI. It would also require physical access to the box, which is not always an option.

It might, and probably will, break a bunch of random things as well, like changing the password for user accounts used by the kernel or things like VB or SQL.

If one already has administrator access to the box, why potentially break things to get "more" administrator access?
December 5th, 2004, 05:35 AM
PacketThirst

Thats not my point. A person who has plain physical access to the box can take the SAM and crack it. Even if the cracking takes weeks or even months, he could come back later and access the system as root !. So..even if the administrator did find about this, his changing the
password would not stop the attacker. By the way you don't need to be root to access the SAM and replace it!!. Try it !
December 5th, 2004, 05:57 AM
PacketThirst

Quote:

If you can replace the SAM file, you therefore already have administrator level access to the box and can get whatever you require off of it. You therefore do not need to replace the SAM file to access this box in the future, unless you need to show off your newly gained r00t access with a fancy Windows GUI

Don't tell me getting files is not the only thing you can do as root !. There are a lot of stuffs which can only be done in that "fancy Windows Gui".
December 5th, 2004, 06:08 AM
Striek

True, some things need the GUI. I tend to look at things from a forensics point of view; if you can get any file you need from a system, why put yourself thorugh more trouble? But it's not up to me to tell you whether what you want to do is useful to you or not, so I will answer your question a little better.

You could replace the SAM with one containing additional accounts with administrator access, which the user likely wouldn't know about, and then if the administrator password were changed, you'd still have those extra accounts to fall back on, even if you no longer knew the administrator password. That would give you lifelong access to the box. This would require some serious cryptanalysis though (like you said, weeks or months, if you're lucky)

This could be prevented, or at least detected, with an IDS such as TripWire, which monitors the MD5 sums (or sha sums, or whatever), of a list of critical files and alerts you if they are changed. You can then replace them with a known good backup.

Totally preventing it it would be a lot more difficult, but it could be done perhaps by encrypting the entire hard drive in some sort of loopback system so an attacker wouldn't even recognize the SAM file if he/she were sitting on it. There are quite a few commercial programs which can do this. I believe some readily available hard drives have encryption capabilities which could do this too.
December 5th, 2004, 06:18 AM
PacketThirst

Yeah ... why don't these OS companies hide these password files themselves. I don't know much about filesystems but, ext3 cannot be accessed by windows. Similarly can't you just use a very different file system or something for storing the passwords which can be only accessed when the computer reaches the LOGIN screen ?? ( dumb ?? hehe... I'm feeling strange today).

Packet Thirst
December 5th, 2004, 06:43 AM
Striek

You could... until somebody writes a module to read it. Windows can't read ext3 filesystems because they won't spend the money necessary to develop the support for it, not because ext3 filesystems are more secure.

There ain't no such thing as a filesystem which can't be accessed except by the native OS. All it takes is someone to write the support to read it. This is why passwords are encrypted rather than hidden.

You can't rely on nobody finding a password file. The sole strength of a password system lies in the strength of the encryption used.

If an OS can read the password file at the login screen, then somebody has written the support to read it, which means somebody else can too.

Passwords don't really do much once somebody has physical access to a system anyway. Their real strength is in limiting server access.

Bottom line: if somebody found a way to hide the password file, somebody else would find a way to unhide it. So there better be some pretty good encryption used in it.
December 5th, 2004, 10:43 PM
HTRegz

Quote:

Originally posted here by PacketThirst
Yeah ... why don't these OS companies hide these password files themselves. I don't know much about filesystems but, ext3 cannot be accessed by windows. Similarly can't you just use a very different file system or something for storing the passwords which can be only accessed when the computer reaches the LOGIN screen ?? ( dumb ?? hehe... I'm feeling strange today).

Packet Thirst

Hey Hey,

I just wanted to point out that you can access ext3 from Windows.... It's not an overly difficult process.. just requires the software.... check out Explore2fs.

As far as playing with the SAM file to backdoor it.... As Striek said if you can get physical access then you'd take why you need then.. why risk going back a second time to dump your backdoored SAM file... if someone really wanted access again, they'd obtain it the same way they did the first time, or they'd drop a root kit (which does exist for Win32) and use it next time. You'd also need to figure out the syskey and make the systems think they were the same. To do this you'd prolly require dumping a ghost image...

Get physical access and dump an image to an FTP somewhere
Ghost that image onto another machine
Dump the SAM file and decrypt the passwords
Log in as Admin
Add another account
Dump the SAM file again
Load that SAM File onto the original machine.

Anyways.... that's my take on it...

Peace,
HT
December 6th, 2004, 03:25 AM
PacketThirst

Quote:

As Striek said if you can get physical access then you'd take why you need then.. why risk going back a second time to dump your backdoored SAM file... if someone really wanted access again, they'd obtain it the same way they did the first time

You can't just have complete access to the box with just physical access, can you ?.
All you need to get the SAM file (as i've earlier said) is just a live cd or something like that. Without any kind of privileges you could get the SAM file. Get the SAM file, Crack it. Some back
later (maybe after a few months :D ) and assuming the administrator didn't change his OS, you
could be root and do all sort of stuffs!. You've seen the movie THE FUGITIVE, haven't you ?.
December 6th, 2004, 03:34 AM
Striek

Quote:

You can't just have complete access to the box with just physical access, can you ?

Yes. you can. Boot from a floppy or a cd using some OS with ntfs read support. You can now take anything you want off that box.
December 6th, 2004, 04:27 AM
AxessTerminated

You won't have access to EFS files....that's a problem, especially if the whole drive is EFS. But yea, this method does work rather well for editing system settings, creating a new admin account for yourself, or just retrieving info. Also, make sure you have SP2 installed, cuz it may have some sort of time check on the file...I'm not sure, as I haven't done it in a while. If you do have SP2, then email M$, because though it is common sense, it's obviously been overlooked, and the file should be modified somehow everytime you shutdown the box, so the time stamp is set....and somewhere it stores that...but it's only a matter of time until someone finds out how to crack the file with the timestamp..

A_T
December 6th, 2004, 06:52 PM
wildred

So what about a BIOS password, or better some sort of biometrics scanner (finger print) etc.
Something that stops the user prior to loading windows/dos.
December 6th, 2004, 07:08 PM
spazzmatrix

Bios passwords are junk. They can be reset by a jumper on the board. If they jumper does not exist (unlikely) the battery can be removed and replaced and the password will be gone.

Secondly If you have physical access to the box there is no need to crack anything at all. Tools to read/write any file/os can be loaded onto a live cd of linux.

Biometric scanners are only good if they are plugged in and the OS loads, again using a live cd or command prompt would not load the software for the biometric scanner.
December 7th, 2004, 07:00 AM
wildred

See, now on my pc i have a lock on it so you cant get access to the machine. In addition, I have a cylinder lock for the keyboard as well....maybe I am paranoid...
Best security....a handgun....catch the lil booger and hes gone.
December 8th, 2004, 07:44 PM
PacketThirst

Its true that doing these things would not stop someone from gaining full control of your box.
But shouldn't we make it harder task for them to accomplish?. Anyway there's nothing called "Absolute Security" in networking. Its our job to try our best to keep our systems as secure as possible.
December 8th, 2004, 08:02 PM
thehorse13

Save yourself the trouble of trying to place a SAM dump from one box to another. Just look up SID and RID and that should explain why. For those who are lazy, these unique IDs are generated on every account and populated through NTFS and surely will not work on other hosts. This is why you see the warnings in Windows about removing an account and then creating the same account name again. Although the name of the account is the same, the SID has changed and thus, the permissions wont apply.

If you want to see a windows box choke, go ahead and go through the motions.

--TH13
December 8th, 2004, 08:09 PM
djscribble

to add on to the last post, only windows xp (iirc) checks for SID signing of the SAM. windows 2k will let you just replace it. NOW, if you use something that generates a new SID for the machine AND will open the registry hives (so that everything is changed) after you replace the SAM, then ALL THEIR BASE ARE BELONG TO YOU
December 8th, 2004, 08:38 PM
thehorse13

Quote:

to add on to the last post, only windows xp (iirc) checks for SID signing of the SAM.

Yep. He mentioned XP specifically which is why I mentioned this.

Quote:

NOW, if you use something that generates a new SID for the machine AND will open the registry hives (so that everything is changed) after you replace the SAM, then ALL THEIR BASE ARE BELONG TO YOU

True, like the chntpw app, which pwn3s the SAM.