sam/lc5 question

Printable View

April 1st, 2005, 06:44 AM
dark5yntax

sam/lc5 question

Hi, here is my question. I made a copy of my desktop pc's sam file. I then moved it over to my laptop. I made a new text document and put my password into it. When i ran a dictionary attack against my sam file, nothing happened. It isn't cracking the hashes. Also, when i run LC5 and audit my laptop passwords, it will show more info then just the account name, but with the file I get only the account names. I also tried to use Cain and Able with the file which has the password in it but I have had no sucess. Has anyone tried this before and what am I doing wrong?

Thanks

~ |)ARK$YNTA>< ~
April 1st, 2005, 09:26 AM
ghostmachine

Re: sam/lc5 question

Quote:

Originally posted here by dark5yntax
Hi, here is my question. I made a copy of my desktop pc's sam file. I then moved it over to my laptop. I made a new text document and put my password into it. When i ran a dictionary attack against my sam file, nothing happened. It isn't cracking the hashes. Also, when i run LC5 and audit my laptop passwords, it will show more info then just the account name, but with the file I get only the account names. I also tried to use Cain and Able with the file which has the password in it but I have had no sucess. Has anyone tried this before and what am I doing wrong?

Thanks

~ |)ARK$YNTA>< ~

how did you make the copy of the SAM on your desktop?
April 1st, 2005, 03:03 PM
dark5yntax

Re: Re: sam/lc5 question

Quote:

Originally posted here by ghostmachine
how did you make the copy of the SAM on your desktop?

I used knoppix and copied it to an sd card in my card reader via usb.
Then I just moved it over to my desktop on my other comp.
April 1st, 2005, 03:12 PM
Irongeek

you have to undo Syskey on the SAM first. See:

http://www.irongeek.com/i.php?page=s.../localsamcrack
http://www.antionline.com/showthread...ghlight=syskey
April 2nd, 2005, 04:34 AM
dark5yntax

k one more question

your referance was awsome. It helped me understand syskey and sam files a lot better. But another question I have is when I first imported the dump into cain it said for the admin password it was ???????S and after brute forcing for awhile I now have WE3KING???????. Does the question marks actually represent how many characters are left and if so is there any way I can lock in the first 7 which it already gave me and just work on the last ones? Again thank you for your help.

-= |)ark$ynta>< =-
April 2nd, 2005, 05:07 AM
Irongeek

Basically it means that you are cracking the older LAN Manager hashes where the password is all uppercase and split into two 7 byte sections. I copied this from a Microsoft site, it may help explain:

Quote:

The LAN Manager (LM) Hash
The LM hash is technically speaking not a hash at all. It is computed as follows:
1. Convert all lowercase characters in the password to uppercase
2. Pad the password with NULL characters until it is exactly 14 characters long
3. Split the password into two 7 character chunks
4. Use each chunk separately as a DES key to encrypt a specific string
5. Concatenate the two cipher texts into a 128-bit string and store the result

What L0phtcrack or Cain is telling you is that it has cracked one 7 byte section of the password already. (there may be a better way to say that, someone else pipe in)
April 2nd, 2005, 05:41 AM
dark5yntax

so is there anyway to have either LC5 or cain crack the second have since I already have the first? Im a little new at this so how would u go about finishing it?

and thanks for your quick responses I do appreciate it.
April 2nd, 2005, 03:05 PM
Irongeek

Just let it keep running the brute force crack, it just happened to find one 7 character string before the other.
April 2nd, 2005, 11:40 PM
dark5yntax

ok so then your saying it is two seperate strings of 7characters each. Right?
Also I'm up to 8 characters now so should i start over at 6 so I fully go through seven?
Thanks again.
April 3rd, 2005, 12:03 AM
Irongeek

I'm not sure what you mean.
April 3rd, 2005, 12:11 AM
dark5yntax

ok im sorry I'll try again. when i right click in cain and select the admin account to brute force is says 2 hashes loaded for that one password. which corresponds with you saying that there are two 7 character parts to it. My question was I am already bruteforcing in the 8 range XXXXXXXX. But since it is two sevens should I stop it and change the min and max characters both to seven because once I got the first seven I stopped it and moved it up to 8. I was thinking to crack the whole password since there are apparently 14 character i need to move it up to 14. But if it is two differant hashes I should put it back down to seven right? And also what if it is only 8 or 9 character. I'm sorry if this isn't making sense Im just a little confused.
April 3rd, 2005, 03:19 AM
Irongeek

I'm no expert on L0phtcrack, but I would think if you have the LM hashes the longest string you wouldever want to brute with is 7. What character set are you using?
April 3rd, 2005, 05:27 AM
dark5yntax

I'm using all leters and numbers but that is it. the first part contained only letters and numbers and im assuming so does the second but i brute forced from 1 character up to 7 again and i stillhave 7 question marks. what would happen if they are null. just place holders. would it still have question marks?
April 3rd, 2005, 05:44 AM
dark5yntax

k so the first half was we3king
and the second half was s
so the full password was we3kings
how come the bruteforce didnt pick it up
when I bruteforced the second half even with
the letter s?

One more thing in the pwdump file i have there is a domain and hashes for that as well.
what exactly is that? another password?

~ |)ark$ynta>< ~
April 3rd, 2005, 01:06 PM
Irongeek

Sorry, I don't know.
April 4th, 2005, 02:12 AM
dark5yntax

Alright if I find anything useful out I'll let everyone know.