Thread: Windows NT SAM Attack

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Windows NT SAM Attack

    Now... all of us know that a lot of networks today use NT as their choice of OS, especially in schools. Though some may use Novell, that is not much of a problem coz I will show you how to hack into Novell's network in the other tutorial.

    I have tried this on Windows NT 4.0 and Windows 2000 Professional (which is also Windows NT 5.0).
    I'm not sure if this will work with Windows 2000 Advanced Server and Datacenter, but they should be the same since they are both made from NT technology.

    Now, a network has a server, also called the PDC (Primary Domain Controller). The PDC does the authentication of login names and passwords. The PDC does that through a file called SAM. SAM is a file that holds login names and passwords.

    What the server does is that it creates a SAM file, which is created by the Admin, then sends a copy to the BDC (Backup Domain Controller) if there is one... and a copy to the workstation so the users can log in locally to the workstation.

    This also means that the workstation has a SAM file in it that is the exact copy of the SAM on the server... So our objective will be retrieving that SAM file.

    If you look at the C:\Winnt\repair\ folder or directory, you will find the SAM file there. But wait, you can't open it or copy it to a disk. Why? Because the OS is using it. When you log in to the workstation, the OS (operating system, which in this case is Windows NT) uses both SAM files, from the server and the workstation, to make sure that your login name and password are real.

    So how can we get the SAM file?

    Easy, we just have to copy it OUTSIDE Windows. Which means you need to create the boot disk and make sure that the workstation boots from a floppy.

    Where can I get the Boot Disk?

    Go to www.bootdisk.com and download it there. The boot disk will use 3 floppy disks since it is huge.


    So then the boot disk is created. Now put in your Boot Disk #1 and restart the computer. Then you will see it booting up by itself. Then it's gonna ask you for Disk 2, then finally Disk 3.

    When you find your way to the A: prompt, go to the "repair" directory/folder that I just showed you, where you can see the SAM file, and copy it to your floppy...

    Now you have the SAM file!!! But... what do I use to open it? The SAM file, for security purposes, is encrypted. So you hafta download a crack or a DUMP for it.

    Go to http://l0pht.com and download SAM DUMP.

    When you are done with the downloading, use the DUMP and BINGO! Login names and passwords galore!


    But what if the computer doesn't boot from floppy?

    Simple, go to the CMOS setup and set the computer to boot first from floppy, then the HDD.

    But what if the CMOS setup is password protected? Simple, go to Astalavista.box.sk and search for CmosPwd by Christophe GRENIER, and read the instructions on how to kill the CMOS setup password.

    And that concludes our tutorial for WinNT.

    Source:
    Hackers Inc & BSRF

  2. #2
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    now.. u network admin d00ds might want to know how to stop this from happening..

    well simple.. do what i did.. set up a password on the CMOS setup and don't let the box boot from floppy...

    surely they can crack the CMOS password.. but it would give u enuff time to catch the criminal...

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    The PDC does not transfer the entire security accounts database to the local machine on login. If you're talking about taking it directly off a PDC, then the admin should know better than to allow you physical access to the box. FYI, this will not work in a native mode Windows 2000 domain; it has no SAM (it uses several files that rely on each other, and has 128-bit encryption compared to the SAM's 64-bit).

    Also, if you can log into the machine anyway, there are plenty of tools that will conduct an open-file copy of the SAM, without resorting to boot disks and the like. Killing the password in the CMOS is as easy as pulling the battery off the motherboard.

  4. #4
    Sorry sonic, but I agree with shkuey.... you are wrong. The SAM you can get on a workstation is the workstation SAM.... that means it contains local groups, users and hashed passwords. Don't hope to get the domain SAM like this!

    I've already encountered a method to get the domain SAM: sniffing SMB authentication packets until you run into an admin login. Then you can access the domain SAM directly.

    To prevent this problem, fixes:

    1) On the local workstation, increase SAM encryption with a tool named syskey, which has shipped since NT4 SP3 and is activated by default on NT2000 (I think so). Use strong passwords with letters and names and special characters.

    2) On the sniffing problem, modify the registry with a free tool called 'NT Security Wizard' to disable "LM authentication on LAN", because the password cryptography is lame for that protocol and that is how it is sniffed.

    Hope it helps !

    -hantiz

    PS: forget about the 3 floppies, NTFS for DOS is enough.
    Linoux is the bomb, baby!

  5. #5
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    i agree with you guys but then the SAM file on the workstation could also contain the login name and password of the admin, since the admin would log in first locally to do the settings of the workstation to add it to the domain..

    i wasn't referring to the actual SAM file in the PDC...
    and a lil correction to that tut.. the PDC only sends a copy of its SAM to the BDC, not the workstations.. sorry my bad.. i didn't notice the mistakes in that tut..

    and yeah.. i'm not sure if it does work on 2000 coz i never tried it on 2000... and i did see a SAM file in the 2000 repair folder but i'm not sure if it works the same as NT4.

  6. #6
    I tried it, man! I tried it to see what it does and:

    1) You can get the SAM on NT2000 like on NT4, through the registry or by directly dumping the SAM file in repair or config.

    You can see these accounts with password hashes, but L0phtCrack will not be able to recover them.

    For that you need a utility called pwdump2 which will be able to read the SYSKEY-protected hashes (and I confirm this super encryption is activated by default on NT2000). Then you get a list of passwords that L0phtCrack can process and recover. I tested it with L0phtCrack 2.52 and it worked.

    As an admin, I have still not found how to counter that.

    2) Concerning the look for "cached passwords" from domain users/admins that log on to this workstation, I've heard rumors that there is a way to get them (they seem to be stored in the local cached profiles). If anyone has news concerning this, I would be happy to check that.

    - hantiz.
    Linoux is the bomb, baby!

  7. #7
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    well as i learned from Med School.. the best way to counter it is to prevent it..

    well i haven't tried using L0phtCrack.. but i did suggest downloading a file called SAM DUMP.. that would be the proggy that would decrypt the SAM file..

    and to prevent it from happening.. as i said.. don't let your w/s boot from floppy and assign a password for the CMOS setup.. surely they can crack the CMOS password but hey.. that would give you enuff time to see from your Admin office window who da heck is accessing the CMOS setup..

  8. #8
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    haha and by the way, thanks for the corrections

    i admire it when a woman challenges me.. hahah.. *just joking* hehe....

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Originally posted by hantiz
    as an admin, I have still not found how to counter that
    Move the domain over to native mode (it is mixed mode by default); it removes all backward compatibility with NT 4 domains, and thus no longer uses a SAM for domain accounts. It does not keep user information in a single file (depending on your network, it may not even all be on one computer), and has stronger encryption. Workstations will maintain a local account database, in the systemroot\system32\config folder, but caching domain accounts there is turned off after a standard install (except on laptops).

    I've found that there is really no way to keep a computer secure if somebody has physical access to it, but you can keep them from getting into the network with it (usually).

  10. #10
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Another precaution for an admin:

    Make your passwords very strong:
    use 8 characters or more, upper and lower case, numbers, symbols, no words or logical things.

    After you have done that:
    Dump the SAM file -> you now have the hashes ->
    check with L0phtCrack 3.x how much time it takes on a fast computer to crack them -> set the time that users have to replace their passwords to that time or less -> your passwords get replaced before they could be cracked.

    And of course disable unused accounts; they could be a vulnerability.
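The rotation rule in the post above (set the maximum password age to less than the measured crack time) can be turned into a planning calculation, and the earlier remark in this thread that LM authentication is the weak spot can be made concrete by comparing the LM and NT hash formats for one password policy. The Python below is an added example and is not code from anyone in this thread; the hash rate `ASSUMED_HASH_RATE` is a constructed assumption, not a benchmark, and the character-class sizes are ordinary printable-ASCII counts. Substitute the rate you measure yourself.

```python
"""Password-rotation planning from estimated crack time (added example).

The LM hash upper-cases the password, pads or truncates it to 14 characters
and hashes each 7-character half separately, so the two halves can be
searched independently. The NT hash covers the whole password with case
preserved. Everything below follows from those two facts.
"""
import math

# Size of each printable-ASCII character class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Constructed assumption: candidate hashes an attacker can test per second.
# Replace with your own measurement; the thread suggests timing L0phtCrack.
ASSUMED_HASH_RATE = 1e10

SECONDS_PER_DAY = 86_400


def alphabet_size(classes):
    """Number of distinct characters a policy allows."""
    return sum(CLASS_SIZES[c] for c in set(classes))


def nt_keyspace(length, classes):
    """Candidates an exhaustive search must cover for the NT hash:
    one unit, case preserved."""
    return alphabet_size(classes) ** length


def lm_keyspace(length, classes):
    """Candidates for the LM hash: the SUM of two 7-character searches,
    with 'lower' folded into 'upper'. Passwords of 7 or fewer characters
    leave the second half as a constant, so only the first half counts."""
    folded = set(classes)
    if "lower" in folded:
        folded.discard("lower")
        folded.add("upper")
    n = alphabet_size(folded)
    first_half = min(length, 7)
    second_half = min(max(length - 7, 0), 7)
    total = n ** first_half
    if second_half:
        total += n ** second_half
    return total


def expected_crack_seconds(keyspace, hashes_per_second=ASSUMED_HASH_RATE):
    """Average time to reach the right candidate: half the keyspace."""
    return keyspace / 2 / hashes_per_second


def max_password_age_days(keyspace, hashes_per_second=ASSUMED_HASH_RATE,
                          safety_factor=2.0):
    """Rotate before an attacker who dumped the hashes could finish the
    whole search. The safety factor leaves margin for faster hardware;
    the result never drops below one day."""
    worst_case_seconds = keyspace / hashes_per_second
    return max(1, math.floor(worst_case_seconds / safety_factor / SECONDS_PER_DAY))


def policy_report(length, classes, hashes_per_second=ASSUMED_HASH_RATE):
    """Summarise one policy under both hash formats."""
    nt = nt_keyspace(length, classes)
    lm = lm_keyspace(length, classes)
    return {
        "length": length,
        "alphabet": alphabet_size(classes),
        "nt_keyspace": nt,
        "lm_keyspace": lm,
        "nt_crack_seconds": expected_crack_seconds(nt, hashes_per_second),
        "lm_crack_seconds": expected_crack_seconds(lm, hashes_per_second),
        "nt_max_age_days": max_password_age_days(nt, hashes_per_second),
        "lm_max_age_days": max_password_age_days(lm, hashes_per_second),
    }


if __name__ == "__main__":
    all_classes = ["lower", "upper", "digit", "symbol"]
    for length in (8, 12):
        r = policy_report(length, all_classes)
        print(f"{length}-char password, {r['alphabet']}-char alphabet, "
              f"{ASSUMED_HASH_RATE:.0e} hashes/s (assumed):")
        print(f"  NT hash: {r['nt_crack_seconds']:.3g} s average, "
              f"rotate every {r['nt_max_age_days']} days")
        print(f"  LM hash: {r['lm_crack_seconds']:.3g} s average, "
              f"rotate every {r['lm_max_age_days']} days")
```

Two things fall out of running it. First, for the same 8-character, four-class policy the LM keyspace is about a thousand times smaller than the NT one, because case folding shrinks the alphabet and the 7+1 split turns a product into a sum; that is the arithmetic behind disabling LM authentication and LM hash storage rather than relying on password rules alone. Second, the rotation interval scales with whatever hash rate you plug in, so the measurement step in the post is the part that matters: the number printed for 8 characters is only as good as the assumed rate, while 12 characters puts the NT search out of reach at any plausible rate.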
