Thread: SAM password question

  1. #11
    Banned
    Join Date
    May 2003
    Posts
    1,004
    *revision*

    When I said extract the passwords, I meant the final passwords; there are many tools that will pull the hashes.

    Yes, a dictionary attack will work, but a system established according to the MS/NSA guidelines, using 8+ chars and password complexity, will from my experience take too long to be useful. NTLMv2 is pretty decent; I have not even read of a successful crack against a system following standard guidelines.

  2. #12
    Junior Member
    Join Date
    Jul 2003
    Posts
    17

    I believe that if you syskeyed your system, programs like pwdump & l0pht will dump the SAM and the hashes, even from a remote machine, but they will not be able to crack it (the new version of l0pht, I think, can, but I'm not at work to play with it), so if you used syskey as you should, you might not be able to recover. And yes, you do need root priv. on a box to dump the SAM remotely.
    "If we knew what we were doing.............. it wouldn't be called research." Albert Einstein

  3. #13
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by slarty:
        pwdump2 should still dump the NT hashes from the SAM (presumably the LM ones will not be there though). I haven't tried it though. But it does dump the NT hashes normally along with the LM ones.
        AFAIK you still need admin privs to be able to do that.

    Originally posted here by slarty:
        The LM ones I don't fully understand, but maybe it is case insensitive and stores parts of the password so they can be cracked independently?
    LM passwords use only ASCII and are always converted to uppercase. After that it will fill the password with nulls if it's shorter than 14 characters. This 14-character password gets split up into two 7-character pieces. These pieces are used as a key in a 56-bit DES encryption, resulting in two pieces of DES ciphertext. These are concatenated and stored in the SAM.

    In contrast, the NTLMv2 passwords are Unicode and use MD5, making it a lot more difficult to brute-force.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
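
The LM construction the post above describes, as an added example that is not code from the thread: uppercase, NUL-pad to 14 bytes, split into two 7-byte halves, turn each half into a 56-bit DES key. It assumes Python 3; the DES step itself uses pycryptodome if it is installed and is skipped otherwise, and the fixed 8-byte plaintext "KGS!@#$%" that each half encrypts is part of the LM algorithm but is not mentioned in the post. The structural steps are what make the two halves crackable independently, and those run on plain Python.

```python
# Added example, not code from the thread: the LM hash construction
# described in the post above. Assumes Python 3; the DES step needs
# pycryptodome (pip install pycryptodome) and is skipped when absent.

# LM encrypts this fixed 8-byte string with each half as the key. It is
# part of the algorithm, not a secret, and not mentioned in the post.
LM_MAGIC = b"KGS!@#$%"

try:
    from Crypto.Cipher import DES  # pycryptodome; optional
except ImportError:
    DES = None


def lm_halves(password):
    """Uppercase, encode as single-byte ASCII, NUL-pad to 14, split 7/7.

    Longer passwords cannot be represented in an LM hash at all, so they
    are rejected here rather than silently truncated.
    """
    if len(password) > 14:
        raise ValueError("LM hash cannot represent more than 14 characters")
    data = password.upper().encode("ascii").ljust(14, b"\x00")
    return data[:7], data[7:]


def des_key_from_7(half):
    """Spread 56 key bits over 8 bytes, one parity bit (odd, LSB) per byte.

    DES ignores the parity bit, so the 56 password bits are the whole key:
    each half of an LM hash is an independent 56-bit DES problem, and the
    effective keyspace is far smaller still because only uppercase
    printable characters ever occur.
    """
    if len(half) != 7:
        raise ValueError("need exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1  # set parity bit so the byte has odd parity
        out.append(byte)
    return bytes(out)


def lm_hash(password):
    """Full 16-byte LM hash, or None when no DES implementation is available."""
    if DES is None:
        return None
    digest = b""
    for half in lm_halves(password):
        cipher = DES.new(des_key_from_7(half), DES.MODE_ECB)
        digest += cipher.encrypt(LM_MAGIC)
    return digest


def shares_first_half(pw_a, pw_b):
    """True when two passwords yield the same first DES key, hence the same
    first 8 hash bytes: a cracker that recovers one has recovered both."""
    return lm_halves(pw_a)[0] == lm_halves(pw_b)[0]


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for pw in ("password", "Passw0rd!", "correct horse"):
        a, b = lm_halves(pw)
        print(f"{pw!r:16} halves={a!r} {b!r}")
        h = lm_hash(pw)
        print("  LM hash:", h.hex().upper() if h else "(install pycryptodome)")
    print("password / passwordx share first half:",
          shares_first_half("password", "passwordx"))
```

Two consequences fall straight out of `lm_halves`: any password of seven characters or fewer has an all-NUL second half, so every such account shares the same second 8 hash bytes, and a password longer than seven characters leaks its first seven independently of the rest.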

  4. #14
    Junior Member
    Join Date
    Sep 2003
    Posts
    5
    I think there is a way to gain admin access with ntfsdos pro and chtdisk, and then use pwdump2 and L0pht.

    But ntfsdos isn't working on my computer, so I can't help you a lot.

    If you want exact detail:

    1. Boot with an MS-DOS boot disk, run ntfsdos pro and mount the partition
    2. Copy the SAM to disk (for backup)
    3. Use the NT password recovery tool to reset the password
    4. Extract the passwords with pwdump2 and save the output to disk
    5. Replace the new SAM with the old backup SAM
    6. Wait on your supercomputer to crack the pw file with L0pht

    And you have the admin password!

  5. #15
    Senior Member br_fusion
    Join Date
    Apr 2002
    Posts
    167
    What franklinchef said doesn't work anymore. For Windows 2000/XP, "syskey.exe" is automatically turned on. So even if you boot with NTFSPRO and extract the SAM, it will be useless, even with the newest LC4. I found the only sure way to recover the SAM is to use a Linux boot disk.

  6. #16
    Junior Member
    Join Date
    Sep 2003
    Posts
    5
    NT password recovery
    works with syskey (no need to turn it off, but you can if you have lost the key).
    And btw, this is a Linux boot disk...
