
Thread: The SAM exploit

  1. #11
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    350
    You won't have access to EFS files... that's a problem, especially if the whole drive is EFS. But yeah, this method does work rather well for editing system settings, creating a new admin account for yourself, or just retrieving info. Also, make sure you have SP2 installed, because it may have some sort of time check on the file... I'm not sure, as I haven't done it in a while. If you do have SP2, then email M$, because though it is common sense, it's obviously been overlooked, and the file should be modified somehow every time you shut down the box, so the timestamp is set... and somewhere it stores that... but it's only a matter of time until someone finds out how to crack the file with the timestamp.

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.

  2. #12
    Senior Member
    Join Date
    May 2002
    Posts
    256
    So what about a BIOS password, or better, some sort of biometric scanner (fingerprint), etc.?
    Something that stops the user prior to loading Windows/DOS.
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    BIOS passwords are junk. They can be reset by a jumper on the board. If the jumper does not exist (unlikely), the battery can be removed and replaced and the password will be gone.

    Secondly, if you have physical access to the box there is no need to crack anything at all. Tools to read/write any file/OS can be loaded onto a Linux live CD.

    Biometric scanners are only good if they are plugged in and the OS loads; again, using a live CD or command prompt would not load the software for the biometric scanner.
    What's a "START" button?

  4. #14
    Senior Member
    Join Date
    May 2002
    Posts
    256
    See, now on my PC I have a lock on it so you can't get access to the machine. In addition, I have a cylinder lock for the keyboard as well... maybe I am paranoid...
    Best security... a handgun... catch the lil booger and he's gone.
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  5. #15
    Senior Member PacketThirst
    Join Date
    Aug 2004
    Posts
    258
    It's true that doing these things would not stop someone from gaining full control of your box.
    But shouldn't we make it a harder task for them to accomplish? Anyway, there's nothing called "Absolute Security" in networking. It's our job to try our best to keep our systems as secure as possible.

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    Save yourself the trouble of trying to place a SAM dump from one box onto another. Just look up SID and RID and that should explain why. For those who are lazy: these unique IDs are generated for every account and populated through NTFS, and surely will not work on other hosts. This is why you see the warnings in Windows about removing an account and then creating the same account name again. Although the name of the account is the same, the SID has changed and thus the permissions won't apply.

    If you want to see a windows box choke, go ahead and go through the motions.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
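To make the SID/RID point in the post above concrete, here is an added example (my code, not from this thread or any poster). It parses and re-encodes SIDs in the binary layout the registry uses, splits an account SID into its machine-SID prefix and RID, and then models what happens when a SAM is moved between hosts or an account is deleted and re-created. The two machine SIDs are constructed values, and the RID allocator is an assumption that models the local SAM hand-out as a counter starting at 1000 that is never rewound; real account and machine names are not used.

```python
import struct

# Well-known RIDs: the last sub-authority of an account SID. The prefix in front
# of it (S-1-5-21-x-y-z) is the per-machine (or per-domain) SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid):
    """Encode a SID the way the registry stores it: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then each
    sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes, with a length check so a truncated blob is rejected."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority) + tuple(subs))


def split_machine_and_rid(sid):
    """Return (machine_sid, rid) for an account SID issued by a local SAM or a domain."""
    revision, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not an S-1-5-21-... account SID: %r" % sid)
    machine = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return machine, subs[-1]


def same_principal(sid_a, sid_b):
    """Windows compares the full binary SID, never the account name."""
    return sid_to_bytes(sid_a) == sid_to_bytes(sid_b)


class SamRidAllocator:
    """Toy model (assumption) of a local SAM's RID hand-out: fixed well-known RIDs,
    new accounts start at 1000, and the counter never rewinds, so a deleted and
    re-created account gets a fresh RID rather than its old one."""

    def __init__(self, machine_sid, next_rid=1000):
        self.machine_sid = machine_sid
        self.next_rid = next_rid
        self.accounts = {"Administrator": 500, "Guest": 501}

    def create(self, name):
        if name in self.accounts:
            raise ValueError("account exists: %s" % name)
        self.accounts[name] = self.next_rid
        self.next_rid += 1
        return self.sid_of(name)

    def delete(self, name):
        del self.accounts[name]

    def sid_of(self, name):
        return "%s-%d" % (self.machine_sid, self.accounts[name])


def acl_allows(ace_sids, token_sids):
    """An ACE grants access only if one of the token's SIDs matches byte for byte."""
    return any(same_principal(a, t) for a in ace_sids for t in token_sids)


def demo():
    host_a = "S-1-5-21-1004336348-1177238915-682003330"  # constructed machine SID
    host_b = "S-1-5-21-3623811015-3361044348-30300820"   # constructed machine SID
    admin_a, admin_b = host_a + "-500", host_b + "-500"  # "Administrator" on each box

    sam_b = SamRidAllocator(host_b)
    first = sam_b.create("alice")   # ACLs on host B get written against this SID
    sam_b.delete("alice")
    second = sam_b.create("alice")  # same name, new RID

    return {
        "admin_rid_name": WELL_KNOWN_RIDS[split_machine_and_rid(admin_a)[1]],
        "admin_a_equals_admin_b": same_principal(admin_a, admin_b),
        "recreated_sid": second,
        "recreated_keeps_old_acl": acl_allows({first}, {second}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two checks that come out False are the ones the post is about: host A's Administrator (RID 500) and host B's Administrator share a RID but not a machine prefix, so a SAM carried from A to B names principals B has never issued; and the re-created "alice" gets RID 1001, so any ACE written for RID 1000 no longer matches her token.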

  7. #17
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    To add on to the last post, only Windows XP (IIRC) checks for SID signing of the SAM. Windows 2K will let you just replace it. NOW, if you use something that generates a new SID for the machine AND will open the registry hives (so that everything is changed) after you replace the SAM, then ALL THEIR BASE ARE BELONG TO YOU
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  8. #18
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    > To add on to the last post, only Windows XP (IIRC) checks for SID signing of the SAM.
    Yep. He mentioned XP specifically, which is why I mentioned this.

    > NOW, if you use something that generates a new SID for the machine AND will open the registry hives (so that everything is changed) after you replace the SAM, then ALL THEIR BASE ARE BELONG TO YOU
    True, like the chntpw app, which pwn3s the SAM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
