RE: question regarding SAM file / l0phtcrack / pwdump2

From: mike.borkin@gm.com
Date: 12/19/01
From: mike.borkin@gm.com
To: Farid Schuda <f.schuda@bysecure.com>
Date: Wed, 19 Dec 2001 17:12:52 -0500

To answer your second question first, the information you are getting is from
NTDS.dit. Pwdump2 does seem to automatically determine where to pull the
password hashes from, regardless of whether it should be the SAM or NTDS.dit. I
am not an expert on how pwdump works programmatically, but because the April 2000
version is AD capable I would have to assume that it looks for the NTDS.dit file
(which would only exist on a W2K DC) before looking at the SAM. For auditing
purposes, this would mean that you can easily load pwdump2 on the server and
have its output redirected to a file which you could then crack utilizing a
different machine (which is probably the same way you have always audited).
However, if you are attempting to audit by doing what the original question
talks about (boot to DOS and then grab the SAM file), then you would have to
grab NTDS.dit rather than the SAM file.

Mike

Farid Schuda <f.schuda@bysecure.com> on 12/19/2001 03:37:25 PM

To: Mike Borkin/US/GM/GMC@GM
cc: focus-ms@securityfocus.com
Subject: RE: question regarding SAM file / l0phtcrack / pwdump2

Hi, I've been following the mails, and I find it very interesting that Win2000
does not save the information in the SAM file, like Win NT.

But I have some questions. You said that W2K saves the information in the file
NTDS.dit;

1- So how can I use this file for auditing my users?
2- If I do a pwdump, I still get the information of the users; is this
information from the NTDS.dit file?
> -----Original Message-----
> From: Mike Borkin [SMTP:mike.borkin@gm.com]
> Sent: Tuesday, 18 December 2001 12:38
> To: focus-ms@securityfocus.com
> Subject: Re: question regarding SAM file / l0phtcrack / pwdump2
>
>
> In-Reply-To: <5.1.0.14.0.20011217144411.0325efb8@mail.wwisp.com>
>
> >I can boot to dos and snag the SAM file, but it seems very old. When I
> >actually extracted the info it was only the local account info--not domain.
> >I assume that Active Directory user information is stored differently even
> >on a PDC?
> >
>
>
> In Windows 2000 all domain information (including
> user accounts and password hashes) is stored in
> AD. Therefore, the only purpose of the SAM
> database file on a W2K domain controller is for the
> directory services restore mode. In order to locate
> user account information in W2K you actually need to
> look at the NTDS.dit file (which is the AD database
> file) that is located at %systemroot%\ntds\ntds.dit,
> rather than the SAM file. The SAM file on a W2K
> member server or workstation, however, still holds all
> local account information just as it did in NT.
