Re: two questions that need answering

From: Dan B (neo@redcell.fsnet.co.uk)
Date: 01/29/02


Date: 29 Jan 2002 12:39:30 -0000
From: Dan B <neo@redcell.fsnet.co.uk>
To: focus-ms@securityfocus.com


In-Reply-To: <B36C365832C90E47A37F4FFCDDEFC46D04F62C@hkisrv08.tw.fi>

The reason I ask about syskey is that I found the following in the LC3 helpfile:

SAM File
On systems that do not use Active Directory, or SYSKEY, you may obtain password hashes directly from a password database file stored on the system -- the SAM file.

Note: this approach will not allow you to obtain password hashes from most Windows 2000 systems, as Windows 2000 uses SYSKEY by default. SYSKEY was introduced in Windows NT Service Pack 3, but was not turned on by default, so SAM access works on Windows NT systems unless SYSKEY was explicitly turned on. SYSKEY provides an additional layer of encryption to stored password hashes. Interestingly, you can't tell by looking at the SAM or at password hashes it contains whether they've been encrypted with SYSKEY or not. LC3 cannot crack SYSKEY-encrypted password hashes. This implies that if you do not have access to at least one administrator account on a Windows 2000 machine, you cannot obtain the password hashes required to run LC3. In such cases, you may benefit from a password reset utility.