Re[2]: Hidden Sam (passwords) File on XP/2000 FileSystem
From: Phaedrus (phaedrus-securityfocus@lycanon.org)
Date: 03/12/02
- Previous message: Mendoza Bazan, Luis - (Per): "Logs from WinNT/2k and Eventlog.pl"
- Maybe in reply to: Susan Chan Lee: "Hidden Sam (passwords) File on XP/2000 FileSystem"
- Next in thread: Slow2Show: "Re: Hidden Sam (passwords) File on XP/2000 FileSystem"
Date: Mon, 11 Mar 2002 15:57:22 -0800
From: Phaedrus <phaedrus-securityfocus@lycanon.org>
To: "R Hampson" <ric_hampson@hotmail.com>
The "RP" directories in question are the restore points created by the
System Restore tool (either manually or automatically). Since System
Restore is designed to let you roll the machine back to a previous
state, I'm sure the restore-point directories include all sorts of
terribly interesting information; I'm not at all surprised that SAM
information is in there as well.
So this information isn't stored in this way unless the machine in
question is running System Restore (which, unless my memory is
failing, means that Win2K wouldn't store this information, since it
doesn't include System Restore).
If you don't want attackers to access this information in this way,
you should either disable System Restore (and use some other backup
strategy), or set the permissions so that attackers can't have access
to it (which, arguably, the default permissions accomplish reasonably
well--if an attacker can execute code as SYSTEM, it's probably
game-over in any event).
--
Best regards,
Phaedrus
mailto:phaedrus-securityfocus@lycanon.org

>> Hidden Sam File on XP/2000 FileSystem
>>
>> Tested on XP, but should apply to 2000
>>
>> Not sure if this has been talked about before, but here it goes...
>>
>> On the system partition, there is a directory called System Volume
>> Information. Normally you cannot access this, but if you launch a
>> cmd.exe via a scheduled AT job, then the shell, since it is launched
>> as NT AUTHORITY\SYSTEM, can access this directory.
>>
>> From this shell if you cd to System Volume Information and do a dir
>> /a (/a to see the hidden files) you should see something like:
>>
>> E:\System Volume Information>dir /a
>>  Volume in drive E is System
>>  Volume Serial Number is F052-44PK
>>
>>  Directory of E:\System Volume Information
>>
>> 02/15/2002  22:13    <DIR>          .
>> 02/15/2002  22:13    <DIR>          ..
>> 02/07/2002  16:18            20,480 tracking.log
>> 03/06/2002  11:56    <DIR>          _restore{DD482C7B-8876-4FAD-9DDE-607V6F1041F6}
>>                1 File(s)         20,480 bytes
>>                3 Dir(s)   1,644,077,056 bytes free
>>
>> If you cd to the _restore* directory, then you should see a number of
>> RP* directories. Within some of these RP* directories there will be
>> another directory called snapshot within which you find a complete
>> registry dump including a file called _REGISTRY_MACHINE_SAM which
>> is the SAM file for the machine. You can feed this to a password
>> cracker to get the passwords.
>>
>> This technique can be useful when the backup SAM file in REPAIR is
>> outdated or inaccessible or when the current SAM file cannot be
>> dumped. All you need to do is run a process as NT AUTHORITY\SYSTEM.
>>
>> Thanks
>>
>> Susan Chan Lee
>> Security Associates - Singapore
>> e-mail: susan.lee@securityassoc.com
>> web: http://www.securityassoc.com
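The two mitigations Phaedrus names (turn System Restore off, or keep the default SYSTEM-only permissions on System Volume Information) can be audited from an elevated prompt. The script below is an added example written for this page; it is not code from the thread, from either poster, or from Microsoft, and it targets a current Windows PowerShell rather than the XP/2000 systems discussed. The registry paths and the DisableSR value name are assumptions about how the System Restore policy is stored, as is the assumption that Get-Acl can read the directory's DACL from an elevated prompt. A third check lists scheduled tasks that start cmd.exe as SYSTEM, since a SYSTEM shell is the prerequisite the original post relies on and such tasks are worth reviewing.

```powershell
# Added audit example (not from the thread). Run from an elevated Windows
# PowerShell prompt. Registry keys and value names below are assumptions.

function Test-SystemRestoreDisabled {
    # DisableSR=1 under either key is assumed to turn System Restore off
    # (policy key first, then the per-machine setting).
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    )
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -Name DisableSR -ErrorAction SilentlyContinue
        if ($v -and $v.DisableSR -eq 1) { return $true }
    }
    return $false
}

function Get-SviAclFindings {
    # The default DACL on "System Volume Information" grants only SYSTEM
    # full control. Any other Allow ACE widens who can read the restore
    # point snapshots (and the registry copies inside them).
    $allowed = @('NT AUTHORITY\SYSTEM')
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $svi = Join-Path $drive.Root 'System Volume Information'
        if (-not (Test-Path -LiteralPath $svi)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $svi -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Path = $svi; Finding = "ACL not readable: $($_.Exception.Message)" }
            continue
        }
        $extra = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $_.IdentityReference.Value
        } | ForEach-Object { "$($_.IdentityReference) -> $($_.FileSystemRights)" })
        $finding = if ($extra.Count -gt 0) { 'Extra ACEs: ' + ($extra -join '; ') } else { 'OK (SYSTEM only)' }
        [pscustomobject]@{ Path = $svi; Finding = $finding }
    }
}

function Get-SystemShellTasks {
    # Scheduled tasks that launch cmd.exe as SYSTEM: the same kind of job the
    # original post describes. Each hit should have a known owner and purpose.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' -and
        ($_.Actions | Where-Object { $_.Execute -match 'cmd(\.exe)?$' })
    } | Select-Object TaskPath, TaskName, State
}

"System Restore disabled by policy/setting: $(Test-SystemRestoreDisabled)"
Get-SviAclFindings   | Format-Table -AutoSize
Get-SystemShellTasks | Format-Table -AutoSize
```

If the ACL check reports "ACL not readable" even from an elevated prompt, that is usually the default restrictive DACL doing its job (Administrators are not granted read access to the directory), which is the state the reply above calls reasonable; an "Extra ACEs" line is the finding to investigate.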