RE: Syskey on Win2k
From: Hopkins, Joshua (joshua.hopkins@aruplab.com)
Date: 02/06/03
- Previous message: John Hendren: "RE: adware showing up"
- Maybe in reply to: Simon Taplin: "Syskey on Win2k"
- Next in thread: Lachlan McGill: "RE: Syskey on Win2k"
From: "Hopkins, Joshua" <joshua.hopkins@aruplab.com>
To: 'James Kelly' <jim@essistants.com>, 'Pez Mohr' <boredMDer74@msn.com>, simont@lantic.net, 'Security-Basics' <security-basics@securityfocus.com>
Date: Thu, 6 Feb 2003 11:03:26 -0700
If you have the rights to the machine, all you need to do is use the first
version of pwdump on the machine that you are looking for and dump the SAM
into a txt file, and then just import the dumped SAM into LC4.
Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel. 801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins@aruplab.com
-----Original Message-----
From: James Kelly [mailto:jim@essistants.com]
Sent: Wednesday, February 05, 2003 6:16 PM
To: 'Pez Mohr'; simont@lantic.net; 'Security-Basics'
Subject: RE: Syskey on Win2k
I may be wrong in this, but I'm pretty sure from previous "exercises"
that you can't copy the SAM data when Windows is running. It can be
accessed, however, when you have admin rights, which gives LC4 access to
the data. As far as the TechNet claim, I have seen in my own
personal experience LC4 get passwords in minutes. If it does have to
brute-force, this takes considerably longer...
Jim
-----Original Message-----
From: Pez Mohr [mailto:boredMDer74@msn.com]
Sent: Wednesday, February 05, 2003 3:11 PM
To: simont@lantic.net; Security-Basics
Subject: Re: Syskey on Win2k
Simon Taplin wrote:
> On Windows 2000, Syskey is enabled by default, can I copy the .sam
> file from \winnt\system32 after booting from bootdisk and then
> running LC4 or do I need to run something else first. Just wondering
> since I know Syskey is supposed to be 128 encryption.
>
> Simon
AFAIK, Syskey encrypts the SAM with 128 bit encryption, not just when
Windows is running. With appropriate permissions, grabbing the SAM after
booting from a bootdisk would yield the same result as grabbing it when
you were logged in to Windows.
The following is taken from a TechNet page:
'Syskey thwarts this attack by encrypting the SAM database using strong
encryption. Even if an attacker did manage to obtain a copy of the
Syskey-protected SAM, he would first need to conduct a brute-force
attack to determine the Syskey, then conduct a brute-force attack
against the hashes themselves.'
I don't know quite what you're asking, but it looks like you mean how
exactly would one get the SAM. Again, if you have appropriate
permissions, one can merely copy over the SAM from
'%WinDir%\system32\SAM'. If I've been unclear in any way, feel free to
email me off-list so I can clear it up a bit.
Pez Mohr
boredMDer74@msn.com
PGP Key: http://tinyurl.com/3rmk
Fingerprint: 35F0 4088 BCA3 457C FDE4 3ABC 4E02 1AD7 9EBE 09FE