Re: Pwdump3, LC4, SysKey & SAM with win2k passwords
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/06/02
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Fri, 6 Dec 2002 13:06:10 -0500
"Scott" <zugget@AOL.COM> wrote in message
news:27e1765b.0212051815.7d9fbd8c@posting.google.com...
> I have two laptops running win2k. On laptop #1 I have administrator
> rights, pwdump3 and L0phtcrack. On Laptop #2 I do not have
> administrator rights. My goal is to get the administrator password
> for laptop#2 without resetting the administrator password or installing
> another version of win2k.

I'm not sure why I'm helping answer this. It doesn't sound like you're
doing anything kosher.

I would recommend using one of the standard password reset boot disks and
find one that permits insertion of a new user into the SAM. [I think there
is at least one out there that will do this]. Then, as long as this user is
admin-equivalent, you can log in and run pwdump3 to get the SAM, get the
original admin password and then delete the user you added. If it works, I
feel that would be the easiest method I can think of.

http://securityadmin.info/faq.htm#password

> So far I have obtained the SAM file from Laptop #2 but as we all know
> LC4 cannot do anything with it because it is SYSKEY encrypted. I read
> that there is a loophole with earlier versions of SYSKEY. Does
> anybody know if I can do a HEX dump of the SAM file and XOR the hashes
> together to remove the encryption?

I'd be surprised if it was that easy. I would think they're probably
talking about NT 4.0 Syskey for the most serious vulnerabilities.

> I know I can use pwdump3 to remotely access a SAM file but do I need
> administrator rights on both laptops?

I would think you would need administrator [or possibly system] privileges
on the target laptop. You could use a number of privilege escalation
attacks to gain administrator privileges. Try seeing if IIS is running and
has vulnerabilities that could permit running code as System.

> Finally, can I replace the SAM file on Laptop#1 with the SAM file on
> Laptop#2 and run L0phtcrack without doing any major damage to Laptop
> #1?

I don't think so. I think you'd need to replace the SAM file outside of
Windows, and then even if it did work, you'd need to know an
administrator-equivalent password to be able to log into the laptop and run
pwdump3 to extract the SAM.