Re: loopholes in win 2000 & how we can break sam file

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/16/04


Date: Thu, 16 Sep 2004 15:09:41 +0200

Hi,

Yes, you can dump LM and NTLM hashes from the SAM database. There are a few ways
to do it. One is to copy it off from the server, but this will require
physical access to the server and a reboot. This method doesn't require any
permission at all, except physical access -- this is why physical access to
e.g. a DC is very important. The next option is to use tools like pwdump2, but
this will require administrator privileges on the computer where the SAM database
is.

Once you have LM "hashes" you can use tools like LC5 (or older versions), or some
on-line tools, that will crack the hash to a password.

What you can do about this is:
* Use the NTLM hash (the LM hash is vulnerable by design -- IBM designed it a few
decades ago)
* Even with the NTLM hash you have to use strong, hard-to-guess passwords. If I
can run a dictionary attack against your passwords then it doesn't matter
what kind of hash you use for your password storage

How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&Product=win2000

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

I hope this helps,

Mike

"suresh bhargav" <anonymous@discussions.microsoft.com> wrote in message
news:357101c49be9$8cb2a660$a501280a@phx.gbl...
> A few people argue with me regarding Win 2000
> security. According to them it is breakable. Just enlighten me
> about its possibility. If it's true, then how?
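As an added example (not part of the original post), the following PowerShell audit checks whether a host has the NoLMHash setting from the KB article Mike links above; it assumes it is run in an elevated session on the machine being checked, and the Get-LmHashStorageStatus function name is my own.

```powershell
# Added example, not from the original post: audit whether this host is
# configured to stop storing LM hashes (KB 299656). Assumes an elevated
# PowerShell session on the machine being checked.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashStorageStatus {
    # Hypothetical helper name; returns the two forms the setting can take.
    $result = [ordered]@{
        NoLMHashValue  = $null   # XP / 2003 style: DWORD value 'NoLMHash' = 1
        NoLMHashKey    = $false  # Windows 2000 style: empty subkey named 'NoLMHash'
        LmHashDisabled = $false
    }

    $props = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.NoLMHash) {
        $result.NoLMHashValue = [int]$props.NoLMHash
    }
    $result.NoLMHashKey = Test-Path -Path (Join-Path $lsa 'NoLMHash')

    # Either form means new LM hashes will no longer be written.
    $result.LmHashDisabled = ($result.NoLMHashValue -eq 1) -or $result.NoLMHashKey
    return [pscustomobject]$result
}

$status = Get-LmHashStorageStatus
if ($status.LmHashDisabled) {
    Write-Output "OK: LM hash storage is disabled on this host."
    Write-Output "Note: existing accounts keep their LM hash until their next password change."
} else {
    Write-Output "WARNING: LM hashes are still being stored."
    Write-Output "Set NoLMHash (DWORD) = 1 under $lsa, or enable the policy"
    Write-Output "'Network security: Do not store LAN Manager hash value on next password change',"
    Write-Output "then force a password change so the stored LM hashes are cleared."
}
```

The setting only affects hashes written after it is enabled, so the check reports green as soon as the registry is set, while accounts that have not changed their password since still carry an LM hash.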
