Security Basics mailing list archives
RE: Syskey on Win2k
From: "Hopkins, Joshua" <joshua.hopkins () aruplab com>
Date: Thu, 6 Feb 2003 11:03:26 -0700
If you have the rights to the machine, all you need to do is use the first version of pwdump on the machine that you are looking at, dump the SAM into a txt file, and then just import the dumped SAM into LC4.

Joshua R. Hopkins
Information Security Analyst
ARUP Laboratories
Salt Lake City, UT
tel. 801.583.2787 ext 3110
fax. 801.584.5108
josh.hopkins () aruplab com

-----Original Message-----
From: James Kelly [mailto:jim () essistants com]
Sent: Wednesday, February 05, 2003 6:16 PM
To: 'Pez Mohr'; simont () lantic net; 'Security-Basics'
Subject: RE: Syskey on Win2k

I may be wrong in this, but I'm pretty sure from previous "exercises" that you can't copy the SAM data when Windows is running. It can be accessed, however, when you have admin rights, which gives LC4 access to the data. As far as the TechNet claim goes, I have seen in my own personal experience LC4 get passwords in minutes. If it does have to brute-force, this takes considerably longer...

Jim

-----Original Message-----
From: Pez Mohr [mailto:boredMDer74 () msn com]
Sent: Wednesday, February 05, 2003 3:11 PM
To: simont () lantic net; Security-Basics
Subject: Re: Syskey on Win2k

Simon Taplin wrote:

> On Windows 2000, Syskey is enabled by default. Can I copy the .sam file from \winnt\system32 after booting from a bootdisk and then run LC4, or do I need to run something else first? Just wondering, since I know Syskey is supposed to be 128-bit encryption.
>
> Simon

AFAIK, Syskey encrypts the SAM with 128-bit encryption, not just when Windows is running. With appropriate permissions, grabbing the SAM after booting from a bootdisk would yield the same result as grabbing it when you were logged in to Windows.

The following is taken from a TechNet page:

'Syskey thwarts this attack by encrypting the SAM database using strong encryption. Even if an attacker did manage to obtain a copy of the Syskey-protected SAM, he would first need to conduct a brute-force attack to determine the Syskey, then conduct a brute-force attack against the hashes themselves.'

I don't know quite what you're asking, but it looks like you mean how exactly one would get the SAM. Again, if you have appropriate permissions, one can merely copy over the SAM from '%WinDir%\system32\SAM'.

If I've been unclear in any way, feel free to email me off-list so I can clear it up a bit.

Pez Mohr
boredMDer74 () msn com
PGP Key: http://tinyurl.com/3rmk
Fingerprint: 35F0 4088 BCA3 457C FDE4 3ABC 4E02 1AD7 9EBE 09FE