Security Basics mailing list archives

Re: Syskey on Win2k


From: "Pez Mohr" <boredMDer74 () msn com>
Date: Wed, 5 Feb 2003 20:23:33 -0500

James Kelly wrote:
I may be wrong in this, but I'm pretty sure from previous "exercises"
that you can't copy the SAM data when Windows is running.  It can be
accessed however, when you have admin rights.  Which gives LC4 access
to the data, and as far as the technet claim, I have seen in my own
personal experience, LC4 get passwords in minutes.  If it does have to
bruteforce, this takes considerably longer...

Ah, yes, sorry about that. The SAM is indeed locked while Windows is running
because it is in use. However, the hashes can be dumped by a tool such as
pwdump or such, and LC4 (and previous versions) also allowed the SAM
information to be extracted. How, I don't know.

Again, sorry, just a memory lapse. Been a while since I needed to grab the
SAM out of a 2k environment... (although this holds true for XP as well,
being locked while Windows is up...whatever)

Pez Mohr
boredMDer74 () msn com
PGP Key: http://tinyurl.com/3rmk
Fingerprint: 35F0 4088 BCA3 457C FDE4  3ABC 4E02 1AD7 9EBE 09FE

