Penetration Testing mailing list archives

Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?


From: robmann () INAME COM
Date: Wed, 28 Mar 2001 04:16:56 -0500

This looks like the F- and V-structs stored in the SAM hive of the registry. The one that will be of interest to you is the V-struct (contains an obfuscated LM hash).

To get to a l0pht'able hash you need to DES-decrypt a 16-byte portion of the V-struct with the user's RID as the key, i.e. if it was the administrator's account you would use a key of 0x01f4.

I wrote a bit of code (most of it copied from Petter Nordahl-Hagen's chntpw) to convert raw SAM V-structs to hashes, but it's extremely messy. If you really need to get the hashes out, email me offline.

Out of interest, what method did you use to obtain the V-structs in the first place? I almost got there remotely using MS-SQL's extended stored procedures, but unfortunately they can read almost any key except for a V-struct.

Rob


-----Original Message-----
From: Renato Ettisberger [mailto:renato.ettisberger () CH PWCGLOBAL COM]
Sent: Tuesday, March 27, 2001 4:48 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?

BTW: My question is, how can I crack the password hash when it comes in
the following form:

F:0x020020000000000000000000....
V:0x00000000a800000......
