Security Basics mailing list archives

RE: Unwanted programs on Win2K
From: "dave" <dave () netmedic net>
Date: Wed, 5 Feb 2003 16:33:44 -0500

Also, if you run ERD from the Backup utility, it will create
'%WinDir%\repair\regback' with the new SAM.

Remember, if you do not store the passwords using the LMHash, they are a lot
harder to crack.




-----Original Message-----
From: Pez Mohr [mailto:boredMDer74 () msn com]
Sent: Wednesday, February 05, 2003 15:19
To: Kamran Muzaffer; Gedi; security-basics () securityfocus com
Subject: Re: Unwanted programs on Win2K

Kamran Muzaffer wrote:
Hi Gedi,

I tried to _crack_ a .SAM file located in c:\WINNT\repair with LC4,
but it only shows Administrator and guest accounts and those are not
the current passwords either. I think Windows saves the initial copy
of the password database there. That's the very reason why I think
it's not that dangerous to leave that file there (maybe as a backup)
because if it is so simple to recover all the Windows passwords,
then curing it would have been the first step in all Win security

I heard something in the past about when first installing Windows, it
saves a backup copy of the SAM to '%WinDir%\repair'. Whenever you use
NTBACKUP, however, if you choose to back up 'System State', then it copies
the SAM and puts it in '%WinDir%\repair' (if this is incorrect, please
correct me). So if anyone has run NTBACKUP, be sure to head over to the
repair directory, and delete the backups contained there.

Pez Mohr
boredMDer74 () msn com
PGP Key: http://tinyurl.com/3rmk
Fingerprint: 35F0 4088 BCA3 457C FDE4  3ABC 4E02 1AD7 9EBE 09FE
