SAM Files and NT Password Hashes
By: Grifter (2600 Salt Lake City)
§ Introduction
I know that this topic has been covered by others on more than one occasion, but I
figured I'd go over it yet again and throw in an update or two. Let me start with
what this is all about: SAM Files & NT Password Hashes.
NT Password Hashes - When you type your password into a Windows NT, 2000, or XP login,
Windows encrypts your password using an encryption scheme that turns it into
something that looks like this:
7524248b4d2c9a9eadd3b435c51404ee
This is a password hash. This is what is actually being checked when you type your
password in: Windows encrypts what you typed and compares it against what is stored
in the Registry and/or SAM file.
SAM File - Holds the user names and password hashes for every account on the local
machine, or domain if it is a domain controller. Simple enough wouldn't you say?
§ Where do I find the SAM/Hashes?
You can find what you're looking for in several locations on a given machine.
It can be found on the hard drive in the folder %systemroot%\system32\config.
However this folder is locked to all accounts including Administrator while the
machine is running. The only account that can access the SAM file during operation
is the "System" account.
You may also be able to find the SAM file stored in %systemroot%\repair if the NT
Repair Disk Utility, a.k.a. rdisk, has been run and the Administrator has not removed
the backed-up SAM file.
The final location of the SAM, or the corresponding hashes, is the registry, under
HKEY_LOCAL_MACHINE\SAM. This is also locked to all users, including Administrator,
while the machine is in use.
So the three locations of the SAM/hashes are:
- %systemroot%\system32\config
- %systemroot%\repair (but only if rdisk has been run)
- In the registry under HKEY_LOCAL_MACHINE\SAM
§ Obtaining the SAM/Password Hashes
Wow, how wonderful. Now we know where the goods are, and the problem is this...
"How do I get my hands on those hashes?" The answer is "One of four ways."
1) Probably the easiest way to do this is to boot your target machine to an
alternate OS like NTFSDOS or Linux and just copy the SAM from the
%systemroot%\system32\config folder. It's quick, it's easy, and it's effective.
You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com).
The regular version of NTFSDOS is freeware, which is always nice, but only allows
for read-only access. This should be fine for what you want to do. However, if
you're the kind of person that just has to have total control and has some money to
burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll
cost you $299.
2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk
has been run and you are lucky enough to have a sloppy admin.
3) You can also get password hashes by using pwdump2. pwdump uses .DLL injection in
order to use the system account to view the password hashes stored in the registry.
It then pulls the hashes from the registry and stores them in a handy little text
file that you can then import into a password cracking utility like l0phtcrack.
4) The final way to obtain password hashes is to listen directly to the network
traffic as it floats by your computer and grab hashes using the above mentioned
l0phtcrack.
§ Cracking Password Hashes
With the hashes in hand and an eagerness to find out what passwords lie waiting,
let's get cracking. While there are numerous programs available for password
cracking, I will quickly cover two of the most popular ones.
John the Ripper -
John the Ripper is to many, the old standby password cracker. It is command line
which makes it nice if you're doing some scripting, and best of all it's free.
The only real thing that JtR is lacking is the ability to launch Brute Force attacks
against your password file. But look at it this way, even though it is only a
dictionary cracker, that will probably be all you need. I would say that in my
experience I can find about 85-90% of the passwords in a given file by using just a
dictionary attack. Not bad, not bad at all.
L0phtCrack -
Probably the most wildly popular password cracker out there. L0phtCrack is sold
by the folks at @Stake, and with a price tag of $249 for a single-user license it
sure seems like everyone owns it. Boy, @Stake must be making a killing. :) This
is probably the nicest password cracker you will ever see. With the ability to
import hashes directly from the registry à la pwdump, plus dictionary, hybrid, and
brute-force capabilities, no password should last long. Well, I shouldn't say
"no password", but almost all will fall to L0phtCrack given enough time.
§ Injecting Password Hashes into the SAM
Probably one of my favorite and easiest ways to gain Administrator privileges on a
machine is by injecting password hashes into the SAM file. In order to do this you
will need physical access to the machine and a brain larger than a peanut. Using a
utility called "chntpw" by Petter Nordahl-Hagen, you can inject whatever password you
wish into the SAM file of any NT, 2000, or XP machine, thereby giving you total
control. I would suggest backing up the SAM file first by using an alternate OS.
Go in, inject the password of your choosing, and log in using your new password. Do
what you need to do. Then restore the original SAM so no one knows you were there.
§ Password Strength
By looking at the methods above, you can see the importance of keeping strong
passwords. Someone may be able to get their hands on your hashes, but whether
or not they can crack them is the real test. Don't make it easy on them.
When I create a password I like to use the first letter of each word in a phrase.
Like "Password Strength is important so I pick good passwords" would be "psiisipgp".
Now you have a 9 character password that isn't in any dictionary I know of. Bye Bye
John the Ripper.
I also like to flank passwords with special characters like "@$%?", so now your
password is ?psiisipgp?. This will ensure L0phtCrack takes a long time cracking it,
giving you time to change it if you discover a breach. Or just change your passwords
regularly.
If you want to get insane, like I do, you can add non-printable ASCII characters to
your passwords. Using the Alt key and the numbers on your number pad, hold Alt and
key in 149; you should get a character like this: "ò". Flank your password with this
inside your question marks and now you've got a secure password. ?òpsiisipgpò? can't
be cracked by L0phtCrack since it doesn't allow for non-printable ASCII characters.
Bye Bye L0phtCrack.
I know this may seem like a lot to do, but let's face it, a weak password is a
cracked password.
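As an added example (not from the article), here is the NT hash computation the Introduction describes, MD4 over the UTF-16LE-encoded password with no salt, applied to a constructed account table that includes this section's passphrase-derived password with the Alt+149 character. It shows why the hashes above are so cheap to attack once obtained: two accounts with the same password have identical hashes, and the "ò" is just another UTF-16 code unit to the hash function, so any protection it gives rests on a cracker's character set rather than on the hash itself; MD4 is inlined because hashlib's md4 is often disabled.

```python
import struct

MASK32 = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is frequently unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))          # message bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (mixing function, round constant, shift table, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]                                       # working registers a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, word in enumerate(order):
                j = -i % 4                             # register written: a, d, c, b, a, ...
                a, b, c, d = (v[(j + n) % 4] for n in range(4))
                v[j] = _rotl((a + fn(b, c, d) + X[word] + k) & MASK32, shifts[i % 4])
        h = [(x + y) & MASK32 for x, y in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password. No salt, no per-user input."""
    return md4(password.encode("utf-16le")).hex()

def shared_password_groups(hashes: dict) -> list:
    """Account names whose NT hashes collide, i.e. accounts sharing one password."""
    by_hash = {}
    for name, h in hashes.items():
        by_hash.setdefault(h, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]

# Constructed sample accounts (not from any real SAM); the last one is the article's
# passphrase-derived password flanked with the Alt+149 character (U+00F2).
SAMPLE = {"alice": "password", "bob": "password", "grifter": "?\u00f2psiisipgp\u00f2?"}
SAMPLE_HASHES = {name: nt_hash(pw) for name, pw in SAMPLE.items()}

if __name__ == "__main__":
    print(SAMPLE_HASHES, shared_password_groups(SAMPLE_HASHES))
```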
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NTFSDOS - (http://www.sysinternals.com)
pwdump2 - (http://www.webspan.net/~tas/pwdump2/)
John the Ripper - (http://www.openwall.com/john/)
L0phtCrack - (http://www.atstake.com/research/lc3/)
chntpw - (http://home.eunet.no/~pnordahl/ntpasswd/)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
© 2600SLC.ORG 2002
Re: SAM Files and NT Password Hashes
I am trying to get admin access to my school's computers and am using pwdump2 to extract the encrypted SAM files. Somehow it is not able to execute lsass.exe (it is running in the command prompt); it has no trouble finding the PID. Do any of you have any suggestions and/or alternate methods?
Thanks
Re: Re: SAM Files and NT Password Hashes
I made an error. It is running in Task Manager. Sorry about that.
Re: Re: Re: SAM Files and NT Password Hashes
Hi, it's easy, just use a program called CAIN. It sniffs the LAN for logins and then you can have it run brute-force and dictionary attacks. I know it works, because I've hacked my school's admin account. If you need more info, email me at danielsullivan87@bigpond.com
- Daniel
Re: Re: Re: Re: SAM Files and NT Password Hashes
Where do you download CAIN from? ASAP please. I'm bored.
Re: Re: Re: Re: Re: SAM Files and NT Password Hashes
Try Kazaa.
Re: Re: Re: Re: Re: Re: SAM Files and NT Password Hashes
There are two very easy ways to copy the SAM file and the system file needed to decrypt Windows user passwords WHILE Windows is up and running. It is NOT necessary to boot up and use Bart's PE or NTFSDOS Pro, etc. I have tested both of the methods below, and they both work perfectly.
1) Use ERUNT, http://home.t-online.de/home/lars.hederer/erunt/ a program for backing up the registry on a Windows NT/2000/XP computer. It backs up the entire registry, including the locked, in-use files (SAM, system, etc.). After backing up the registry, just navigate to the backup's directory and copy the files! It's that easy!
ERUNT uses the Windows API function RegSaveKey (or RegSaveKeyEx on Windows XP and Server 2003) to stream the registry data out into a new file. So it is not a direct "file copy". REGBACK and REGREST tools from the Windows Resource Kit use the same method.
ERUNT gets its name from the Windows 95 Emergency Recovery Utility, which was included on the Windows 95 CD-ROM and not seen again on the Windows 98 CD.
2) Use DirSnoop for NTFS, http://www.briggsoft.com/dsnoop.htm Navigate to the c:\windows\system32\config\SAM file, left-click on it. Look down at the Cluster Chain window in the bottom left corner. Note the beginning and ending clusters of the file. Also note the total number of Clusters at the very bottom. Go to the Cluster pull-down menu, choose Copy to File... In the "Copy: Select Cluster Range" dialog, click inside the Total Clusters field, back space over whatever is there and type in the total number of clusters in the file. The Last Cluster field will automatically adjust itself. Double-check that the First and Last Clusters you are going to copy to file are the same as indicated in the Cluster Chain window. Then choose where you want to save the file and click "Ok". The resulting file will be identical to the original. Repeat the same procedure for the system file.
DirSnoop uses disk-editing type functions and bypasses the Windows file system and its restrictions. DirSnoop can also be used to copy the pagefile.sys file while Windows is running, and in-use password files from security type programs, etc. In every case I have tried it, it gives me exactly what I want: a copy of the in-use file.
Both of the above programs can be downloaded and used without payment of any kind.
Re: Re: Re: Re: Re: Re: Re: SAM Files and NT Password Hashes
I'm Saki.
There's a little error in your theory: DirSnoop needs an administrator login to run, so why would I need an admin password if I'm already logged in as admin? The first method works well.
Hi
Re: SAM Files and NT Password Hashes
I have a copy of the SAM but I can't extract the hashes stored in it. How do I do this? Can you recommend me some software for this? (The SAM is 262 KB and is on the same machine; I copied it by booting from a diskette with NTFSDOS free, which can copy little files onto diskettes.)