Add to Technorati Favorites

So you got administrator privileges on a NT box and now want to take over the entire Network, but for that you need to get the list of accounts that you would use and their respective passwords. So, what do you do?

Well, the NT Security Accounts Manager or the SAM holds the key, and this manual explores how exactly you would go about the process of extracting and ‘cracking’ passwords from the Windows NT SAM and other related information.

The NT Security Accounts Manager or the NT SAM is to Windows NT what the /etc/passwd file is to Unix systems. The SAM stores the list of usernames of all accounts and their respective passwords in encrypted form of all Local Users or all users on that particular domain. (Varies according to what the system is used for.) Cracking the SAM or in other words cracking the encrypted passwords stored by it is all you need to do in your quest to control the entire Network.

Although the latest encryption algorithm implemented by Microsoft NT is quite good, there is a flaw or rather a backward compatibility feature, which can easily be exploited to crack the passwords. You see, this new algorithm has been adopted only recently. Earlier, Microsoft used to implement a one-way encryption standard or hashing. Now even the newer versions of the operating system in order to maintain backward compatibility with Windows 9x etc have to store the old hash along with the new. Now, the older hash function has already been reverse engineered or cracked and is widely used to crack the NT passwords.

L0phtcrack is the utility, which we will be using in this manual to crack the Windows NT passwords. It is available at http://www.l0pht.com/l0phtcrack L0phtcrack is probably the most easy to use and the most effective utility available to crack NT passwords. L0phtCrack can import the required SAM data in many forms. It can extract the SAM data from raw SAM files, from compressed backup SAM files (SAM._), from remote systems using administrator access and even by sniffing hashes being transferred over networks.

Before you actually get down to using L0phtCrack, you need to obtain the SAM file. Microsoft uses a file called SAM to store the SAM data on Windows NT. This file can be found at:

%systemroot%\system32\config

This particular directory is locked throughout the time when Windows NT is running. The information stored by this file has actually been extracted from the Windows NT registry. The original source of the data stored by this file is the following registry key:

HKEY_LOCAL_MACHINE\SAM

This key cannot be accessed by any account. Even the administrator account does not allow access to it. However, like all security features this feature too can be over-ridden. Infact there are several ways of getting the SAM data, and in this manual I will try and elaborate on all of these methods.

Getting the SAM from the Backup directory

When you use the NT Repair Utility (rdisk) with the /s argument to backup the important information regarding the system configuration to a floppy disk, then a compressed copy of the SAM data file is created in the %systemroot%\repair directory under the filename: SAM._

Although a good system administrator will not forget to delete this file, however, in some cases inexperienced system administrators do tend to forget to delete it. As this backup copy of the SAM file is in the compressed form, you need to expand it before you can use it. One can expand the compressed back copy of the SAM using the following command:

C:\>expand sam._ sam

NOTE: If you use the latest version of L0phtCrack, you need not go through the process of expanding the compressed backup copy of the SAM, as there is a built in option, which automatically does it for you.

Getting the SAM via another Operating System

The basis of this section is the fact that the SAM file is locked throughout the time Windows NT is running. So in other words, access to the SAM file should not be restricted when Windows NT is not running. Right? So, all you now need to do is boot into an alternate operating system, the most commonly used for such a purpose would be a DOS running on a floppy which has the COPY utility on it. So, basically what one needs to do is create a bootable floppy, which has DOS running on it. Then you need to change the BIOS settings and enable boot from the floppy disk. Once you have booted into DOS, you could use the Copy utility to get the SAM file.

However, this process is not as easy as it above, but again not too difficult. You see, more often than not a target system running Windows NT would be running on an NTFS-formatted partition. So, while you create the bootable floppy, what you need to keep in mind if the fact that it should be able to read NTFS partitions. There is a NTFS file system driver called NTFSDOS, which will do the trick in such scenarios. It basically works by mounting NTFS partitions as logical drives, in effect, making all the files on the target system vulnerable to being read (including the SAM file).

You can get NTFSDOS from http://www.sysinternals.com/

*********************
HACKING TRUTH: NTFSDOS makes all files on the target system vulnerable to being read. Now, wouldn’t it be wonderful if you could write to the target system as well. Well, NTRecover and NTLocksmith again from http://www.sysinternals.com/ give you limited write capabilities.

*********************

There is yet another way of in which booting into an alternate OS can be helpful. One could also boot into say a Linux boot disk and carry out the same procedure.

Extracting Hashes from the SAM

If you have administrator privileges on a Windows NT system, then you could easily dump the password hashes from the SAM hive in the registry into a UNIX password file format. (The format followed by the /etc/passwd file)

The most commonly used utility, which can accomplish this task, is pwdump. The newer versions of L0phtCrack again have a built in feature, which extracts hashes directly from the registry.

So how can one protect the SAM hive from getting dehashed? (Is that a word?) Until Service Pack 2 was released, Windows NT was using a 40-bit encryption key. However, this was easily and widely cracked. With the release of Service Pack 2, a nifty feature was introduced which was aimed at enhancing the SAM encryption. It was called SYSKEY. It replaced the original 40-bit encryption key with the 128-bit encryption key. One can run SYSKEY by the following the below process:

Click on Start > Run

Type ‘syskey’ (without the quotes) in the space provided.

Both pwdump and L0phtCrack fail to surpass the encryption key established by SYSKEY. So is a system with SYSKEY established not vulnerable to being dehashed? Well, no. Pwdump2, which is a sort of a sequel to pwdump is easily able to surpass SYSKEY’s enhanced encryption key.

*********************

HACKING TRUTH: Ok, I am really scared, is there any way in which I can make the task of the attacker a bit difficult. Well yes. If the attacker is using L0phtcrack, then performing the following trick can help to a great extent. You see, L0phtcrack does not show Nonprintable ASCII characters. What I mean by that is if certain Nonprintable ASCII characters are places in a password, then they are not showed when viewed in L0phtcrack. Some examples of Nonprintable ASCII characters are: (NUM LOCK) ALT-255 or (NUM LOCK) ALT-129

********************

Other Popular NT holes

Besides playing with the SAM, the most widely used NT exploit, is the getadmin exploit. It is basically a utility, which adds a user to the local Administrator group. It uses a process called DLL injection to edit a process (winlogin), which has the ability to add users to the Administrator group. For complete details and information regarding the ‘getadmin’ exploit visit: http://www.ntsecurity.net/security/getadmin.htm

A post SP-3 hotfix has fixed the ‘getadmin’ hole. For more information regarding the fix and the exploit, read Knowledge Base article Q146965.

Another popular Windows NT exploit is the ‘sechole’ exploit. It too has working similar to the ‘getadmin’ exploit and adds a user to the Administrator group. . For complete details and information regarding the ‘getadmin’ exploit visit: http://www.ntsecurity.net/security/sechole.htm One can easily fix the sechole hole by following fix made available by Microsoft. For more details read Knowledge Base article Q190288.

Well, that is all for now. Till next time, bye.

___________

Have you sent me an email, which I haven’t replied yet? Well, this kindly read following:

I apologize for not being able to get back to you. But, I assure you I will reply to you as soon as possible, please bear with me. In order to release the congestion of emails, you can now contact me via Instant Messaging Software. I use MSN Messenger and the email address which I use is: ankit_fadia@hotmail.com (Do Not send mail to this address. I do not check this account.) . Simply download MSN Messenger or a Multi Messenger Platforms software and search for the above email address and add it to your contact list. Then the next time I am online you will be informed and you can post your question ot me. However, that doesn’t mean I will not be answering my emails. I try and answer all my emails except questions like How to Hack Hotmail etc. However, most of the times my replies come real slow. Sorry. J

Add to My AOL Add to Google Reader or Homepage Add to netomat Hub I heart FeedBurner Subscribe in NewsGator Online Subscribe in a reader

1 comments

  1. Anonymous // January 18, 2013 at 2:01 PM  

    top [url=http://www.c-online-casino.co.uk/]uk casinos[/url] hinder the latest [url=http://www.realcazinoz.com/]casino bonus[/url] manumitted no store bonus at the leading [url=http://www.baywatchcasino.com/]casino
    [/url].