Solved

SAM / Recover Password

Posted on 2009-02-16
332 Views
Last Modified: 2012-05-06
Consider a criminal who has stolen a corporate laptop. What techniques do hackers use these days to get hold of the actual password for the PC's local users/profiles? The laptop runs XP and, when on the network, logs into our Active Directory. I have read that local user passwords live in the SAM hive.

Fortunately, we have not had any laptops stolen (yet), and we are looking into disc encryption. We can engage an external pen tester to see how susceptible our group policies are to passwords being obtained by a malicious source. But if I could find out which settings help protect a user's password, that would be a good starting point.
Question by:pma111
8 Comments
 
LVL 16

Assisted Solution

by:speshalyst
speshalyst earned 300 total points
ID: 23650555
This should help you get started:
http://support.microsoft.com/kb/310105/
0
 
LVL 35

Accepted Solution

by:Joseph Daly
Joseph Daly earned 700 total points
ID: 23650839
My favorite tool for finding passwords is either NT Offline password recovery or the Ophcrack live CD.

You've probably heard of NT Offline; it lets you change or blank out a local password.
http://home.eunet.no/pnordahl/ntpasswd/

This functionality is also available in tools like ERD Commander, Ultimate Boot CD, or BartPE CDs.

My favorite tool is the Ophcrack live CD. This will actually go through the SAM and try to uncover the plaintext of the password. The free live CD will only work on weak passwords (no special characters), but you can get tables that cover all characters.
http://ophcrack.sourceforge.net/
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23650867
Also, I forgot to mention that it is not really necessary for them to break the password to get to the files. They can simply use a live Linux CD to go in and browse any directories on the computer. As mentioned above: BartPE, Knoppix, and any other live CD distribution out there.

They could also simply take the hard drive out of the laptop/desktop and slave it into another system. Then it acts just like any other storage device.
0
 
LVL 3

Author Comment

by:pma111
ID: 23651948
Is there anything that would prevent any of the above-mentioned cracking techniques?

Interesting that you mention slaving. I did think about a cracker just adding it onto their ribbon cable and setting the jumpers to slave, but I wasn't sure if the NTFS permissions / share permissions remained in place though?
0
 
LVL 3

Author Comment

by:pma111
ID: 23651975
And can you use the boot CDs you mention to copy files out to an attached storage drive, or just browse directories?
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23670280
Well, in regards to your questions:

1. As far as I know there isn't really a defense against the NT offline password recovery. The link speshalyst posted may be able to defeat it, but I do not have any experience testing against it.

2. The rainbow table attack can be minimized, although not completely defeated. Basically, the longer and more complex the password, the larger the rainbow table needs to be to expand all of those possible combinations. The following link, while not specific to Windows, will give you an idea of the sizes of rainbow tables needed for certain character sets. I have seen Windows cracking tables on torrent sites where some are larger than 50, 100, 150 GB.
http://www.rainbowtables.net/products.php#LM

3. I think that when you slave the drive you may be able to access the files regardless of the NTFS permissions. However, I may be wrong on this.

4. With bootable CDs you can copy the files to other media, whether it is a USB stick, USB HDD, or network share, and some even come with CD/DVD burning utilities. I know for sure that NTFS permissions are completely disregarded when using most of these, as a lot are Linux based.

Hope this helps.
0
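Point 2 above says that a longer, more complex password forces a larger rainbow table. The example below is an added illustration, not code from the thread or from any of the tools it mentions: it models the number of candidate passwords an offline attacker with a copy of the SAM has to cover, and contrasts the NT hash (full length and character set) with the LM hash, which upper-cases the password and hashes two 7-byte halves independently. The character-set table is constructed for the example; the LM and NT hash properties are as Windows implements them. The practical consequence for a defender is that length and complexity only buy you anything for the NT hash; as long as an XP machine still stores LM hashes (it does by default for passwords of 14 characters or fewer, unless the "Do not store LAN Manager hash value on next password change" policy is enabled), the LM half of the SAM bounds the attacker's work at two 7-character, case-folded searches no matter how good the password is.

```python
"""Added illustration (not from the thread): how password length, character
set and hash format bound the offline search against a copied SAM.
Values are candidate-password counts, i.e. how many passwords a brute-force
run or rainbow table must cover, not table sizes in bytes."""

from typing import Optional


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over a charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


# Constructed table: (symbols in the set, how many of them are lowercase letters)
CHARSETS = {
    "digits": (10, 0),
    "lowercase": (26, 26),
    "lower+digits": (36, 26),
    "upper+lower+digits": (62, 26),
    "printable ASCII": (95, 26),
}


def ntlm_search_space(charset_size: int, password_len: int) -> int:
    """NT hash (MD4 over the UTF-16LE password): no truncation and no case
    folding, so the search grows with the full length and character set."""
    return keyspace(charset_size, password_len)


def lm_search_space(charset_size: int, lowercase_count: int,
                    password_len: int) -> Optional[int]:
    """LM hash: password upper-cased, null-padded to 14 bytes, split into two
    7-byte halves that are hashed separately. Each half can be attacked on
    its own, so the work is bounded by two 7-character searches over the
    case-folded charset regardless of length. Passwords longer than 14
    characters get no LM hash at all, reported here as None."""
    if password_len > 14:
        return None
    folded = charset_size - lowercase_count  # lowercase letters fold into uppercase
    return 2 * keyspace(folded, 7)


def compare(charset_name: str, password_len: int) -> dict:
    """Candidate counts for one policy choice, for both hash formats."""
    size, lower = CHARSETS[charset_name]
    return {
        "charset": charset_name,
        "length": password_len,
        "ntlm_candidates": ntlm_search_space(size, password_len),
        "lm_candidates": lm_search_space(size, lower, password_len),
    }


def main() -> None:
    print(f"{'charset':<22}{'len':>4}{'NT candidates':>24}{'LM candidates':>20}")
    for name in CHARSETS:
        for length in (7, 8, 14, 15):
            row = compare(name, length)
            lm = row["lm_candidates"]
            lm_text = f"{lm:,}" if lm is not None else "no LM hash"
            print(f"{name:<22}{length:>4}{row['ntlm_candidates']:>24,}{lm_text:>20}")


if __name__ == "__main__":
    main()
```

Running the script prints one row per character set and length; reading down the LM column shows the same number for lengths 7, 8 and 14, which is the whole point: until LM storage is turned off (or passwords exceed 14 characters), the rainbow-table size the attacker needs does not grow with the policy.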
 
LVL 3

Author Comment

by:pma111
ID: 23671057
I'll get reading on the slave / master thing. Thanks for your advice. I will try and get some of these Linux discs and see what's what on them.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 23671191
I'd recommend Knoppix and Ultimate Boot CD 4 Windows. I have used these in the past. I know they have file browsers and can remove data from drives. The Ultimate Boot CD has an unlocker program, I believe. Once you start looking at the live CDs I'm sure you'll find some with hacking abilities.
0