Password Cracking: Windows

On Windows the local account password hashes are stored in the SAM registry hive, under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users (HKEY_LOCAL_MACHINE\SECURITY\SAM is a link to the same key); on disk this is %SystemRoot%\System32\config\SAM. The key is not readable even by Administrators by default, and since NT 4 SP3 the hashes inside it are additionally encrypted with the SYSKEY, which is derived from the SYSTEM hive, so a copy of the SAM file alone is not enough to recover them.

The NT 4 RDISK utility, when run as rdisk /s, also writes a compressed backup copy of the SAM to %SystemRoot%\repair\sam._ (decompress it with expand sam._ sam). Unlike the live SAM file this copy is not locked by the system and has historically been readable by ordinary users, so it should be protected or removed once the repair disk has been made.

Password cracking using pwdump 

pwdump is the name of a family of Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM). To work, it must be run from an Administrator account, or be able to reach an Administrator account on the computer whose hashes are to be dumped; pwdump therefore does not bypass any security boundary on its own, it only reads what an administrator could already read.

LM - The LM hash is one of the formats that Microsoft LAN Manager and Windows versions before Windows Vista use to store user passwords of fewer than 15 characters. The password is upper-cased, padded with NUL bytes to 14 bytes and split into two 7-byte halves; each half is used as a DES key to encrypt the constant string KGS!@#$%, and the two 8-byte results are concatenated. Because case is lost and the halves are hashed independently, each half can be cracked on its own, and a half that comes out as aad3b435b51404ee is known to be empty (so a password of 7 characters or fewer is visible from the hash alone).

NTLM - The NT hash (usually labelled NTLM in dump output) is the MD4 digest of the password encoded as UTF-16LE; it is case-sensitive, unsalted and has no 14-character limit. NTLM proper is the challenge-response authentication protocol built on that hash, used for example to authenticate logons to standalone Windows 2000 computers, in which the client proves knowledge of the hash without sending the password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication).

pwdump dumps Windows NT password hashes, one account per line, in the format:
(user):(id):(lanman pw):(NT pw):comment:homedir:

USER - user name on Windows NT
ID - Windows NT RID (relative ID), the last 32-bit component of the user's SID
Lanman PW - the user's LAN Manager password hash (32 hex digits)
NT PW - the user's Windows NT (MD4) password hash (32 hex digits)

If the account has no password, the hash field is printed as 'NO PASSWORD*****' (padded with asterisks to the width of a hash) instead of a hash.
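The two hash formats described above and the pwdump line format, worked through in code. This is an added example, not pwdump's own code: it parses constructed sample lines, reports what the LM/NT fields reveal before any cracking (no password, empty password, a second LM half equal to the empty-half constant, no LM hash stored), and runs a dictionary check against the unsalted NT hash by recomputing MD4 over the UTF-16LE candidate. MD4 is implemented inline because hashlib's md4 is missing from many OpenSSL 3 builds; the LM values in the sample are illustrative and only the NT values are computed.

```python
"""Parse pwdump output and check the dumped hashes offline.
Added example, not pwdump's own code; the sample lines are constructed.
MD4 is implemented inline because hashlib's md4 is absent from many OpenSSL 3 builds.
"""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM_HALF = "aad3b435b51404ee"             # DES(key = 7 NUL bytes, "KGS!@#$%")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty string

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(b,c,d), words in order, shifts 3,7,11,19. After each step the
    # roles rotate so that the next step updates what was d.
    for i in range(16):
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G(b,c,d), words 0,4,8,12,1,5,..., shifts 3,5,9,13.
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        a = _rotl((a + g + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H(b,c,d), words 0,8,4,12,2,10,..., shifts 3,9,11,15.
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):
        h = b ^ c ^ d
        a = _rotl((a + h + X[order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]

def md4(data):
    """RFC 1320 MD4 digest (16 bytes)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT hash (hex): MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()

def parse_pwdump_line(line):
    """Split a user:rid:lm:nt:comment:homedir: line into a dict."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    fields += [""] * (6 - len(fields))
    return {"user": fields[0], "rid": int(fields[1]), "lm": fields[2].lower(),
            "nt": fields[3].lower(), "comment": fields[4], "homedir": fields[5]}

def analyze(entry):
    """What the hash fields reveal before any cracking is attempted."""
    if entry["lm"].startswith("no password") or entry["nt"].startswith("no password"):
        return "no password set"
    if entry["nt"] == EMPTY_NT:
        return "empty password"
    if entry["lm"] == EMPTY_LM_HALF * 2:
        return "no LM hash stored (password of 15+ characters or LM storage disabled)"
    if entry["lm"][16:] == EMPTY_LM_HALF:
        return "password is 7 characters or fewer (second LM half is empty)"
    return "LM hash present: two 7-character halves, crackable independently"

def crack_nt(entry, candidates):
    """Dictionary check against the unsalted NT hash: one MD4 per guess."""
    for pw in candidates:
        if nt_hash(pw) == entry["nt"]:
            return pw
    return None

# Constructed sample dump. NT fields are computed here so the lines are
# self-consistent; the LM fields are illustrative, not claimed to be real hashes.
SAMPLE = "\n".join([
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:%s:Built-in account:/home/Administrator:"
    % nt_hash("password"),
    "Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Guest account::",
    "svc_backup:1001:%s:%s:::" % (EMPTY_LM_HALF * 2, EMPTY_NT),
    "jsmith:1002:e52cac67419a9a22%s:%s:J. Smith:/home/jsmith:" % (EMPTY_LM_HALF, nt_hash("passwor")),
])

def report(dump=SAMPLE, wordlist=("123456", "password", "passwor", "letmein")):
    """Map user -> (finding, cracked password or None)."""
    return {e["user"]: (analyze(e), crack_nt(e, wordlist))
            for e in map(parse_pwdump_line, dump.splitlines())}

if __name__ == "__main__":
    for user, (finding, cracked) in report().items():
        print("%-14s %-70s cracked=%r" % (user, finding, cracked))
```

Running the script prints one line per account; svc_backup is reported as an empty password without any guessing, jsmith's LM field shows the password is at most 7 characters before the dictionary confirms it, and the Administrator hash falls to the wordlist because the NT hash is unsalted and one MD4 per guess is all the work required.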

To use pwdump:
Everyone has their own way of using pwdump. The procedure it was written for is replicating NT accounts and their hashes onto a Samba server running on another OS, which works as follows.

1. Create regular UNIX users (in /etc/passwd) with the same UNIX uid numbers as their NT RIDs; this makes replication of the smbpasswd file much easier later on.
(These /etc/passwd entries can have disabled password fields, which stops the NT users from logging on to the UNIX box via telnet but does not stop them using the Samba box as a file server through Samba.)
 
2. Copy the generated smbpasswd file to $SAMBA/private/smbpasswd (where $SAMBA is the base directory Samba was installed into). If Samba is set up for user-level security and encrypted passwords
(security = user and encrypted passwords = yes in smb.conf), then Windows NT / 95 users who have logged on to the NT domain will be able to access the resources on the Samba box transparently, as the UNIX user ids you created in step 1.

3. You can then set up an AT job on the NT server to periodically dump the NT password database into a new smbpasswd file and copy it to the Samba server to keep the two password databases in sync. The copy must go over an encrypted channel and the file must be readable only by root on the Samba side, since it contains every user's hashes.
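Step 1 of the procedure, building /etc/passwd entries whose uid equals the NT RID, as an added example that is not part of the page or of Samba. It reads constructed pwdump output and a constructed existing /etc/passwd, emits entries with a disabled password field, and skips any account whose name or RID is already in use, because silently reusing a uid would hand the NT user ownership of another UNIX user's files. The home directory layout, the nologin shell and a per-user group numbered like the uid are assumptions.

```python
"""Build /etc/passwd entries whose uid is the NT RID (step 1 above).
Added example, not from the page or from Samba; the pwdump output and the
existing /etc/passwd content are constructed. Assumed layout: home under
/home, no interactive shell, a per-user group numbered like the uid.
"""
HOME_BASE = "/home"
SHELL = "/usr/sbin/nologin"

def pwdump_accounts(dump_text):
    """Yield (user, rid, comment) from user:rid:lm:nt:comment:homedir: lines."""
    for line in dump_text.splitlines():
        f = line.split(":")
        if len(f) < 4 or not f[1].isdigit():
            continue                      # blank or malformed line
        yield f[0], int(f[1]), f[4] if len(f) > 4 else ""

def passwd_index(passwd_text):
    """Names and uids already present in /etc/passwd."""
    names, uids = set(), set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3:
            names.add(f[0])
            uids.add(int(f[2]))
    return names, uids

def passwd_entries(dump_text, passwd_text):
    """Return (new_entries, skipped). The password field is '*', so the account
    cannot log in locally; Samba authenticates it from smbpasswd instead.
    A user is skipped when its name or its RID is already taken."""
    names, uids = passwd_index(passwd_text)
    new, skipped = [], []
    for user, rid, comment in pwdump_accounts(dump_text):
        if user in names or rid in uids:
            skipped.append((user, rid))
            continue
        names.add(user)
        uids.add(rid)
        new.append("%s:*:%d:%d:%s:%s/%s:%s" % (user, rid, rid, comment, HOME_BASE, user, SHELL))
    return new, skipped

# Constructed pwdump output (empty-password hashes used as placeholders) and a
# constructed /etc/passwd in which uid 1002 is already taken.
DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:Built-in account:/home/Administrator:
jsmith:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:J. Smith::
bjones:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:B. Jones::
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bjones:x:1002:1002:Bob Jones:/home/bjones:/bin/sh
"""

if __name__ == "__main__":
    new, skipped = passwd_entries(DUMP, PASSWD)
    print("\n".join(new))
    for user, rid in skipped:
        print("skipped %s (RID %d): name or uid already in /etc/passwd" % (user, rid))
```

The emitted lines are appended to /etc/passwd by the administrator (or fed to useradd with -u set to the RID); the skipped list is the part worth reading, since a RID that collides with an existing uid has to be resolved by hand rather than by overwriting.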

The pwdump.exe utility can take a \\machinename argument; it will then dump the password database from that machine instead of the local one, provided it has sufficient privileges there. By default it dumps the password database of the local machine.

To download the pwdump.exe program click here

To download the source code of pwdump click here
