Recovering password from SAM file (Win200)

Hornet

Hi all,

I'm emulating a Windows 2000 SP3 virtual server using VMWare, and the one and only account is being protected by password, intentionally. It is an assignment task actually, for us to find out any vulnerabilities of this virtual server, and if possible, gain access into it.

The tools my lecturer provided are for brute force password cracking, which I doubt will work as we don't even know the length of it.

So I was wondering if there is any way to extract or read the SAM file from this virtual server and recover the password from it?

Thank you very much.:)
 
Is the assignment to find the password? Because I don't believe that's possible. IIRC, the SAM file stores a hash of the password. And since the hashing operation is asymmetrical, you can't readily 'decrypt' it.

You could overwrite the SAM file (after backing up the one already on machine) and set your own password to get in. And then rewrite the old one back when you're finished.

But that's not a vulnerability ANY operating system can protect itself against.
 
Brute force cracking of a password is nowhere near as difficult as it used to be thanks to today's substantially faster hardware. You should be able to leave L0phtcrack running overnight (or many other tools that do the same) and have most of the 8 character keyboard mapped combinations tested against that hash by the time you're drinking your coffee in the morning.

I'm curious if the assignment is more tailored towards using the password cracking tool your lecturer gave you, or if it is more about the actual obtaining of the hash to run the cracker against. If the account that you have access to does not have rights to read the SAM file (and the assignment states that you must treat the VM image as though it were a real, live system), then you'll have to try to get the hashes out of the SAM by other methods.

The only thing that springs to mind immediately for me (used in penetration testing in the past) is SQL server. If it's a win2k box and has a poorly installed SQL server instance on it, you may be able to use that to your advantage. If I recall correctly, visio from the same era installed SQL server under the covers and left a default install as well. The default password for the "sa" account in sql server 2000 was "" (null). This allows you to connect in to the database with the highest privileges that the database allows. The SAM, per its definition (Security Accounts Master DATABASE) is a database. Mount it up and run SQL queries against it to extract the hashes. Google will help you with this.

Good luck.

-q
 
Thank you guys for the reply.

In our assignment instruction, we basically are allowed to use any method of either brute force attack or pre-computed hash attack using Rainbow Tables.
 
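The two points raised in the thread (a hash can't be "decrypted", yet an unsalted hash can be recovered from a precomputed table) are easy to see in a few lines. The following is an added illustration, not code from any poster or from the assignment; it uses SHA-256 over UTF-16LE as a stand-in for the unsalted NT hash (MD4 is not available in many Python builds), a constructed five-word wordlist in place of a real dictionary, and PBKDF2 with a random salt to show why salting and stretching defeat the same precomputed table.

```python
import hashlib
import os

# Constructed stand-in for a dictionary/rainbow-table input (not a real wordlist).
WORDLIST = ["password", "letmein", "qwerty", "hornet05", "summer2005"]


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted password hash (assumption: SHA-256 instead of NT's MD4).

    Like the NT hash, the same password always yields the same digest, and the
    digest is one-way: it cannot be inverted, only matched against candidates.
    """
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext once; this is the principle behind rainbow
    tables (which additionally compress the table with reduction chains)."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest: str):
    """Recover a plaintext from a stolen digest if the table covers it, else None."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and stretched hash (PBKDF2-HMAC-SHA256). Each account gets its own
    salt, so a table built without that salt never matches, and each guess costs
    `iterations` hash evaluations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, iterations).hex()


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted: a digest for any word in the table is recovered instantly.
    stolen_unsalted = unsalted_hash("letmein")
    recovered = lookup(table, stolen_unsalted)

    # Salted: the same password, same table, but the precomputed digests are useless.
    salt = os.urandom(16)
    stolen_salted = salted_hash("letmein", salt)
    not_recovered = lookup(table, stolen_salted)

    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())
```

The takeaway for the defender is the second half: the reason precomputed tables work against Windows 2000's SAM is that LM/NT hashes carry no per-account salt, so a table built once serves against every account and every machine; a salted, iterated scheme forces the attacker back to per-account guessing at a cost the defender controls.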
Gosh, Windows 200 is 1807 years old. Get with the times :D
 