Posted: Fri Jul 06, 2012 4:01 pm Post subject: User not present in SAM
Hi guys!
I'm new to Computer Forensics and I have encountered an issue that some of you may find really trivial. Nevertheless... I am trying to extract users passwords hashes from the SAM file I got off the machine under investigation. The problem is that I only see three accounts in the SAM file:
Administrator
Guest (not active)
ASPNET
And I can't see the main user's account - the one I need to find the password to! Why is this account not in the SAM file? Where can I find it and the hash of its password?
PS: to examine the SAM file I have been using "SAMInside" and "Cain and Abel" - both programs see ONLY the three users listed above, and none see the user I need.
Posted: Fri Jul 06, 2012 5:35 pm Post subject: Re: User not present in SAM
dttafor wrote:
And I can't see the main user's account - the one I need to find the password to! Why is this account not in the SAM file? Where can I find it and the hash of its password?
SAM is what defines user accounts on a Windows system ... if you don't find the account where you are looking, it is not a current account on the system. (It may have been one in the past, though.)
Alternatively ... you're looking in the wrong place. The account you want to find is perhaps not a local account, but a domain account. In that case, you'll find the relevant SAM on the domain controller.
Posted: Mon Jul 09, 2012 9:29 am Post subject: Re: User not present in SAM
athulin wrote:
Alternatively ... you're looking in the wrong place. The account you want to find is perhaps not a local account, but a domain account. In that case, you'll find the relevant SAM on the domain controller.
Thanks for your prompt reply and I apologize for not getting back to you over the weekend.
Most probably, you are right and it is a domain account, because this is a user in a large corporate office and these accounts are all created centrally by the IT department. Nevertheless, the question persists: if the hash for the password is not in the local SAM file, where can this hash be found locally on the machine?
It is certain that the hash of the password is present on the machine, because the user can log in to the system even when the laptop is offline. We don't have access to the SAM of the domain controller, therefore we have to find the hash on the machine.
Any help/links to knowledge on this issue will be appreciated.
Thank you.
One of many Technet articles on cached credentials.
Thank you for the link, the info looks useful to understand the underpinning principles but it does not pinpoint the system location to look at. Maybe you are aware of other knowledge that can point directly to where the hash is stored?
I tend to rely on Encase for extracting this information -- alternatively tools like dumpcache etc. I think Cain (from oxid . it) allows for importing cached passwords from registry hives as well, but it's ages since I used it, as it is difficult to export data from Cain.
athulin, thanks so much for your help!
The domain user was indeed in the indicated keys
HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10
And the link on domain cached passwords was very very helpful. Especially the "Network Password Recovery Wizard" program. Even the trial version retrieves the hash for you, which I am going to decrypt in another program now.
I just have three minor questions left now:
1. Cain and Abel requires txt input of hash in the following format:
Username:RID:LMHash:NTLMHash::
where RID is the relative identifier (RID). When I retrieve hash from the SAM file using SAMInside, it indicates the RID right there. For example, admin's RID is always 500 and the guest user's RID is 501.
But when I use NPRW, it doesn't have a column "RID", but instead has "User ID" - please see images below.
Therefore, I wanted to ask whether RID and User ID are the same thing. If not, then where do I find the RID for domain users?
2. More importantly, could somebody please recommend me a free tool for decrypting an NTLM hash via brute force? I was planning on using Cain and Abel, but it lacks smart brute force decryption. What I mean is that I know that the password starts with the letter "R", followed by 5-6 non-capital letters, and the last two symbols are a digit and an exclamation mark. I'm looking for a tool that would allow me to specify this format of the password (i.e. the types of symbols not only for the whole password, but for every symbol of the password separately), and hence reduce the number of combinations to be tested.
3. Likewise, I would greatly appreciate directions toward the best tool for NTLM decryption via dictionaries and the best tool for NTLM decryption via rainbow tables. Also, preferably free tools.
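Two of the points raised in this post, the `Username:RID:LMHash:NTLMHash::` input format and the idea that a known password structure shrinks the search space, can be illustrated without any cracking tool. The Python below is an added example written for this thread, not code from Cain, SAMInside or NPRW: it parses and validates lines in the format quoted above (RID must be numeric, both hash fields must be 32 hex characters), flags audit findings a defender cares about (a stored LM hash, an empty NT hash, the well-known RIDs 500 and 501), and computes how many candidates a per-position structure such as "R + 5-6 lowercase + digit + !" actually leaves. The sample dump lines and the non-empty hash values in them are constructed placeholders; the two constants `EMPTY_LM` and `EMPTY_NT` are the public Windows values. One caveat for the cached-domain-logon case discussed earlier in the thread: the verifier recovered from the `NL$` cache is an MS-Cache value derived from the NT hash and the lowercase username, not the NT hash itself, so it does not belong in the NTLMHash field of this format.

```python
import re
from dataclasses import dataclass
from itertools import product

# Public Windows constants (not taken from the thread):
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the Username:RID:LMHash:NTLMHash:: format quoted in the
# thread. The non-empty hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::
ASPNET:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210::
"""


@dataclass
class HashRecord:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump_line(line):
    """Parse one Username:RID:LMHash:NTLMHash:: line; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"expected at least 4 colon-separated fields: {line!r}")
    username, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not username:
        raise ValueError("empty username")
    if not rid.isdigit():
        raise ValueError(f"RID must be a decimal integer, got {rid!r}")
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("LM and NT hash fields must each be 32 hex characters")
    return HashRecord(username, int(rid), lm, nt)


def is_valid_line(line):
    """True if the line parses, False otherwise (convenient for bulk checks)."""
    try:
        parse_pwdump_line(line)
        return True
    except ValueError:
        return False


def audit_record(rec):
    """Return the list of findings for one account, in a fixed order."""
    findings = []
    if rec.lm_hash != EMPTY_LM:
        # LM hashing is legacy and far weaker than NT; its presence is a finding.
        findings.append("LM hash stored (legacy, weak)")
    if rec.nt_hash == EMPTY_NT:
        findings.append("empty password")
    if rec.rid in WELL_KNOWN_RIDS:
        findings.append(f"well-known RID {rec.rid} ({WELL_KNOWN_RIDS[rec.rid]})")
    return findings


def audit_dump(text):
    """Map username -> findings for every non-blank line of a dump."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_pwdump_line(line)
            results[rec.username] = audit_record(rec)
    return results


def structured_keyspace(segments):
    """Count candidates for a password built from segments of (class_size, min_len, max_len).

    Example: "R" + 5-6 lowercase letters + one digit + "!" is
    [(1, 1, 1), (26, 5, 6), (10, 1, 1), (1, 1, 1)].
    """
    total = 0
    for lengths in product(*[range(lo, hi + 1) for _, lo, hi in segments]):
        candidates = 1
        for (size, _, _), length in zip(segments, lengths):
            candidates *= size ** length
        total += candidates
    return total


if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings) or 'no findings'}")
    pattern = [(1, 1, 1), (26, 5, 6), (10, 1, 1), (1, 1, 1)]
    print("candidates for the stated structure:", structured_keyspace(pattern))
    print("candidates for any 8-9 printable chars:", structured_keyspace([(95, 8, 9)]))
```

The keyspace comparison is the defender's takeaway: a password that follows a guessable template is a few billion candidates, while an unstructured one of the same length is many orders of magnitude larger, which is why a password policy should forbid predictable shapes rather than just require a digit and a symbol.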
Joined: Nov 01, 2005 Posts: 435 Location: Marion, Indiana, USA
Posted: Fri Jul 20, 2012 11:44 am Post subject:
With the time you have been spending on trying to find an app that would allow you to specify the format as such, you could have already used a set of rainbow tables and cracked it.
Does this mean that the preferred method is rainbow tables? Are they more efficient?
Posted: Mon Jul 23, 2012 11:03 am Post subject:
I am sincerely concerned about your situation. If there is any chance at all of a case landing in court, your lack of knowledge to this point is going to make anything you try to present as evidence questionable at best. You should really consult with a local colleague and get them to help you even if that means turning the case over to them. It is quite obvious that you are in way over your head here.
Yes, that's because I'm learning. This is not a court case. I thought I could get some advice on this forum that would direct my skill development. Is it that much to ask?
People are plenty willing to assist, however it is exasperating to not get all the facts up front.
What facts are you implying??
All I'm asking is to direct me to a tool that can do this:
Quote:
could somebody please recommend me a free tool for decrypting an NTLM hash via brute force? I was planning on using Cain and Abel, but it lacks smart brute force decryption. What I mean is that I know that the password starts with the letter "R", followed by 5-6 non-capital letters, and the last two symbols are a digit and an exclamation mark. I'm looking for a tool that would allow me to specify this format of the password (i.e. the types of symbols not only for the whole password, but for every symbol of the password separately), and hence reduce the number of combinations to be tested.
Posted: Tue Jul 31, 2012 11:36 am Post subject:
The biggest problem you are going to find with your software request involves the word "free". What you are seeking requires complex algorithms and a whole lot of development and testing time. Just forget the "smart" part and crack it with something like ophcrack that uses rainbow tables.
I would be happy to write you a "smart" password cracking tool, but I seriously doubt you would be willing to cover the development costs.