Can LC3 decipher passwords on a machine with SYSKEY installed such as Win2K?

MrWhiteUK

Senior member
May 13, 2001
625
0
0
This is a copy/paste from the documentation of LC3 (l0phtcrack3):


<< this approach will not allow you to obtain password hashes from most Windows 2000 systems, as Windows 2000 uses SYSKEY by default. SYSKEY was introduced in Windows NT Service Pack 3, but was not turned on by default, so SAM access works on most Windows NT systems. SYSKEY provides an additional layer of encryption to password hashes. Interestingly, you can't tell by looking at the SAM or at the password hashes whether they've been encrypted with SYSKEY or not. LC3 cannot crack SYSKEY-encrypted password hashes. >>


I have recently taken an interest in Windows security and decided to take a look at l0phtcrack as it is mentioned frequently at NT security sites.

Now on the main page for LC3 it says support for machines w/ SYSKEY but looking at the manual it says otherwise.

What confuses me more is I am able to retrieve my Admin password from the SAM file just using the dictionary search. I chose a simple word likely to be in the dictionary to test and it found it in about 30 secs.

Windows 2000 has the advanced encryption algorithm SYSKEY by default doesn't it? So why does it work on my comp?

Also is Windows 2000 vulnerable to the 'GetAdmin' program?


Many thanks.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Syskey, as implemented in NT4 was pretty laughable. To get it into a format that LC2.5 could read required the use of their utility: pwdump2, instead of the older pwdump.

Since LC3 was able to crack your pword, then clearly, syskey is irrelevant. (In our testing we showed syskey to be an almost laughable security measure, even in password prompt mode.)

On "GetAdmin", I don't remember. I don't think so, but I haven't researched it (yet).

--Woodie
 

MrWhiteUK

Senior member
May 13, 2001
625
0
0
I just went back and double checked what I had done and realised I was not retrieving the password hashes from the SAM file but from the system (registry?), which needs admin privileges. I tried importing the SAM file from the /REPAIR dir and it didn't come up with a password. I also went into DOS (I use FAT32), copied the SAM file from the C:\Winnt\System32\Config dir, booted back into Windows and imported the SAM file into LC3: nothing.

So LC3 does have trouble with SYSKEY on my machine.

I then looked at PWDUMP3 at their site which supposedly, like you said, can retrieve hashes even if SYSKEY is used, compatible with LC. PWDUMP needs admin privileges.

So am I correct in saying it is impossible (very difficult?) to retrieve passwords on a win2k (or NT w/SYSKEY) machine WITHOUT admin rights?

I hope I am not overstepping the mark as to what is considered hacking.

Thanks for the input, much appreciated.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
LC was always dependent on the user's ability to capture the SAM. Normally, yes, only an Admin can get to those files, and the active one can't be grabbed while it's in use.

The key is to get to the repair directory, or any other directory that a SysAdmin saves old copies of the SAM to. Those tend to not be restricted to the Administrators group, since often that group is not available, which is why you have the backup. Restore an old SAM from a tape backup or something like that, and you now have access to the SAM, w/o being a local admin.

As you stated, getting the SAM w/o Admin is more difficult, but it is certainly not impossible.

I'll venture a guess here: LC is used primarily by SysAdmins, who are using it to check the strength of users' passwords. It's very impressive to walk in to a CIO's office, and say: "I cracked 80% of your user passwords, and 100% of your Administrator's passwords in 12 minutes."

--Woodie
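The practical point of the post above is that offline copies of the SAM (the repair directory, or wherever an administrator keeps backups) are what let someone get at the hashes without admin rights, so the defensive check is to confirm who can actually read those copies. The PowerShell audit below is an added example, not part of this thread and not a tool from LC3 or pwdump: it walks the paths the thread names (the repair directory and System32\config under %SystemRoot%) plus any backup folders you pass in, and reports every principal other than Administrators and SYSTEM that holds read access. The final SYSKEY-mode lookup uses the Lsa\SecureBoot registry value as I remember it (1 = key in registry, 2 = startup password, 3 = key on floppy); treat that mapping as an assumption and confirm it against your own reference.

```powershell
# Added example (not from the thread): audit who can read offline SAM copies.
# Assumes a Windows host with PowerShell and that the interesting files are the
# ones the thread names; pass extra backup locations via -ExtraPaths.
param(
    [string[]] $ExtraPaths = @()
)

# Principals that are expected to be able to read SAM/SYSTEM copies.
# Any other principal with read access is reported as a finding.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

$candidates = @(
    (Join-Path $env:SystemRoot 'repair\sam'),
    (Join-Path $env:SystemRoot 'repair\system'),
    (Join-Path $env:SystemRoot 'System32\config\SAM'),
    (Join-Path $env:SystemRoot 'System32\config\SYSTEM')
) + $ExtraPaths

$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "absent  : $path"
        continue
    }
    try {
        # Get-Acl reads the security descriptor; on the live hive files this
        # itself needs admin rights, which is the expected (good) outcome.
        $acl = Get-Acl -LiteralPath $path
    } catch {
        Write-Output "noacl   : $path ($($_.Exception.Message))"
        continue
    }

    # Keep only Allow entries that grant ReadData (FullControl includes it)
    # to someone outside the trusted list.
    $findings = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }

    if ($findings) {
        foreach ($f in $findings) {
            Write-Output ("READABLE: {0} by {1} ({2})" -f $path, $f.IdentityReference, $f.FileSystemRights)
        }
    } else {
        Write-Output "ok      : $path (read limited to $($trusted -join ', '))"
    }
}

# SYSKEY mode. The thread notes you cannot tell from the SAM itself whether
# SYSKEY is on; the Lsa\SecureBoot value is where the mode is recorded
# (assumption from memory: 1 = key in registry, 2 = startup password,
# 3 = key on floppy).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SecureBoot -ErrorAction SilentlyContinue
if ($lsa) {
    Write-Output "syskey  : SecureBoot = $($lsa.SecureBoot)"
} else {
    Write-Output "syskey  : SecureBoot value not present"
}
```

Run it as an ordinary user first: every line should come back as `absent`, `noacl` or `ok`. A `READABLE` line for a repair-directory or backup copy is exactly the exposure the post describes, and the fix is to restrict those copies (and any tape or file-share backups of them) to Administrators and SYSTEM.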
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Forgot to address "hacking":

If you are working on a device that you own, you're probably OK. If you don't own it, but are responsible for it, you're in a gray area. The "right" way is to tell the owner of the machine that you'd like to do this, and get their permission. That would move your activities into the category of "ethical hacking".

I do this quite frequently at work (it's my job), but I can't do anything until I get permission from my boss or the "owner" of the device.

I hope this helps.

--Woodie
 

MrWhiteUK

Senior member
May 13, 2001
625
0
0
I can retrieve the SAM file from two separate places on my machine without admin rights, one in the repair directory and the other by booting into DOS and copying to a disk from the config dir.

The problem is LC3 can't crack them (due to SYSKEY?).

PWDUMP supposedly does away with SYSKEY encrypted hashes but that needs admin rights.

So is there any way to crack passwords on a comp w/SYSKEY without Admin rights? I can't seem to do it.

This is only a bit of extra knowledge for me btw mister moderator, I'm not hacking into anything! Well my own comp.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I'd have to try it... but copy the SAM to another computer. Log in as admin to that comp, and try pwdump again. Doesn't pwdump run against the active SAM, rather than a file? I don't have the doc in front of me.

--Woodie
 