security accounts manager    



<forewords>

this was not written for "good" or "bad" purposes; it was written for greater understanding, please respect that.

that first sentence needs repeating:

THIS WAS NOT WRITTEN FOR "GOOD" OR "BAD" PURPOSES; IT WAS WRITTEN FOR GREATER UNDERSTANDING, PLEASE RESPECT THAT.

network aspects are not yet properly covered. this article is based on a local nt5 pro (windows 2000) system, though much of it will also apply to nt4 and nt5.1 (xp).

directory paths are written as c:\winnt\system32; strictly they should be written as %systemroot%\system32, since the windows directory can be elsewhere.

this article has been written concisely and progressively; it is advisable _not_ to skim read.

while every effort was made to write accurate information, errors may be present. if you notice something that is incorrect, please point it out. just because it is in writing does not mean that it is right.

<legal stuff>

computer security is becoming quite complex in terms of computer and related law; because of this, i have tried to investigate the legality of this research. i believe that it is "probably" legal, based on the following five reasons:

01. i have operated exclusively on my own equipment, with legal software.

02. i have not tried to obtain the source code (i wouldn't understand it anyhow). i have not decompiled or disassembled any binaries. the registry hives are generated databases, not executable programs. i have not cracked any encryption algorithms. findings have been based on trial and error investigations.

03. i have not provided any code or binaries to exploit any possible insecurities. security information is two sided: on one side it could be used to do something illegal; on the other, to prevent something illegal. the reader makes the choice, and i think that honest people would like to know so that they can do something about it.

04. all information contained on this webpage is provided on an "as is" basis, and you, the reader, must understand that the author accepts no responsibility for the use or misuse of any information contained on this webpage. the author will not assist in any illegal activities.

05. although i have foreworded this article with "this was not written for "good" or "bad" purposes; it was written for greater understanding, please respect that", i hope that some "good" will result from it; i have included ways of increasing the security at the end. there is no malicious intent. it is purely research, with the hope of improvement through understanding.

n.b: if you are planning to use any of the information, think about the legality of your actions. in the uk you could be prosecuted under the computer misuse act 1990. for more info: http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

<useful programs>

antexp:
http://www.elcomsoft.com/antexp.html
filemon:
http://www.sysinternals.com/ntw2k/source/filemon.shtml
filewatch:
http://kevin.gearhart.com/filewatch/
lc3:
http://www.atstake.com/research/lc3/
norton ghost:
http://www.symantec.com/sabu/ghost/ghost_personal/
ntfs for dos: (read)
http://www.sysinternals.com/ntw2k/freeware/NTFSDOS.shtml
ntfs for dos: (write)
http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml
ntfs for windows 98: (read)
http://www.sysinternals.com/ntw2k/freeware/ntfswin98.shtml
offline ntpassword & registry editor: (petter nordahl-hagen, this is amazing!!)
http://home.eunet.no/~pnordahl/ntpasswd/
it has just been found that this site is down :-( however a bootable cd version is available here: http://www.dmzs.com/tools/files/
performance test:
http://www.passmark.com
regmon: (quickest software reboot if run in xp?)
http://www.sysinternals.com/ntw2k/source/regmon.shtml
winhex: (stefan fleischmann, this is amazing!!)
http://www.winhex.com/winhex/

<intro>

commonly known as the sam file, it holds the local account database for the machine: usernames, password hashes, group memberships and so on, and is thus important for its purpose.

the file is located at c:\winnt\system32\config\sam, along with the other hives that make up the nt registry. within the registry it is loaded under hkey_local_machine\sam\sam\domains... and there is also a link to the sam hive at hkey_local_machine\security\sam\sam\... nothing will be visible if you browse via regedit: even administrators are denied read access by default (they are only allowed to change the permissions). to view it, use regedt32.exe and change the permissions on hkey_local_machine\sam\sam via security -> permissions. in xp, right click the key for permission options.

at startup the sam hive is loaded after the full screen white windows logo (right after disk checking). if there are any *major* errors in the sam file, the machine will blue screen and reboot at this point.

<entering of users - gui>

nt has two builtin user accounts, administrator and guest, each belonging to its respective group. these accounts cannot be deleted (according to ms), but they can be renamed. by default the guest account is disabled; however, the default security policy allows guest to log on locally if the account is enabled. the builtin administrator account cannot be disabled, but it can be denied local logon via security policy. be aware of that setting, mentioned further down.

users can be added via the add button in "users and passwords" (found in control panel), or via computer management (control panel -> administrative tools, or right click "my computer" and select manage): right click in the right pane of "local users and groups\users" and select new user. the files to run directly are c:\winnt\system32\compmgmt.msc, or for just the users part c:\winnt\system32\lusrmgr.msc. unsure which file provides the users and passwords dialog.

usernames can be >=1 and <=20 characters
usernames can contain letters, numbers, special, extended and control characters
usernames cannot be any names of any groups, of any case
usernames cannot be "authenticated users" nor "interactive", of any case, these usernames already exist - see computer management -> local users and groups -> groups -> users
usernames cannot be duplicated, of any case.

nt5pro (only) has an interesting problem creating an account whose username is the local machine name. on clicking finish, it errors with: "the user "machinename" could not be (granted "group" user access/added to the "group" group) because "machinename" does not exist." however, the user is created, belonging to no group. existing usernames can be renamed to the local machine name.

fullnames can be >=0 and <=255 characters
descriptions can be >=0 and <=255 characters

passwords can be >=0 and <=256 characters
passwords can contain letters, numbers, special, extended and control characters
the minimum length can be raised from 0 to a maximum of 14 characters via security policies. by default users' passwords expire after 42 days; oddly, the builtin administrator and guest accounts are set to never expire. the user gets a prompt at login once the set time is exceeded.

2k has six builtin groups. these groups cannot be removed, though new ones can be added. groups set out what rights each user has when they log on. each user is also assigned a number, the relative identifier (rid), which forms the last part of the account's sid. user numbers start from 3e8/1,000 and increase by one, and are never reused even if users are removed, because permissions (acls) refer to accounts by this number rather than by name. the rid is a 32-bit value, so for nt5 the maximum number of users is about 4 billion.

the group numbers are the rids of the builtin aliases: 0x220 = 544 (administrators), 0x221 = 545 (users), 0x222 = 546 (guests), 0x223 = 547 (power users), 0x227 = 551 (backup operators), 0x228 = 552 (replicator); compare the s-1-5-32-xxx list in the security hive section further down.

group              group no. (hex)  on disk       user no. (dec/hex)
administrators     220              00 00 20 02   builtin: 500/000001f4, else >=1000/000003e8
users              221              00 00 21 02   >=1000/000003e8
guests             222              00 00 22 02   builtin: 501/000001f5, else >=1000/000003e8
power users        223              00 00 23 02   >=1000/000003e8
backup operators   227              00 00 27 02   >=1000/000003e8
replicator         228              00 00 28 02   >=1000/000003e8

group descriptions as shown by the os:
administrators: administrators have complete and unrestricted access to the computer/domain
users: users are prevented from making accidental or intentional system-wide changes. thus, users can run certified applications, but not most legacy applications
guests: guests have the same access as members of the users group by default, except for the guest account which is further restricted
power users: power users possess most administrative powers with some restrictions. thus, power users can run legacy applications in addition to certified applications
backup operators: backup operators can override security restrictions for the sole purpose of backing up or restoring files
replicator: supports file replication in a domain

<structure of the sam file>

the following sam file extracts were taken from a default setup of nt5pro.
"329068152-152049171-854245398" is the sidno. for my machine (the machine sid; user and group sids are this with the user or group number appended).
the sam file forms the following registry structure (values in brackets).
the sam hive by default has two different permission levels, i.e. two security descriptors (sk entries, described further down), referenced by their offset:
p1: 78,00,00,00 -> 00,00,00,78
p2: 78,01,00,00 -> 00,00,01,78

#################################################################################
hkey_local_machine
+-hardware
|-sam (p1)
|  |-sam (c)(p2)
|     |-domains (@)(p2)
|     |    |-account (f,v)(p2)
|     |    |    |-aliases (@)(p2)
|     |    |    |    |-members (@)(p2)
|     |    |    |    \-names (@)(p2)
|     |    |    |-groups (@)(p2)
|     |    |    |    |-00000201 (c)(p2)
|     |    |    |    |-names (@)(p2)
|     |    |    |        |-none (@)(p2)
|     |    |    |-users (@)(p2)
|     |    |        |-000001f4 (f,v)(p2)
|     |    |        |-000001f5 (f,v)(p2)
|     |    |        |-names (@)(p2)
|     |    |            |-administrator (@)(p2)
|     |    |            |-guest (@)(p2)
|     |    |-builtin (f,v)(p2)
|     |         |-aliases (@)(p2)
|     |         |    |-00000220 (c)(p2)
|     |         |    |-00000221 (c)(p2)
|     |         |    |-00000222 (c)(p2)
|     |         |    |-00000223 (c)(p2)
|     |         |    |-00000227 (c)(p2)
|     |         |    |-00000228 (c)(p2)
|     |         |    |-members (@)(p2)
|     |         |    |    |-s-1-5 (@)(p2)
|     |         |    |    |   |-00000004 (@)(p2)
|     |         |    |    |   \-0000000b (@)(p2)
|     |         |    |    |-s-1-5-21-329068152-152049171-854245398 (@)(p2)
|     |         |    |                         |-000001f4 (@)(p2)
|     |         |    |                         |-000001f5 (@)(p2)
|     |         |    |-names (@)(p2)
|     |         |        |-administrator (@)(p2)
|     |         |        |-backup operators (@)(p2)
|     |         |        |-guests (@)(p2)
|     |         |        |-power users (@)(p2)
|     |         |        |-replicator (@)(p2)
|     |         |        |-users (@)(p2)
|     |         |-groups (@)(p2)
|     |         |    \-names (@)(p2)
|     |         |-users (@)(p2)
|     |             |-names (@)(p2)
|     \-rxact (@)(p2)
#################################################################################
what some parts appear to do:

usernames are stored as a keyname - whatever this is, it is the login username:
\sam\sam\domains\account\users\names\(username)
within this key the user number is held as a 4 byte @ value, eg 00,00,01,f4. this links to:
\sam\sam\domains\account\users\(userno.) within which there is a v value that, towards the end, also holds the username (plus the fullname, description, and the lm/nt hashes). the "users and passwords" dialog relies on these two usernames matching up; if they don't, the user is _not_ listed. if the username key is changed, computer management will not list that user under users (sp2?) but will error with "the following error occurred while attempting to read user properties: the user name could not be found." if the member list of a group the user belongs to is viewed, the user will be listed under the name from the v value.

users obtain their permissions by belonging to a group. the group(s) a user is a member of are specified at:
\sam\sam\domains\builtin\aliases\members\s-1-5-21-(sidno.)\(userno.)\@
if a user is not a member of any group, they will not have a userno. key here.
if they are members of more than one group, the @ value lists each one.
each entry in @ is a four byte value (the group number) that matches up with:
\sam\sam\domains\builtin\aliases\(groupno.)
within this key is a value named c. it holds some of the settings for that group, and the description towards the end is the one used within the os.
users of no group will not appear in the users and passwords dialog. a list of all users can be found in computer management. what rights users of no group have is unclear, but they can log on.

\sam\sam\domains\builtin\aliases\(groupno.)\c holds the number of members of the group at offset 0x30 within the data of the value (not counting the first four bytes). it is *probably* a four byte little-endian value (read backwards), giving a maximum of 4,294,967,295 members per group.

\sam\sam\domains\builtin\aliases\names\(groupname) is the name used by the os for the group. within this key is a 4 byte @ value, such as 00,00,02,21, that links to \sam\sam\domains\builtin\aliases\(groupno.), which in this case would be the users group.

user accounts can either be active or inactive, the difference being the ability to log on. this setting is located in:
\sam\sam\domains\account\users\(userno.)\F - a 16-bit account-control word at offset 0x38.
active = either 10 or 14
inactive = either 11 or 15
the low bit (01) is the "account disabled" flag, 10 marks a normal user account and 04 is the "password not required" bit; this explains the difference: accounts entered via computer management get 10, accounts entered via users and passwords get 14. though the builtin administrator account can be set "inactive" here, this does not disable it.

the sam file keeps a count of how many times each user has logged on and a total for the machine.
\sam\sam\domains\account\f at offset 10-17 is the total for the machine, an 8 byte little-endian number (low byte first).
\sam\sam\domains\account\users\(userno.)\f at offset 42-43 is the total for a user, a 2 byte little-endian number (the 2 bytes before it, at offset 40-41, are the bad password count).
when the maximum for a user is reached, the counter stops at ff,ff - for the machine it would wrap around to 00,00,00,00,00,00,00,00, but that is a lot of logins!
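as an added worked example (not part of the original article), the following python decodes the F value fields just described: the account-control word at offset 0x38, the bad password and logon counts at 0x40/0x42 and the rid at 0x30. the flag names are the samr account-control bits, of which the page's 10/11/14/15 are combinations; the sample F blobs are constructed here rather than taken from a real hive, and only the fields above are filled in.

```python
import struct

# account-control bits in the 16-bit word at offset 0x38 of a user's F value.
# these are the samr ACB_* flags; the bytes observed on the page decode as
# 0x10 = normal account, 0x11 = normal + disabled, 0x14 = normal + password not
# required, 0x15 = normal + password not required + disabled.
ACB_FLAGS = {
    0x0001: "disabled",
    0x0002: "home directory required",
    0x0004: "password not required",
    0x0008: "temporary duplicate account",
    0x0010: "normal account",
    0x0020: "mns logon account",
    0x0040: "interdomain trust account",
    0x0080: "workstation trust account",
    0x0100: "server trust account",
    0x0200: "password never expires",
    0x0400: "auto locked",
}


def decode_user_f(f: bytes) -> dict:
    """decode the fields of \\sam\\sam\\domains\\account\\users\\<rid>\\F discussed in the article."""
    if len(f) < 0x50:
        raise ValueError("F value is %d bytes, expected at least 0x50" % len(f))
    (rid,) = struct.unpack_from("<I", f, 0x30)           # relative id, e.g. 0x1f4 for administrator
    (acb,) = struct.unpack_from("<H", f, 0x38)           # account-control bits, little-endian
    bad_pw, logons = struct.unpack_from("<HH", f, 0x40)  # bad-password count, logon count
    return {
        "rid": rid,
        "acb": acb,
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "enabled": not (acb & 0x0001),
        "bad_password_count": bad_pw,
        "logon_count": logons,
    }


def with_account_enabled(f: bytes, enabled: bool) -> bytes:
    """return a copy of F with only the 'disabled' bit changed: 0x11 <-> 0x10, 0x15 <-> 0x14."""
    (acb,) = struct.unpack_from("<H", f, 0x38)
    acb = (acb & ~0x0001) if enabled else (acb | 0x0001)
    return f[:0x38] + struct.pack("<H", acb & 0xFFFF) + f[0x3a:]


def make_sample_f(rid: int, acb: int, bad_pw: int, logons: int) -> bytes:
    """constructed test data: an 0x50-byte F with only the fields above filled in (timestamps left zero)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<HH", f, 0x40, bad_pw, logons)
    return bytes(f)


if __name__ == "__main__":
    guest = make_sample_f(0x1F5, 0x0015, 0, 0)      # constructed: disabled guest, password not required
    print(decode_user_f(guest))
    print(decode_user_f(with_account_enabled(guest, True)))
```

the decoder deliberately reports the raw word next to the flag names, so that values outside the four the article lists (for example 0x0210, normal account with password never expires) are still visible rather than silently dropped.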

the rxact key stands for "registry transaction package", unsure of purpose.

<structure of the security file>

the following security file extracts were taken from a default setup of nt5pro.
"329068152-152049171-854245398" is the sidno. for my machine.
the security file forms the following registry structure (values in brackets)
some entries are not visible via regedit.exe or regedt32.exe, which report "unable to display security information"; why is unclear (they were highlighted in red in the original).
the security hive has five different permission levels (security descriptors):
p1: 78,00,00,00 -> 00,00,00,78
p2: 78,01,00,00 -> 00,00,01,78
p3: 88,1f,00,00 -> 00,00,1f,88
p4: 50,25,00,00 -> 00,00,25,50
p5: b0 2a 00 00 -> 00,00,2a,b0

################################################################################
hkey_local_machine
+-hardware
+-sam
|-security (p1)
|    |-policy (@)(p2)
|    |   |-accounts (@)(p2)
|    |   |    |-s-1-1-0 (@)(p2)
|    |   |    |    |-actsysac (@)(p2)
|    |   |    |    |-privilgs (@)(p2)
|    |   |    |    |-secdesc (@)(p2)
|    |   |    |    \-sid (@)(p2)
|    |   |    |-s-1-5-21-329068152-152049171-854245398-501 (@)(p3)
|    |   |    |                      |-actsysac (@)(p3)
|    |   |    |                      |-secdesc (@)(p3)
|    |   |    |                      |-sid (@)(p3)
|    |   |    |-s-1-5-32-544 (@)(p2)
|    |   |    |      |-actsysac (@)(p2)
|    |   |    |      |-privilgs (@)(p2)
|    |   |    |      |-secdesc (@)(p2)
|    |   |    |      \-sid (@)(p2)
|    |   |    |-s-1-5-32-545 (@)(p2)
|    |   |    |      |-actsysac (@)(p2)
|    |   |    |      |-privilgs (@)(p2)
|    |   |    |      |-secdesc (@)(p2)
|    |   |    |      \-sid (@)(p2)
|    |   |    |-s-1-5-32-547 (@)(p2)
|    |   |    |      |-actsysac (@)(p2)
|    |   |    |      |-privilgs (@)(p2)
|    |   |    |      |-secdesc (@)(p2)
|    |   |    |      \-sid (@)(p2)
|    |   |    |-s-1-5-32-551 (@)(p2)
|    |   |           |-actsysac (@)(p2)
|    |   |           |-privilgs (@)(p2)
|    |   |           |-secdesc (@)(p2)
|    |   |           \-sid (@)(p2)
|    |   |-defquota (@)(p2)
|    |   |-domains (@)(p2)
|    |   |-polacdmn (@)(p2)
|    |   |-polacdms (@)(p2)
|    |   |-poladtev (@)(p2)
|    |   |-poladtfl (@)(p2)
|    |   |-poladtlg (@)(p2)
|    |   |-poldnddn (@)(p4)
|    |   |-poldndmg (@)(p4)
|    |   |-poldntrn (@)(p4)
|    |   |-polefdat (@)(p2)
|    |   |-polmod (@)(p2)
|    |   |-polprdmn (@)(p4)
|    |   |-polprdms (@)(p4)
|    |   |-polrevision (@)(p2)
|    |   |-polsecretencryptionkey (@)(p2)
|    |   |-polstate (@)(p2)
|    |   |-quabsmax (@)(p2)
|    |   |-quasmin (@)(p2)
|    |   |-secdesc (@)(p2)
|    |   |-secrets (@)(p2)
|    |       |-defaultpassword (@)(p2)
|    |       |       |-cupdtime (@)(p2)
|    |       |       |-currval (@)(p2)
|    |       |       |-oldval (@)(p2)
|    |       |       |-oupdtime (@)(p2)
|    |       |       \-secdesc (@)(p2)
|    |       |-dpapi_system (@)(p2)
|    |       |      |-cupdtime (@)(p2)
|    |       |      |-currval (@)(p2)
|    |       |      |-oldval (@)(p2)
|    |       |      |-oupdtime (@)(p2)
|    |       |      |-secdesc (@)(p2)
|    |       |-sac (@)(p2)
|    |       |  |-cupdtime (@)(p2)
|    |       |  |-currval (@)(p2)
|    |       |  |-oldval (@)(p2)
|    |       |  |-oupdtime (@)(p2)
|    |       |  \-secdesc (@)(p2)
|    |       |-sai (@)(p2)
|    |       |  |-cupdtime (@)(p2)
|    |       |  |-currval (@)(p2)
|    |       |  |-oldval (@)(p2)
|    |       |  |-oupdtime (@)(p2)
|    |       |  \-secdesc (@)(p2)
|    |       |-xatm:2d5e7345-baa0-4186-9da4-fda240db3287 (@)(p5)
|    |                             |-cupdtime (@)(p5)
|    |                             |-currval (@)(p5)
|    |                             |-oldval (@)(p5)
|    |                             |-oupdtime (@)(p5)
|    |                             |-secdesc (@)(p5)
|    |-rxact (@)(p2)
|    \-sam <-this is a link folder to the sam hive
################################################################################
what some parts appear to do:

\security\policy\accounts\ holds various security policy settings for users and user groups, one subkey per sid:

everyone s-1-1-0
authenticated users s-1-5-11
anonymous logon s-1-5-7
batch s-1-5-3
creator owner s-1-3-0
creator group s-1-3-1
dialup s-1-5-1
interactive s-1-5-4
network s-1-5-2
service s-1-5-6
system s-1-5-18
administrator s-1-5-21-(sid)-500
guest s-1-5-21-(sid)-501
administrators s-1-5-32-544
backup operators s-1-5-32-551
guests s-1-5-32-546
power users s-1-5-32-547
replicator s-1-5-32-552
users s-1-5-32-545

(diagram annotations from the original page: workgroup; computer name folder)

within these keys there are usually about four subkeys: actsysac, privilgs, secdesc and sid.

actsysac: a four byte little-endian value that records logon rights. the values for single options are listed as they appear on disk (so 00,01,00,00 is 0x100); add for combinations. deny overrides allow.

00,00,00,00 - none of the following settings (the key may then be absent)
01,00,00,00 - logon locally
02,00,00,00 - access this computer from the network
04,00,00,00 - logon as a batch job
10,00,00,00 - logon as a service
40,00,00,00 - deny logon locally
80,00,00,00 - deny access to this computer from the network
00,01,00,00 - deny logon as a batch job
00,02,00,00 - deny logon as a service


privilgs: of variable length, it covers the remaining options in "user rights assignment". the layout matches the win32 privilege_set structure: the first dword is the number of privileges the user (group) has, the second is a control dword, and the first privilege starts at offset 8, with one 12 byte entry per privilege thereafter (so a single privilege takes 20 bytes). each entry is an 8 byte luid followed by 4 bytes of attributes; only the low dword of the luid (the privilege number below) is non-zero here, which is why the rest of each entry is filled with 00. the privileges appear in no particular order.

07 - act as part of the operating system
06 - add workstations to domain
11 - backup files and directories
17 - bypass traverse checking
0c - change the system time
0f - create a pagefile
02 - create a token object
10 - create permanent shared objects
14 - debug programs
1b - enable computer and user accounts to be trusted for delegation
18 - force shutdown from a remote system
15 - generate security audits
05 - increase quotas
0e - increase scheduling priority
0a - load and unload device drivers
04 - lock pages in memory
08 - manage auditing and security log
16 - modify firmware environment values
0d - profile single process
0b - profile system performance
19 - remove computer from docking station
03 - replace a process level token
12 - restore file and directories
13 - shut down the system
1a - synchronize directory service data
09 - take ownership of files or other objects

secdesc: a security descriptor - almost matches the value in security\policy\secdesc\

sid: the account's sid in binary form; the last 4 bytes are the user (group) number, e.g. 000001f5 for guest or 00000220 for administrators. it is not omitted for the everyone group: s-1-1-0 has a single sub-authority of 0, so its last four bytes are simply 00,00,00,00.
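as an added example (not code from the original article), this python decodes the actsysac and privilgs values of one accounts\(sid) key as described above. the bit and privilege numbers are the page's own tables; the privilgs blob is read as a privilege_set (count, control, then 12 byte luid-and-attributes entries), and the sample values are constructed here, not dumped from a hive.

```python
import struct

# bits of the actsysac dword (stored little-endian, so the page's "00,01,00,00" is 0x100)
ALLOW_BITS = {
    0x001: "logon locally",
    0x002: "access this computer from the network",
    0x004: "logon as a batch job",
    0x010: "logon as a service",
}
DENY_BITS = {   # deny bit -> the allow bit it overrides
    0x040: 0x001,
    0x080: 0x002,
    0x100: 0x004,
    0x200: 0x010,
}

# privilege numbers as listed on the page (low dword of the LUID in each entry)
PRIVILEGES = {
    0x02: "create a token object", 0x03: "replace a process level token",
    0x04: "lock pages in memory", 0x05: "increase quotas",
    0x06: "add workstations to domain", 0x07: "act as part of the operating system",
    0x08: "manage auditing and security log", 0x09: "take ownership of files or other objects",
    0x0a: "load and unload device drivers", 0x0b: "profile system performance",
    0x0c: "change the system time", 0x0d: "profile single process",
    0x0e: "increase scheduling priority", 0x0f: "create a pagefile",
    0x10: "create permanent shared objects", 0x11: "backup files and directories",
    0x12: "restore files and directories", 0x13: "shut down the system",
    0x14: "debug programs", 0x15: "generate security audits",
    0x16: "modify firmware environment values", 0x17: "bypass traverse checking",
    0x18: "force shutdown from a remote system", 0x19: "remove computer from docking station",
    0x1a: "synchronize directory service data",
    0x1b: "enable computer and user accounts to be trusted for delegation",
}


def decode_actsysac(raw: bytes) -> dict:
    """split the logon-rights dword into allow, deny and the effective set (deny overrides allow)."""
    (mask,) = struct.unpack_from("<I", raw, 0)
    allowed = {bit for bit in ALLOW_BITS if mask & bit}
    denied = {DENY_BITS[bit] for bit in DENY_BITS if mask & bit}
    known = sum(ALLOW_BITS) | sum(DENY_BITS)
    return {
        "allowed": sorted(ALLOW_BITS[b] for b in allowed),
        "denied": sorted(ALLOW_BITS[b] for b in denied),
        "effective": sorted(ALLOW_BITS[b] for b in allowed - denied),
        "unknown_bits": mask & ~known,   # anything outside the page's table, reported rather than dropped
    }


def decode_privilgs(raw: bytes) -> list:
    """walk the privilege set: dword count, dword control, then 12-byte LUID_AND_ATTRIBUTES entries from offset 8."""
    count, control = struct.unpack_from("<II", raw, 0)
    if len(raw) < 8 + 12 * count:
        raise ValueError("privilege set truncated: %d entries need %d bytes" % (count, 8 + 12 * count))
    names = []
    for i in range(count):
        luid_low, luid_high, attrs = struct.unpack_from("<IiI", raw, 8 + 12 * i)
        names.append(PRIVILEGES.get(luid_low, "unknown privilege 0x%x" % luid_low))
    return names


def make_privilgs(*privs: int) -> bytes:
    """constructed test data in the on-disk layout (control and attribute dwords zero)."""
    return struct.pack("<II", len(privs), 0) + b"".join(struct.pack("<IiI", p, 0, 0) for p in privs)


if __name__ == "__main__":
    # constructed: local + network logon allowed, network logon denied -> only local logon is effective
    print(decode_actsysac(struct.pack("<I", 0x001 | 0x002 | 0x080)))
    # constructed: shut down the system (0x13) and bypass traverse checking (0x17)
    print(decode_privilgs(make_privilgs(0x13, 0x17)))
```

the "unknown_bits" field matters in practice: the table above only covers the rights this article observed, and a non-zero remainder tells you the value carries a flag you have not accounted for instead of quietly misreading it.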

\security\policy\polacdmn\ holds the netbios computer name at offset 8 within the data of the @ value. the name is stored in unicode; the first byte states the length of the name, the maximum being 15 (the netbios limit). the real computer name can be longer. it cannot contain any special characters and must contain at least one letter. the computer name and the workgroup are not allowed to be the same; however, windows has problems if the computer name is longer than 15 characters, the name is shortened for netbios, and the workgroup is then given the same name as the first 15 characters of the computer name: "the specified workgroup name is invalid".

\security\policy\polefdat\ holds the efs file encryption certificate as viewable in security settings\public key policies\encrypted data recovery agents\administrator

\security\policy\polprdmn holds the workgroup name, same style as polacdmn.

\security\policy\polsecretencryptionkey i'll give you one guess :-) holds an interesting 64 byte key, mentioned later in the article, strangely enough ;-)

<sam and security (and general nt hives) - ground zero>

the registry appears to be made up of 7 different types of entries (cells):
01. nk = (sub)keys (links to the following 4 types)
02. lf = subkey list (the signature is "lf", as in the hex dump below; xp mostly uses "lh", a variant that stores a hash of each name instead of its first characters, and "li"/"ri" lists exist for large numbers of subkeys)
03. xx = value list (no signature; links to type no. 6)
04. sk = permissions (a security descriptor)
05. xx = class info (no signature)

06. vk = value (links to type no. 7, though short data can be held within the value itself)
07. xx = data (no signature)

n.b: offsets are stored little-endian ("read backwards") and are relative to the start of the first data block, which follows the 0x1000 (4,096) byte file header; add 0x1000 to get the offset within the file.
################################################################################
key/subkeys appear to have the following layout:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 A8FFFFFF6E6B2C000055EF85BA60C101 ¨ÿÿÿnk,..Uï…º`Á.
10 00000000F00300000100000000000000 ....ð...........
20 F0010000FFFFFFFF00000000FFFFFFFF ð...ÿÿÿÿ....ÿÿÿÿ
30 78000000FFFFFFFF0600000000000000 x...ÿÿÿÿ........
40 00000000000000000000000003000000 ................
50 53414d0000000000                 SAM.....

offset  size  meaning
00      4     length of the entry, see below
04      2     signature "nk" - all keys have this
06      2     key flags: 2c = a root key, 20 = a subkey (bit 20 = name stored in ascii, 08 = cannot be deleted, 04 = root of the hive)
08      8     timestamp (last write time) - see below
10      4     unused here (00000000)
14      4     parent key offset; what the root key points to is unclear
18      4     number of subkeys; if none, filled with 00000000
1c      4     number of volatile subkeys (always 00000000 on disk, volatile keys are never written)
20      4     (lf) subkey list offset; if there are none, filled with ffffffff
24      4     volatile subkey list offset; ffffffff on disk
28      4     number of values; if none, filled with 00000000
2c      4     values list offset; if there are none, filled with ffffffff
30      4     (sk) permissions offset
34      4     class entry offset; if there is none, filled with ffffffff
38      16    cached maximum lengths: longest subkey name, class name, value name and value data (here 06000000 for the subkey name)
48      4     work variable, unused on disk
4c      2     keyname length
4e      2     class length (max = d0,07 -> 07,d0 = 2,000 bytes, i.e. 1,000 unicode characters)
50      n     keyname - stored in ascii when flag 20 is set, otherwise in unicode; ignore surplus bytes, the length is stated

keys are 80 bytes (50h) in size. the name of the key is appended, adding to the length, and the whole entry is padded to a multiple of 8 bytes.

entry length:
the first four bytes are a signed little-endian dword giving the size of the entry, including these four bytes. a negative value means the entry is in use; a positive value means it is free space. eg a8,ff,ff,ff:
first flip: a8,ff,ff,ff -> ff,ff,ff,a8
negate (two's complement): ff,ff,ff,ff - ff,ff,ff,a8 + 1 = 58
so 58h = 88 bytes are set aside for this entry: 80 for the fixed part, 3 for the name "sam" and 5 of padding. (selecting the whole entry in winhex shows the same 88.)

timestamp:
8 bytes are set aside. the timestamp is a standard windows filetime: the number of 100 nanosecond intervals (ten millionths of a second) since the start of 1601, stored little-endian. it is the key's last write time, not an identifier: it is set at key creation and updated when the key is renamed or when values within it are added or changed. it does not change for changes to subkeys.

98,96,80 = 10,000,000 = one second
23,c3,46,00 = 600,000,000 = one minute
08,61,c4,68,00 = 36,000,000,000 = one hour
c9,2a,69,c0,00 = 864,000,000,000 = one day

date         time       debug view                 flipped (real) view
01/01/1601 - 12:00 AM = 00,00,00,00,00,00,00,00 -> 00,00,00,00,00,00,00,00
01/01/2000 - 12:00 AM = 00,40,6d,25,eb,53,bf,01 -> 01,bf,53,eb,25,6d,40,00
01/01/2001 - 12:00 AM = 00,c0,9d,c8,85,73,c0,01 -> 01,c0,73,85,c8,9d,c0,00
01/01/2002 - 12:00 AM = 00,80,64,41,57,92,c1,01 -> 01,c1,92,57,41,64,80,00
################################################################################
subkey list:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 E8FFFFFF6C660200500A000030303030 èÿÿÿlf..P...0000
10 B80E000030303030                 ¸...0000

offset  meaning
00  length of the entry, as above
04  signature "lf" (6c,66) - all subkey lists of this kind have this
06  number of subkeys (2 bytes); this information can also be obtained from the key
08  offset of the first subkey, followed by the first four characters of that subkey's name (here "0000")
10  offset of the second subkey and its four name characters, and so on, 8 bytes per subkey

as can be seen in the dump, the name hints are not made unique when several subkeys start with the same four characters. a quick look at xp shows this part replaced: xp uses an "lh" list, which stores a hash of the name instead.
################################################################################
values list:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 F0FFFFFF48040000200500005C51FEBF ðÿÿÿH... ...\Qþ¿

offset  meaning
00  length of the entry, as above
04  offset to the first value
08  offset to the second value; the last offset in the list is sometimes duplicated
0c  old data from before the entry was created (slack space), ignore - obtain the number of values from the key
################################################################################
permissions:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 58FFFFFF736BFFFF7801000078010000 Xÿÿÿskÿÿx...x...
10 010000008C0000000100048070000000 ....Œ......€p...
20 80000000000000001400000002005C00 €.............\.
30 04000000000214003F000F0001010000 ........?.......
40 0000000512000000000218003F000F00 ............?...
50 01020000000000052000000020020000 ........ ... ...
60 00021400190002000101000000000001 ................
70 00000000000214001900020001010000 ................
80 000000050C0000000102000000000005 ................
90 20000000200200000101000000000005  ... ...........
A0 1200000000000000                 ........

offset  meaning
00  length of the entry, as above
04  signature "sk" - all security information entries have this
06  unused (ffff)
08  offset of the next sk entry (flink)
0c  offset of the previous sk entry (blink) - together these form a doubly linked list of all the sk entries in the hive
10  reference count: the number of keys sharing this descriptor (here 1)
14  length of the security descriptor that follows (here 8c)
18  a self-relative windows security descriptor: revision 01, control 8004 (self-relative, dacl present), then the offsets of the owner sid (70), group sid (80), sacl (00 = none) and dacl (14), all relative to offset 18

decoding the dump above: the dacl (02,00,5c,00 = revision 2, 5c bytes long, 04 aces) has four access-allowed aces, all flagged container-inherit (02): system (s-1-5-18) full control (mask 3f,00,0f,00 = key_all_access), administrators (s-1-5-32-544) full control, everyone (s-1-1-0) read only (19,00,02,00 = key_read) and restricted (s-1-5-12) read only. the owner sid near the end is administrators and the group sid after it is system. sids are stored as a revision byte, a sub-authority count byte, six bytes of identifier authority (big-endian) and then the 32-bit sub-authorities (little-endian), which is why 544 appears as 20,02,00,00.
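as an added example (not part of the original article), this python parses the sk entry dumped above: the list pointers and reference count, then the self-relative security descriptor, its dacl and the owner/group sids. the same sid decoder applies to the binary sid values under \security\policy\accounts\ in the previous section. the ace type and access mask names are the standard windows ones; the input is the page's own dump.

```python
import struct

ACE_TYPES = {0: "allow", 1: "deny", 2: "audit"}
KEY_MASKS = {0x000F003F: "KEY_ALL_ACCESS", 0x00020019: "KEY_READ", 0x00020006: "KEY_WRITE"}
WELL_KNOWN = {"S-1-1-0": "everyone", "S-1-5-12": "restricted", "S-1-5-18": "system",
              "S-1-5-32-544": "administrators"}


def parse_sid(buf: bytes, off: int):
    """binary SID: revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def parse_acl(sd: bytes, off: int) -> list:
    """ACL header (revision, size, ace count) followed by ACEs: type, flags, size, access mask, SID."""
    revision, _, size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid, _ = parse_sid(sd, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags,
                     "mask": mask, "mask_name": KEY_MASKS.get(mask, hex(mask)),
                     "sid": sid, "name": WELL_KNOWN.get(sid, sid)})
        pos += ace_size          # ace_size includes the 8-byte header, so this skips the SID too
    return aces


def parse_sk(raw: bytes) -> dict:
    """sk cell: size, "sk", reserved, flink, blink, reference count, descriptor length, descriptor."""
    (size,) = struct.unpack_from("<i", raw, 0)
    if raw[4:6] != b"sk":
        raise ValueError("not an sk cell")
    flink, blink, refs, sd_len = struct.unpack_from("<4I", raw, 8)
    sd = raw[0x18:0x18 + sd_len]
    # SECURITY_DESCRIPTOR_RELATIVE: all offsets below are relative to the start of sd
    revision, _, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBH4I", sd, 0)
    result = {"size": abs(size), "flink": flink, "blink": blink, "refs": refs, "control": control,
              "owner": None, "group": None, "dacl": None, "sacl": None}
    if owner_off:
        result["owner"] = parse_sid(sd, owner_off)[0]
    if group_off:
        result["group"] = parse_sid(sd, group_off)[0]
    if control & 0x0004 and dacl_off:      # SE_DACL_PRESENT
        result["dacl"] = parse_acl(sd, dacl_off)
    if control & 0x0010 and sacl_off:      # SE_SACL_PRESENT
        result["sacl"] = parse_acl(sd, sacl_off)
    return result


# the sk entry dumped on the page, byte for byte
SK_FROM_PAGE = bytes.fromhex(
    "58FFFFFF736BFFFF7801000078010000" "010000008C0000000100048070000000"
    "80000000000000001400000002005C00" "04000000000214003F000F0001010000"
    "0000000512000000000218003F000F00" "01020000000000052000000020020000"
    "00021400190002000101000000000001" "00000000000214001900020001010000"
    "000000050C0000000102000000000005" "20000000200200000101000000000005"
    "1200000000000000")

if __name__ == "__main__":
    sk = parse_sk(SK_FROM_PAGE)
    print("owner", sk["owner"], "group", sk["group"], "refs", sk["refs"])
    for ace in sk["dacl"]:
        print(ace["type"], ace["mask_name"], ace["name"])
```

note that a descriptor with the dacl-present bit clear grants everyone full access (a null dacl), which is why the parser checks the control word rather than just the offset.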
################################################################################
class info:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 E8FFFFFF630066003300330064003500 èÿÿÿc.f.3.3.d.5.
10 3400660000000000                 4.f.....

offset  meaning
00  length of the entry, as above
04  the information, in unicode; the length is stated in the key, ignore surplus
################################################################################
values - there seem to be 3 different layouts:

01. @values - values with no name that link to data:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 E8FFFFFF766B00004C000000B0130000 èÿÿÿvk..L...°...
10 0000000000000000                 ........

offset  meaning
00  length of the entry, see above
04  signature "vk" - all values have this
06  length of the value name (0000 here: no name, i.e. the @ value)
08  length of the data entry - not including the 4 bytes at the beginning of the data entry
0c  offset to the data entry
10  value type, see table (00000000 = no type here)
14  flags and two unused bytes
########################################
02. @values - values with no name that contain data (do not link to data):

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 E8FFFFFF766B00000400008020020000 èÿÿÿvk..... ...
10 0100000000000000                 ........

offset  meaning
00  length of the entry, see above
04  signature "vk"
06  length of the value name (0000: the @ value)
08  data length 04,00,00,80 -> 80,00,00,04: the top bit (80000000) is set, which means the data is at most 4 bytes and is stored inside the value itself; the remaining bits give its length, here 4
0c  the data itself (20,02,00,00) - this is the field that otherwise holds the data offset
10  value type, see table
14  flags and two unused bytes
########################################
03. values with names that link to data:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 E0FFFFFF766B030062EA000020400000 àÿÿÿvk.... @..
10 0100000001000000666F6F0000000000 ........foo.....

offset  meaning
00  length of the entry, see above
04  signature "vk"
06  length of the value name (0003)
08  length of the data entry - not including the 4 bytes at the beginning of the data entry
0c  offset to the data entry
10  value type, see table
14  flags (0001 = the name is stored in ascii rather than unicode) and two unused bytes
18  value name ("foo"), ignore surplus

value type (debug / regedt32.exe / regedit.exe):
00  reg_none       (no type; seen on the @ values of layout 01 above)
01  reg_sz         string
02  reg_expand_sz
03  reg_binary     binary
04  reg_dword      dword
07  reg_multi_sz
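as an added example (not part of the original article), this python decodes the nk, lf and vk entries dumped in this section: the signed entry length, the filetime, the key flags and offsets, the subkey list and the two forms of value (data held inline versus data at an offset). the flag and type names are the documented ones for this file format; the inputs are the hex dumps printed above.

```python
import struct
from datetime import datetime, timedelta

HBIN_BASE = 0x1000   # entry offsets are relative to the first data block; add this for the file offset

NK_FLAGS = {0x01: "volatile", 0x02: "hive exit", 0x04: "hive entry (root)", 0x08: "no delete",
            0x10: "symlink", 0x20: "compressed (ascii) name", 0x40: "predefined handle"}
REG_TYPES = {0: "reg_none", 1: "reg_sz", 2: "reg_expand_sz", 3: "reg_binary", 4: "reg_dword", 7: "reg_multi_sz"}


def cell_size(raw: bytes):
    """every entry starts with a signed little-endian dword: negative = in use; abs() = size incl. these 4 bytes."""
    (n,) = struct.unpack_from("<i", raw, 0)
    return abs(n), n < 0


def filetime(raw: bytes, off: int) -> datetime:
    """64-bit little-endian count of 100 ns intervals since 1601-01-01."""
    (ft,) = struct.unpack_from("<Q", raw, off)
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def parse_nk(raw: bytes) -> dict:
    size, in_use = cell_size(raw)
    if raw[4:6] != b"nk":
        raise ValueError("not an nk entry")
    (flags,) = struct.unpack_from("<H", raw, 6)
    parent, n_sub, n_sub_vol, sub_list, sub_list_vol, n_val, val_list, sk, cls = struct.unpack_from("<9I", raw, 0x14)
    name_len, cls_len = struct.unpack_from("<HH", raw, 0x4C)
    name = raw[0x50:0x50 + name_len]
    return {"size": size, "in_use": in_use, "flags": [NK_FLAGS[b] for b in NK_FLAGS if flags & b],
            "timestamp": filetime(raw, 8), "parent": parent,
            "subkeys": n_sub, "subkey_list": sub_list, "values": n_val, "value_list": val_list,
            "sk": sk, "class": cls, "class_len": cls_len,
            "name": name.decode("latin-1") if flags & 0x20 else name.decode("utf-16-le")}


def parse_lf(raw: bytes) -> dict:
    size, _ = cell_size(raw)
    sig = raw[4:6]
    if sig not in (b"lf", b"lh"):
        raise ValueError("not an lf/lh subkey list")
    (count,) = struct.unpack_from("<H", raw, 6)
    entries = []
    for i in range(count):
        off, hint = struct.unpack_from("<I4s", raw, 8 + 8 * i)
        # lf keeps the first four name characters, lh (xp) a hash of the name
        entries.append((off, hint.decode("latin-1") if sig == b"lf" else struct.unpack("<I", hint)[0]))
    return {"size": size, "kind": sig.decode(), "count": count, "entries": entries}


def parse_vk(raw: bytes) -> dict:
    size, _ = cell_size(raw)
    if raw[4:6] != b"vk":
        raise ValueError("not a vk entry")
    name_len, data_len, data_off, vtype, flags = struct.unpack_from("<HIIIH", raw, 6)
    inline = bool(data_len & 0x80000000)     # top bit set: the data sits in the offset field itself
    data_len &= 0x7FFFFFFF
    return {"size": size,
            "name": raw[0x18:0x18 + name_len].decode("latin-1") if name_len else "(default)",
            "type": REG_TYPES.get(vtype, vtype), "data_len": data_len, "inline": inline,
            "data": raw[0x0C:0x0C + data_len] if inline else None,
            "data_offset": None if inline else data_off}


# the entries dumped on this page
NK_ROOT = bytes.fromhex("A8FFFFFF6E6B2C000055EF85BA60C101" "00000000F00300000100000000000000"
                        "F0010000FFFFFFFF00000000FFFFFFFF" "78000000FFFFFFFF0600000000000000"
                        "00000000000000000000000003000000" "53414d0000000000")
LF_LIST = bytes.fromhex("E8FFFFFF6C660200500A000030303030" "B80E000030303030")
VK_LINKED = bytes.fromhex("E8FFFFFF766B00004C000000B0130000" "0000000000000000")
VK_INLINE = bytes.fromhex("E8FFFFFF766B00000400008020020000" "0100000000000000")
VK_NAMED = bytes.fromhex("E0FFFFFF766B030062EA000020400000" "0100000001000000666F6F0000000000")

if __name__ == "__main__":
    nk = parse_nk(NK_ROOT)
    print(nk["name"], nk["flags"], nk["timestamp"],
          "subkey list at file offset", hex(nk["subkey_list"] + HBIN_BASE))
    print(parse_lf(LF_LIST))
    for vk in (VK_LINKED, VK_INLINE, VK_NAMED):
        print(parse_vk(vk))
```

running it on the page's root key prints a last write time in late october 2001, which is the kind of sanity check worth doing before trusting an offset table: a timestamp that decodes to 1601 or to the far future means the offset is wrong.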
################################################################################
data:

    0 1 2 3 4 5 6 7 8 9 A B C D E F      ASCII
00 B0FFFFFF010000000100000000000000 °ÿÿÿ............
10 444B6C3BC155B2F4B73C9E4A5177DACD DKl;ÁU²ô·<žJQwÚÍ
20 BABDB5A3ABE81D6D1A04E56A1CB8894D º½µ£«è.m..åj.¸‰M
30 F826F262D7D701AE283EBE6B13A2D61F ø&òb××.®(>¾k.¢Ö.
40 AEC1EE73583FF925A6AD751CA46AA708 ®ÁîsX?ù%¦­u.¤j§.

offset  meaning
00  length of the entry, as above
04  the data, right to the end of the entry. (if there are blocks missing in the ascii column, your browser cannot display some special characters, the last one being &shy; :-)
################################################################################
examples of hives: a hex-level annotated sam file and a hex-level annotated security file are provided as separate pages.

<security of the sam file>

the sam file appears to be "fairly" secure - however if physical access to the machine is possible it is not so secure. i believe even microsoft have admitted this.

the sam file is locked while windows is running: it cannot be deleted, copied, moved or renamed via explorer. access to physical memory is also restricted to members of the administrators group. disk hex editors can only be used within windows when logged on with administrative privileges, otherwise direct disk access is denied. administrative privileges are also needed to defragment a volume. if the disk is read directly, the sam file may need reassembling from its fragments. if the machine can be (re)booted from a different device, e.g. a floppy, or the hard disk removed and/or copied, there are possibilities.

if the sam file is deleted, windows onboot will simply recreate one - 1 administrator and 1 guest with blank passwords, guest disabled.

passwords are not stored in the sam file; password hashes are. this means that a candidate password has to be hashed and then compared - passwords cannot be directly extracted. once the hashes have been obtained, they can be tested against dictionary files or all possible combinations; the time this takes depends on the length and complexity of the account's password. to prevent simple dumping of the hashes from the registry, syskey.exe (the sam lock tool) was introduced in service pack 3 for nt4. enabling syskey is a one way process; once enabled it cannot be disabled, according to microsoft. service pack 3 did not automatically enable syskey, the administrator had to set it. in nt5+ it is enabled by default. syskey adds an extra layer of encryption to the stored hashes, keyed by the startup key described next.

syskey can work in three different ways: (only one way can be enabled at a time)

secureboot = 1 store startup key locally stores a key as part of the operating system, and no interaction is required during system start
secureboot = 2 password startup requires a password to be entered during system start
secureboot = 3 store startup key on floppy disk requires a floppy disk to be inserted during system start

a record of which option is enabled is recorded in:
hkey_local_machine\system\controlset001\control\lsa\secureboot = x
this value does not determine the option selected though.

if option 2 or 3 is chosen a prompt will appear at startup, just as the mouse appears. either the correct floppy disk needs to be in the drive or the correct password entered to proceed to the regular login. if option 3 is chosen a 16byte file will be saved to floppy disk by the name of "startkey.key" by default 1 is selected in nt5 and it is believed this is the most commonly used option.

although the hashes are now encrypted a second time, the correct hashes can still be obtained via lsass.exe by a user logged on as a member of the administrators group.

<obtaining the correct hashes>

note: the c:\winnt\repair\ method has not been looked at yet.

it was found that there were two methods of going about this:
################################################################################
"method one" - privilege escalation:

if access to an account in the administrators group is not available, raise the privilege level of an existing one. there may be many to choose from, but assume that there are not. one account that is probably always available is the built-in guest.

the computer needs to be booted from a different device: either from a floppy/cd (the bios may need altering/cracking), or remove the disk and temporarily connect it to another machine to make the changes. more stealthy is to dd the target disk and carry out the procedure on a similar machine elsewhere.

boot from either petter's linux disk or from dos. the four nt5 setup disks (ntfs enabled) can be made; on setup select repair and then console mode. rw access to the disk is given, but the administrator's password is needed :-( sysinternals make ntfs boot disks, but the rw version is not free. petter's disk is sufficient - windows-only users should read up on "mount"; btw, cp = copy.

(these may be done in a different order)
01. make a copy of the sam and security hives, or note all changes made
02. make a copy of the following files found in c:\winnt\system32\config:
application log - appevent.evt
security log - secevent.evt
system log - sysevent.evt
03. check the username; if it has an unknown password, set one
04. activate the guest or user account
05. change the permission level to administrator
06. increase the number of administrators
07. check the security policies: can the user log on? change them if not

log in as guest/user and dump the correct hashes. reboot, restore all files to their original state and start testing the hashes.
################################################################################
"method two" - export syskey:

the "sys" part of syskey does not refer to the hardware, so it can be moved to another system. this method also requires booting from a different device (see method one), but the target disk itself does not need to be booted, which makes this method quicker - if a program did the procedure - and more stealthy.

boot up and copy the following information:

01. \sam\sam\domains\account\f - the data of this value
02. \sam\sam\domains\account\users\000001f4 (or the relevant user number)\v - the data of this value
03. \security\policy\polsecretencryptionkey\@ - the data of this value
04. \system\controlset001\control\lsa\data\ - the class name of this key
05. \system\controlset001\control\lsa\gbg\ - the class name of this key
06. \system\controlset001\control\lsa\jd\ - the class name of this key
07. \system\controlset001\control\lsa\skew1\ - the class name of this key

restore the target system to its original state. on a second system (this was tested on a default install of nt5) enable the guest account and raise its privileges to administrator. reboot from a floppy disk or a second partition and write in the obtained information. not all the data needs to be written in: 01 is a 48-byte key, roughly in the middle or at the end (depending on the system), quite obvious on sight; 02 - only the hashes towards the end, about 36 bytes; 03 - the last 64 bytes; the class info is only 16 bytes each. reboot, log in as guest (no password) and dump the correct hashes. this seems to work across different operating systems too: a desktop install of xp pro was successfully exported to a laptop install of 2000. nt4 is untested.

<testing the hashes>

wordlists are very effective against weak passwords. a 3.39mb file contains 349,900 words and common passwords; all of these can be checked in seconds. lc3 can run hybrid tests: using the wordlist, combinations of numbers and special characters are appended to the end of each tested word. this is also very effective. an improvement here would be to also test for "letters like numbers", for example: 0=o 1=l 3=e 5=s

passwords that are "completely random" can take more time.

there are two different 16-byte hashes generated from the password: the lan manager (lanman or lm) hash and the nt hash. the lm hash is based on des (data encryption standard) and the nt hash on md4 (message digest 4). the lm hashing method is not that secure. letters are converted to uppercase, which removes the 26 lowercase letters from the usable alphabet. the password is then split into two sets of 7 characters which are hashed _independently_ of each other. programs test the des (lm) hash first, then test the nt hash for the correct case. the latter part takes very little time.

the same password produces the same hash on whatever machine it is extracted from, so a database *could* be formed of all possible hashes. the advantage would be near-instant passwords every time using minimal processor power; the main disadvantage is space. such a database would be huge - hundreds of terabytes or more.

test os: default install of windows 2000 pro (no other programs installed/running)
software: Advanced NT Security Explorer 2.00 (priority set to high)
machine: 1x amd athlon @ 1ghz, performance test determines approx: 445 megaflops (for comparison with supercomputers)

order of testing -->
|        letters           | numbers  |            special             |
 ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\
note that the "space" is not included in the special character range.

in this benchmark all keys on a uk keyboard are tested for (euro sign not included):
<special> !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~£¬</special> - a total of 35 instead of 32. this has been done via a custom charset. while the times are greatly increased, the special character set probably could be shortened due to human nature: people are more likely to use <common> !#$*.?@_</common>, just 9.

the times are maximums - all combinations up to and including that length. most of the tests have only been carried out once; a few were double checked, and the times varied by only a few seconds. passwords >=15 characters in length cannot be tested via antexp.exe.

when a test is carried out, the level of complexity has to be specified at the beginning. an improvement here would be to test progressively: first test letters only, then test combinations with letters _and_ numbers, since letters alone have already been tested. special characters could also be tested progressively, as many people would probably only use one or two. once letters and numbers have been tested for that length, add in each special character individually, then increase the number of special characters to test for the remaining combinations.

letters only:
length               permutations  time (1x amd athlon @ 1 ghz)
01                             26  very short time
02                            676  very short time
03                         17,576  very short time
04                        456,976  very short time
05                     11,881,376  04 seconds
06                    308,915,776  02 minutes 19 seconds
07                  8,031,810,176  01 hour 06 minutes 08 seconds
08                208,827,064,576  01 hour 06 minutes 05 seconds
09              5,429,503,678,976  01 hour 06 minutes 02 seconds
10            141,167,095,653,376  01 hour 06 minutes 05 seconds
11          3,670,344,486,987,776  01 hour 06 minutes 03 seconds
12         95,428,956,661,682,176  01 hour 06 minutes 05 seconds
13      2,481,152,873,203,736,576  01 hour 06 minutes 12 seconds
14     64,509,974,703,297,150,976  01 hour 10 minutes 14 seconds

letters and numbers:
length               permutations  time (1x amd athlon @ 1 ghz)
01                             36  very short time
02                          1,296  very short time
03                         46,656  very short time
04                      1,679,616  very short time
05                     60,466,176  24 seconds
06                  2,176,782,336  16 minutes 18 seconds
07                 78,364,164,096  10 hours 41 minutes 57 seconds
08              2,821,109,907,456  10 hours 41 minutes 38 seconds
09            101,559,956,668,416  10 hours 41 minutes 48 seconds
10          3,656,158,440,062,976  10 hours 42 minutes 43 seconds
11        131,621,703,842,267,136  10 hours 41 minutes 48 seconds
12      4,738,381,338,321,616,896  10 hours 43 minutes 04 seconds
13    170,581,728,179,578,208,256  10 hours 44 minutes 33 seconds
14  6,140,942,214,464,815,497,216  11 hours 22 minutes 48 seconds

letters, numbers and (uk) special characters:
length               permutations  time (1x amd athlon @ 1 ghz)
01                             71  very short time
02                          5,041  very short time
03                        357,911  very short time
04                     25,411,681  09 seconds
05                  1,804,229,351  12 minutes 27 seconds
06                128,100,283,921  16 hours 20 minutes 47 seconds
07              9,095,120,158,391  approx: 52 days, not fully tested

now you can see why hashing the two halves independently means slightly longer passwords are no more secure: the times level off from length 7 onwards. where does your password fit in, and when was the last time you changed it? remember this is only one standard machine.
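the keyspace arithmetic behind the tables above, as an added python example that is not part of the original article nor of any tool it names: it only counts candidates, modelling the lm 7-character split and the progressive-testing idea, and derives a hashes-per-second figure from the "letters only, length 07" row. the charset sizes and that one timing are the article's; nothing in it hashes or tests passwords.

```python
# Added example, not from the original article: the keyspace arithmetic behind
# the benchmark tables above. It only counts candidates; nothing here hashes or
# tests passwords. Charset sizes are the ones the article's tables use and the
# timing constant is read off its "letters only, length 07" row.

LETTERS = 26        # lm upper-cases first, so a-z and A-Z collapse to 26 symbols
DIGITS = 10
UK_SPECIAL = 35     # the custom uk special-character set of the third table
LM_HALF = 7         # lm splits the password into two 7-character halves

# "letters only", length 07: 01 hour 06 minutes 08 seconds (from the article)
SECONDS_FOR_7_LETTERS = 1 * 3600 + 6 * 60 + 8


def candidates_up_to(charset_size: int, max_len: int) -> int:
    """Strings of length 1..max_len over the charset: the work of a run that
    covers 'all combinations up to and including that length'."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def lm_search_effort(charset_size: int, max_len: int) -> int:
    """Candidates that must be enumerated against an lm hash. Each half is at
    most 7 characters and both halves are compared against the same candidate
    stream, so the effort plateaus at the 7-character keyspace for any max_len."""
    return candidates_up_to(charset_size, min(max_len, LM_HALF))


def new_candidates(base_size: int, added_size: int, max_len: int) -> int:
    """Progressive testing: once the base charset is exhausted, only strings
    containing at least one added symbol remain, i.e. the enlarged keyspace
    minus the base keyspace that was already covered."""
    return (candidates_up_to(base_size + added_size, max_len)
            - candidates_up_to(base_size, max_len))


def measured_rate() -> float:
    """Hashes per second implied by the article's 7-letter measurement."""
    return candidates_up_to(LETTERS, LM_HALF) / SECONDS_FOR_7_LETTERS


def estimate_days(charset_size: int, max_len: int) -> float:
    """Days the article's 1 ghz athlon would need for an lm search of this size."""
    return lm_search_effort(charset_size, max_len) / measured_rate() / 86400


if __name__ == "__main__":
    full = LETTERS + DIGITS + UK_SPECIAL
    for length in (7, 8, 14):
        print(f"lm, {length} letters: {lm_search_effort(LETTERS, length):,} "
              f"candidates (naive keyspace {candidates_up_to(LETTERS, length):,})")
    print(f"letters done, adding digits at length 7: {new_candidates(LETTERS, DIGITS, 7):,}"
          f" of {candidates_up_to(LETTERS + DIGITS, 7):,} left to test")
    print(f"{full}-symbol uk set, 7 chars: about {estimate_days(full, 7):.0f} days")
```

the estimate for the 71-symbol set lands close to the "approx: 52 days" in the third table, which is a useful sanity check on the plateau model.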

nt has unicode support. not only can control and extended characters be used, but all the second-byte combinations of unicode. antexp.exe does not seem to be able to correctly recover passwords of this nature; many cannot be tested for even if entered into the custom character set. for the range 0-255 a 7-character password has 72,057,594,037,927,936 combinations. for the range 0-65535 a 7-character password has 5,192,296,858,534,827,628,530,496,329,220,100 combinations (lowercase included). light-based processor anyone? although the ime is disabled when entering passwords, such characters can be entered via the alt+numpad (alt+fn+numpad on laptops) method.

<possible sam file improvements>

make the sam hive smaller, fully encrypt it using properly implemented "strong" encryption algorithms, and include checksums for critical sections. remove "security=1" style settings. remove old lanman hashes (service pack 2 does cover this) and release an update for existing networked windows boxes. sign the encryption with hardware codes and have a secure re-sign option for upgrades, or use product keys - they are supposed to be unique, are they not?

this has not been properly researched: improve the file encryption on ntfs. doesn't the built-in administrator account have access to all efs data? this offers no protection against stolen computers, especially laptops.


written by NullAck - who will _not_ reply to questions on how to do it - rtfm!! however comments, errors and ideas are welcomed - not network stuff.

network stuff is being headed up by another member of neworder and should be available soon. contact V1C3

Credits:


http://neworder.box.sk/