From: Aaron Bennett (sec_newbieyahoo.com)
Date: Tue Dec 18 2001 - 12:21:06 CST


    Omar, I'm curious... how were you able to retrieve the admin password
    through a null session? If I recall correctly, the only thing you can do
    with a null session is enumerate info on the host. However, if I'm wrong,
    please correct me.

    cheers
    -ab

    From: "Omar Koudsi" <omarkjeeran.com>
    To: Matt.Carpenteralticor.com, mshawwwisp.com
    CC: focus-mssecurityfocus.com
    Subject: RE: question regarding SAM file / l0phtcrack / pwdump2
    Date: Tue, 18 Dec 2001 04:44:02 +0200

    I am running a similar audit on a machine. I was able to retrieve the
    admin password through a NULL session and then retrieve the SAM file
    using PWDUMP3. However, I was not able to use l0phtcrack to start
    cracking the password; what is the procedure you followed to decrypt the
    passwords?

    -----------
    Omar Koudsi
    IT Architect
    Network Security Center
    Special Systems Company
    http://security.sscjo.com
    omarksscjo.com
    Tel: (9626) 5664221
    Fax: (9626) 5681557

    -----Original Message-----
    From: Matt.Carpenteralticor.com
    [mailto:Matt.Carpenteralticor.com]
    Sent: Monday, December 17, 2001 11:42 PM
    To: mshawwwisp.com
    Cc: focus-mssecurityfocus.com
    Subject: Re: question regarding SAM file / l0phtcrack / pwdump2

    I ran pwdump (I believe it was version 3) on a Win2k server recently and,
    as long as I was connected with admin rights, it pulled the SAM
    immediately and I was able to run l0phtcrack (which indeed took a while)
    and decrypt most everything within a relatively short amount of time. I
    did NOT do the NTFS-DOS route, so I am not certain about that issue.


    From: Mike Shaw <mshawwwisp.com>
    To: focus-mssecurityfocus.com
    Subject: question regarding SAM file / l0phtcrack / pwdump2
    Date: 12/17/2001 04:01 PM


    I'm currently in a quandary over a password audit.

    The servers are all win2k.

    I tried running pwdump2 and pwdump3. They both stop at the blinking cursor
    and never report anything back (waited 1.5 hours). After that, the server
    becomes unstable after a while and a reboot is required (which needless to
    say made the admin very happy). This happens on workstations too. The only
    common thread is Norton AntiVirus. Anyone else observed this?

    I can boot to DOS and snag the SAM file, but it seems very old. When I
    actually extracted the info it was only the local account info--not
    domain.

    I assume that Active Directory user information is stored differently
    even on a PDC?

    I've also sniffed the hashes, but this proves way too time-consuming. The
    double whammy here is when they ask why they have to have secure passwords
    when the system seems impervious to the common pw dumping tools.

    Has anyone else run into this issue? If so, what did you do to get around
    it?

    -Mike

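An added example for the pwdump / l0phtcrack part of this thread (this is not code from any of the posters above, nor from pwdump or l0phtcrack themselves). The pwdump family writes one line per account in the form user:rid:lmhash:nthash:::, which is the format l0phtcrack imports. The script below parses constructed lines in that format, flags accounts whose LM field is the well-known "no LM hash stored" value or whose NT hash is the empty-password value, and runs a small dictionary check by recomputing NT hashes (unsalted MD4 over the UTF-16LE password) with a pure-Python MD4, since hashlib's MD4 is missing on many builds. The sample dump, the wordlist and the svc_backup hash are constructed for the example; the Administrator line carries the well-known LM and NT hashes of the string "password".

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of "" = NT hash of an empty password


def _rol(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(v, f, X, ks, ss, const):
    """One 16-step MD4 round over the state list v = [a, b, c, d] (RFC 1320)."""
    for i in range(16):
        j = (-i) % 4  # register being updated cycles a, d, c, b, a, ...
        x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
        v[j] = _rol(v[j] + f(x, y, z) + X[ks[i]] + const, ss[i % 4])


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on many builds."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        _md4_round(v, F, X, list(range(16)), (3, 7, 11, 19), 0)
        _md4_round(v, G, X, R2, (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, H, X, R3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password (what l0phtcrack attacks)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[1].isdigit():
            continue
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": fields[0], "rid": int(fields[1]), "lm": lm, "nt": nt})
    return entries


def classify(entry: dict) -> str:
    """Say what a cracker can do with the hashes on this line."""
    if entry["nt"] == EMPTY_NT:
        return "empty password"
    if entry["lm"] == EMPTY_LM:
        return "NT only (no LM hash: password over 14 chars or LM storage disabled)"
    return "LM+NT (LM hash present, crack it first)"


def dictionary_audit(entries: list, wordlist: list) -> dict:
    """Return {user: cleartext} for every NT hash matched by a wordlist entry."""
    table = {nt_hash(w): w for w in wordlist}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# Constructed sample dump: Administrator carries the well-known LM/NT hashes of
# "password"; Guest has an empty password; svc_backup's NT hash is a made-up value.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
this line is not in pwdump format and is ignored
"""
WORDLIST = ["Password1", "password", "letmein", "Winter2001"]  # constructed

if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_DUMP)
    for acct in accounts:
        print(f"{acct['user']:<14} rid={acct['rid']:<5} {classify(acct)}")
    print("dictionary hits:", dictionary_audit(accounts, WORDLIST))
```

Running it prints one classification per account followed by the dictionary hits. In a real audit the "LM+NT" accounts are the ones to flag first: the LM hash is two independent 7-character, case-folded DES halves and falls far faster than the NT hash, so an account that still stores one is weak no matter how long the NT side takes to crack.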