win 7 home sam file for admin and user password discovery

13 Posts
10 Users
0 Likes
1,724 Views
(@soleil)
Posts: 6
Active Member
Topic starter
 

Dear colleagues,
I have a dd image of a Win7 Home Premium with two user profiles.
One is admin, the other one is a normal user.
Analyzing the SAM file with RegRipper I discover that both users have no password (the phrase is "password not required"), and going into user\appdata\local\microsoft\credential no file is present.
So I think both admin and user have no password… Can anybody suggest other info on how to discover the password for a user profile?
Thanks

 
Posted : 21/12/2014 3:58 pm
(@thepm)
Posts: 253
Reputable Member
 

You could download Ophcrack (open source/free) along with the free NTLM rainbow tables. Then you can feed it the SAM and SYSTEM registry files. It will indeed tell you which user profiles are on the machine. If no password is set, it should tell you right away. If some passwords are set, it will try cracking them for you.

However, the free tables are quite limited. They have "commercial" tables that cover a wider range of characters and number of chars, but they may be a bit expensive (about $1000 last time I checked).

 
Posted : 21/12/2014 6:58 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Want to be sure?

Image the machine, fire it up in a VM, login. If no password works, then the user account has no password.

 
Posted : 22/12/2014 2:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Image the machine, fire it up in a VM, login.

… provided it does "fire up" and it does not stop with a BSOD, often a 0x0000007b one. 😯
Some intermediate Physical to Virtual conversion steps might well be needed.

jaclaz

 
Posted : 22/12/2014 3:44 pm
(@miket065)
Posts: 187
Estimable Member
 

Be careful misinterpreting the "password not required" flag.

http://windowsir.blogspot.com/search?q=password+not+required

 
Posted : 22/12/2014 4:41 pm
(@soleil)
Posts: 6
Active Member
Topic starter
 

I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set… Perhaps it is better to boot up the image in a VM or to use Ophcrack or something similar.

 
Posted : 22/12/2014 5:04 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set…

WHY?
That is not about the login password; it is about stored credentials (for external logins/access, like Domain ones):
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Saving-Credentials-Windows-Computers.html

The Windows login password is still in the SAM hive.

Can't you simply try running SAMInside
http://en.wikipedia.org/wiki/SAMInside
https://web.archive.org/web/20140208003941/http://www.insidepro.com/eng/saminside.shtml

and have a look at what it finds on a copy of the SAM and SYSTEM Registry hives?

jaclaz

 
Posted : 22/12/2014 5:35 pm
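The two points raised above (miket065's warning about the "password not required" flag, and jaclaz's reminder that the login password lives in the SAM hive) can be checked directly against the raw F and V values of a SAM user key. The following is an added example, not code from the thread or from RegRipper/SAMInside; it parses the Windows 7-era layout of those two values (flag bits at F+0x38, hash entries in the V header at 0x9C/0xA8, offsets relative to 0xCC), reports whether an encrypted NT hash is actually stored, and runs on constructed sample values rather than a real hive. It does not decrypt anything.

```python
import struct

# USER_ACCOUNT_CONTROL bits stored in the SAM user "F" value (same mapping RegRipper's samparse uses).
ACB_FLAGS = {0x0001: "Account Disabled", 0x0002: "Home directory required",
             0x0004: "Password not required", 0x0008: "Temporary duplicate account",
             0x0010: "Normal user account", 0x0020: "MNS logon user account",
             0x0040: "Interdomain trust account", 0x0080: "Workstation trust account",
             0x0100: "Server trust account", 0x0200: "Password does not expire",
             0x0400: "Account auto locked"}

def parse_f_value(f: bytes) -> dict:
    """F value: RID at 0x30, ACB flags at 0x38, failed / total logon counts at 0x40 / 0x42."""
    rid = struct.unpack_from("<I", f, 0x30)[0]
    acb = struct.unpack_from("<H", f, 0x38)[0]
    failed, logins = struct.unpack_from("<HH", f, 0x40)
    return {"rid": rid, "flags": [n for bit, n in ACB_FLAGS.items() if acb & bit],
            "failed_logins": failed, "logins": logins}

def parse_v_value(v: bytes) -> dict:
    """V value: a table of (offset, length, unused) entries, offsets relative to 0xCC.
    Username entry at 0x0C; LM and NT hash entries at 0x9C and 0xA8. On Windows 7 a hash
    entry of length 0x14 holds an encrypted hash; length 4 means no hash is stored."""
    def entry(pos):
        off, length = struct.unpack_from("<II", v, pos)
        return v[0xCC + off:0xCC + off + length]
    return {"name": entry(0x0C).decode("utf-16-le"),
            "lm_hash_present": len(entry(0x9C)) == 0x14,
            "nt_hash_present": len(entry(0xA8)) == 0x14}

def assess_account(f: bytes, v: bytes) -> dict:
    """Combine both values: the ACB flag alone must not be read as 'no password'."""
    info = {**parse_f_value(f), **parse_v_value(v)}
    if info["nt_hash_present"]:
        info["verdict"] = "password set (hash stored); 'Password not required' only permits a blank one"
    else:
        info["verdict"] = "no NT hash stored: blank password"
    return info

def build_sample(name: str, rid: int, acb: int, with_hash: bool):
    """Constructed test vectors, not data from a real hive: minimal F and V values."""
    f = bytearray(0x50)
    struct.pack_into("<IxxxxH", f, 0x30, rid, acb)
    uname = name.encode("utf-16-le")
    nt_blob = b"\x00" * 4 + (b"\xAA" * 16 if with_hash else b"")  # 0xAA stands in for an encrypted hash
    v = bytearray(0xCC)
    struct.pack_into("<II", v, 0x0C, 0, len(uname))
    struct.pack_into("<II", v, 0x9C, len(uname), 4)              # LM entry: header only, no hash
    struct.pack_into("<II", v, 0xA8, len(uname) + 4, len(nt_blob))
    return bytes(f), bytes(v) + uname + b"\x00" * 4 + nt_blob

if __name__ == "__main__":
    for args in (("admin", 1000, 0x0014, True), ("user", 1001, 0x0014, False)):
        print(assess_account(*build_sample(*args)))
```

Both constructed accounts carry the "Password not required" bit, but only the first has an NT hash stored, which is the distinction the flag alone cannot make.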
(@miket065)
Posts: 187
Estimable Member
 

Also, cracking the password may, in some situations, have probative value and/or offer insight into the psyche of the password creator.

 
Posted : 22/12/2014 6:19 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I had a case where the laptop owner created a new user account (Windows 7), then used CCleaner to delete volume shadow copies, and then finally he deleted the user account which he had used to delete the VSCs.

Early on in my analysis, I thought it was very strange that there was so little evidence being recovered from a five year old laptop.

I was seeing different Windows SIDs depending on which tool I used to reveal and identify RIDs (-500 / -1000 / -1001 / -1001_1001 / etc.) which confused me at first, but led me to use one of TZWorks tools to carve unallocated space in the MFT, thus leading to the identification of the previously deleted SID.

So, it may be worth listing up your SID account numbers in at least a few tools to see if all of your tools report the same number of accounts.

If you have the coin, I also highly recommend purchasing Passmark's OSForensics tool at $500 USD. OSForensics will create a full text index of your image and automatically create project specific dictionary attacks in its password module. This has worked a charm for me more than once.

The OSForensics module will also provide an easy report on the SID user accounts' encrypted password values in case you want to try to crack them elsewhere. If there is no encrypted password exposed in OSForensics, then perhaps there is no password to recover.

I think the demo version will allow you to at least pull out the SIDs it sees in the SAM file and display a (encrypted) password if there is one.

I have no professional affiliation with nor interests in Passmark, but am gently pressuring them to roll out a certification process. This tool is the best economic deal in forensics in my humble opinion, but does not seem to get the exposure it deserves.

 
Posted : 22/12/2014 10:53 pm
(@randomaccess)
Posts: 385
Reputable Member
 

+1 for Ophcrack, and then double check by firing up a VM.
For VM stuff look at justaskweg or download LiveView (or whatever the name's been changed to now).

Side note: has anyone created a test where they put a password hint on the machine and then disabled the password? If the hint field is cleared when the password is removed, then that would be a decent test to say that there was a password on the machine (but not to say there wasn't a password).

 
Posted : 25/12/2014 12:55 pm