User passwords in the Registry

17 Posts
10 Users
0 Likes
4,900 Views
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Hey all,

How do you know if a user had a password on their account?

Seems like a simple question but I've been trying to understand the 'Last Reset' time in the SAM\Domains\Account\Users\

Will this time also change if the user removed their password? As technically it has 'changed' from having a password to not having one.

I just want to know if the user had a password or not, any help or guidance to find where this is stored I'd be very grateful.

 
Posted : 19/03/2010 2:10 pm
(@ssenyl)
Posts: 25
Eminent Member
 

If you look in the HKLM\SAM\SAM\Domains\Account\Names you will find a list of all user accounts on the machine. Select the one you are interested in and you will find the key contains a value (e.g. 0x3E8). This is the Relative Identifier (RID).

Using that information go to HKLM\SAM\SAM\Domains\Account\Users which will contain a number of folders named such as 000003E8.

In this example this relates to the user 'Rob' identified in stage 1.

Select that key and you will find it contains a subkey named 'V'. Double click it and scroll down to the location 00AC. If the value is 14 then a password is set.

Another subkey may be UserPasswordHint. Double click it and you will be able to read what the hint is.

Hope this helps?

 
Posted : 19/03/2010 3:49 pm
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

I've found the subkey 'V' but what do you mean by 'location 00AC'?

I've found the value 00 AC in HEX and there are a few 14's scattered around the place, but these 14's are in HEX so I'm not sure - where do you find this location?

I'm using Access Data's Registry Viewer by the way.

 
Posted : 19/03/2010 4:14 pm
(@ssenyl)
Posts: 25
Eminent Member
 

00AC refers to the offset (172 decimal). I can't remember if Access Data Registry Viewer shows offsets in decimal or hex, but either way, if you have the V key open and get to the offset mentioned, the value 14 indicates that a password is present.

 
Posted : 19/03/2010 5:04 pm
(@woany)
Posts: 28
Eminent Member
 

Try my ForensicUserInfo tool, which was written for exactly this purpose

http://www.woanware.co.uk/forensicuserinfo/

To use it, you need to extract the SAM, SYSTEM and SOFTWARE hives. When you select the File->Open option, it will prompt three times, once for each hive; it will tell you the required hive in the title bar of the Open File dialog.

There is a column called "Password Required" which will tell you the current password requirement for each user.

It is not as simple as just looking at the registry values, the stored registry values need to be deobfuscated using a number of algorithms including RC4 and DES, along with the SYSKEY to retrieve the NTLM and LANMAN hashes. Only then can it be determined if a password is required for a user.

 
Posted : 19/03/2010 11:22 pm
(@sierraindia)
Posts: 24
Eminent Member
 

If you can get the image to boot in a virtual machine then you can try to logon using each user account and see if you get a password prompt.

 
Posted : 21/03/2010 8:27 pm
(@paulo111)
Posts: 36
Eminent Member
 

Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..

 
Posted : 23/03/2010 4:30 pm
JSkier
(@jskier)
Posts: 24
Eminent Member
 

Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..

I love using ophcrack for this. However, how does it stand up in court? Anyone have experience testifying after using ophcrack to extract passwords (mostly looking for US criminal court exp)? Perhaps worth supplemental testing with LiveView to make sure it is accurate?

 
Posted : 15/05/2010 12:42 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The "Password not required" flag in the user account does not tell you whether or not a user has a password…rather
http://windowsir.blogspot.com/2009/07/user-account-analysis.html

In order to determine if the user has a password on their account, extract the SAM and System hives and run them through SAMInside, or through pwdump7, and then John the Ripper, Cain, etc. If the password comes up blank, then the user had a blank password.

If you're not sure about that, boot the image via LiveView and test it.

 
Posted : 15/05/2010 4:44 am
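As an added example (not from the thread, and not code from ForensicUserInfo, Ophcrack, SAMInside or any other tool named here): a Python parser for the raw F and V values of a SAM user key, covering the offset 00AC check from the earlier replies and the "Password not required" flag from this one. The offsets follow the layouts used by samdump2, creddump and RegRipper; the sample records are constructed rather than taken from a real hive, and the 20-byte hash blob is a placeholder, since the real one is RC4/DES-wrapped under the SYSKEY.

```python
"""Parse the raw F and V values of a SAM user key (SAM\\Domains\\Account\\Users\\<RID>).

Added example; not from the thread or any tool named in it. Offsets follow the
layouts used by samdump2/creddump/RegRipper; sample records below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# Account-control bits kept in the F value at offset 0x38.
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004   # "password not required": a policy bit, not proof of a blank password
ACB_NORMAL   = 0x0010
ACB_PWNOEXP  = 0x0200

# NT hash of the empty string (MD4 of "" in UTF-16LE). A *decrypted* NT hash equal to
# this means a blank password. The raw V value never holds the hash in clear, so this
# test only applies after the SYSKEY/RC4/DES step the thread describes.
BLANK_NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601) -> aware datetime; 0 or max mean 'never'."""
    if ft == 0 or ft == 0x7FFFFFFFFFFFFFFF:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_f(f: bytes) -> dict:
    """F value: fixed-size record holding timestamps, the RID and the ACB flags."""
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(struct.unpack_from("<Q", f, 0x08)[0]),
        "pwd_last_set": filetime_to_datetime(struct.unpack_from("<Q", f, 0x18)[0]),  # 'Last Reset'
        "acb_flags": acb,
        "password_not_required": bool(acb & ACB_PWNOTREQ),
        "disabled": bool(acb & ACB_DISABLED),
    }

def parse_v(v: bytes) -> dict:
    """V value: a header of (offset, length) pairs, then variable data starting at 0xCC."""
    name_off, name_len = struct.unpack_from("<II", v, 0x0C)
    nt_off, nt_len = struct.unpack_from("<II", v, 0xA8)   # the dword at 0xAC is the NT hash length
    name = v[0xCC + name_off: 0xCC + name_off + name_len].decode("utf-16-le")
    return {"username": name, "nt_hash_len": nt_len,
            "nt_hash_blob": v[0xCC + nt_off: 0xCC + nt_off + nt_len]}

def nt_hash_status(nt_len: int) -> str:
    """What the length at V[0xAC] tells you, and no more."""
    if nt_len == 0x04:
        return "no NT hash stored"               # header only: nothing to decrypt
    if nt_len == 0x14:
        return "RC4-encrypted NT hash stored"    # the '14' from the thread
    if nt_len == 0x38:
        return "AES-encrypted NT hash stored"    # newer Windows 10/11 builds
    return f"unexpected NT hash length {nt_len:#x}"

def is_blank_password(decrypted_nt_hash: bytes) -> bool:
    """The decisive test, valid only on a hash already unwrapped with the SYSKEY."""
    return decrypted_nt_hash == BLANK_NT_HASH

# --- constructed sample records (hypothetical, not from a real hive) ---------
def build_v(username: str, nt_blob: bytes) -> bytes:
    hdr = bytearray(0xCC)
    name = username.encode("utf-16-le")
    struct.pack_into("<II", hdr, 0x0C, 0, len(name))
    struct.pack_into("<II", hdr, 0xA8, len(name), len(nt_blob))
    return bytes(hdr) + name + nt_blob

def build_f(rid: int, acb: int, pwd_last_set: datetime) -> bytes:
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    return bytes(f)

def describe(f: bytes, v: bytes) -> dict:
    info = parse_f(f)
    info.update(parse_v(v))
    info["nt_hash_status"] = nt_hash_status(info["nt_hash_len"])
    return info

# 'Rob', RID 0x3E8, password-not-required set; placeholder 20-byte hash blob
# (2-byte PEK id + 2-byte revision header, then 16 encrypted bytes).
ROB_V = build_v("Rob", b"\x01\x00\x01\x00" + bytes(16))
ROB_F = build_f(0x3E8, ACB_NORMAL | ACB_PWNOEXP | ACB_PWNOTREQ,
                datetime(2010, 3, 19, 14, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, val in describe(ROB_F, ROB_V).items():
        print(f"{key:>22}: {val}")
```

What the parser shows: the dword at V offset 0xAC is the length of the stored NT hash blob (0x14 means an RC4-wrapped hash is present, 0x04 means none is stored), and bit 0x0004 of the F value's ACB flags is the "password not required" policy flag. Neither proves the password is blank: a blank password can still leave a stored hash, so the decisive check is decrypting that blob with the SYSKEY and comparing it against the empty-string NT hash, which is what the hash-dumping tools mentioned above do for you.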
(@rampage)
Posts: 354
Reputable Member
 

Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..

I love using ophcrack for this. However, how does it stand up in court? Anyone have experience testifying after using ophcrack to extract passwords (mostly looking for US criminal court exp)? Perhaps worth supplemental testing with LiveView to make sure it is accurate?

I don't live in the US, so maybe it differs from here in Italy, but as long as
- you don't alter the original evidence
- you make the act repeatable
- you can demonstrate that ophcrack is a reliable way to determine if a user has a password set or not (and this is the difficult part because you have to provide documentation about its reliability)

it can be used in court.

 
Posted : 15/05/2010 5:18 am