NTLM missing


NTLM missing

Post Posted: Mon Apr 16, 2018 6:57 am

I have successfully managed to boot up an E01 file using VirtualBox.
RegRipper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.

Since there is no password I can't find the NTLM hash in the SAM hive. Should there be an old password located in any other hive? Does anyone know exactly where?

Regards  

imsdal
Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 7:34 am

Sounds like a Windows Live account is being used.
I cannot remember off the top of my head where the hashes are for those accounts, but it's not the default location.
Have a Google for Windows Live account hash location.  

minime2k9
Senior Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 9:58 am

I don't know if Windows Live accounts are treated the same, but domain account credentials are cached so that you can log in when your computer is offline or off your work network.

www.securusglobal.com/...edentials/  

tracedf
Senior Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 12:30 pm

- imsdal

RegRipper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.

Since there is no password I can't find the NTLM hash in the SAM hive. Should there be an old password located in any other hive? Does anyone know exactly where?


The issue is that what you saw doesn't mean what you think it means.

windowsir.blogspot.com...parse.html

When the RegRipper samparse.pl plugin returns "Password Not Required", it's based on a flag check in the hive, and does NOT mean that the account doesn't have a password...it simply means that the account is not required to have a password. The distinction may seem subtle, but it's there.

Extract the System and SAM hives from the image, and use your favorite password extractor/cracker, like L0phtcrack or John the Ripper.  

keydet89
Senior Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 12:32 pm

Another option is to use Peter Nordahl's boot disk: www.chntpw.com/download/

Change the settings of the VM to boot from the downloaded ISO, and use the utility to change the password. A non-technical friend of mine did exactly that with an older Win7 laptop this past weekend.  

keydet89
Senior Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 12:39 pm

They are still in the SAM but on a path *like* (supposing to access an actual online SAM hive):
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1

Where of course the 000003a1 is the RID of the user.
www.morgantechspace.co...id-in.html

I don't think there is an easy way (in case of multiple users) to find which RID is related to which user.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: NTLM missing

Post Posted: Mon Apr 16, 2018 2:27 pm

- jaclaz
They are still in the SAM but on a path *like* (supposing to access an actual online SAM hive):
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1

Where of course the 000003a1 is the RID of the user.
www.morgantechspace.co...id-in.html

I don't think there is an easy way (in case of multiple users) to find which RID is related to which user.

jaclaz


Actually, there is...or, are. Several.

First, this blog post illustrates the output of the samparse.pl plugin:

windowsir.blogspot.com...e-ups.html

Second, the ProfileList key in the Software hive maps SIDs to profile paths.

HTH  

keydet89
Senior Member
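Putting jaclaz's question and keydet89's answer together: three places tie a RID to a name, and they can be joined mechanically. The Users subkey name is the RID in zero-padded hex (jaclaz's 000003a1 is RID 929); the default value under Users\Names\<username> carries the RID in its data type field rather than its data, which is why registry viewers show it as empty and why samparse reads the value's type; and ProfileList in the Software hive maps full SIDs, whose last component is the RID, to profile directories. The block below is an added example of that join, not code from either poster. The key names, VK cell, SIDs and paths are constructed sample data, the VK cell layout is the standard hive cell format as I know it (assumed, not from this thread), and the machine SID used to separate local from domain profiles is a made-up value.

```python
import struct


def rid_from_users_key(key_name: str) -> int:
    r"""SAM\Domains\Account\Users\<000003E9>: the subkey name is the RID in hex."""
    return int(key_name, 16)


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1001."""
    return int(sid.rsplit("-", 1)[1])


def rid_from_names_vk(vk_cell: bytes) -> int:
    r"""SAM\Domains\Account\Users\Names\<username> holds one default value whose
    data *type* field is the RID. Takes the raw VK cell body starting at the
    'vk' signature: name_len u16 @2, data_len u32 @4, data_off u32 @8,
    data_type u32 @12, flags u16 @16 (hive-format layout, assumed)."""
    if vk_cell[:2] != b"vk":
        raise ValueError("not a VK cell")
    return struct.unpack_from("<I", vk_cell, 12)[0]


def resolve_accounts(users_keys, names_vk_cells, profile_list, machine_sid):
    r"""Join the three sources on RID.
    users_keys: subkey names under Users (excluding Names)
    names_vk_cells: username -> raw VK cell of the default value under Names
    profile_list: SID -> ProfileImagePath from
        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    Only SIDs under the local machine SID are local accounts; domain accounts
    also appear in ProfileList but have no SAM entry, so they are skipped."""
    by_rid = {rid_from_users_key(k): {"users_key": k} for k in users_keys}
    for user, cell in names_vk_cells.items():
        by_rid.setdefault(rid_from_names_vk(cell), {})["username"] = user
    for sid, path in profile_list.items():
        if sid.startswith(machine_sid + "-"):
            by_rid.setdefault(rid_from_sid(sid), {})["profile"] = path
    return by_rid


# --- constructed sample data (not from a real system) ---------------------
def make_vk(rid: int) -> bytes:
    """Minimal VK cell: empty name, no data, type field carrying the RID."""
    return b"vk" + struct.pack("<HIIIHH", 0, 0, 0, rid, 0, 0)


MACHINE_SID = "S-1-5-21-111-222-333"
USERS_KEYS = ["000001F4", "000001F5", "000003E9"]
NAMES = {
    "Administrator": make_vk(0x1F4),
    "Guest": make_vk(0x1F5),
    "analyst": make_vk(0x3E9),
}
PROFILE_LIST = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-21-111-222-333-1001": r"C:\Users\analyst",
    "S-1-5-21-999-888-777-1105": r"C:\Users\jdoe",   # domain account
}

if __name__ == "__main__":
    for rid, row in sorted(resolve_accounts(USERS_KEYS, NAMES, PROFILE_LIST, MACHINE_SID).items()):
        print(rid, row)
```

Accounts with a SAM entry but no ProfileList entry (built-in Administrator and Guest above) have simply never logged on interactively; a ProfileList SID with no SAM entry is a domain or Microsoft-account-linked profile whose credentials are not in the local SAM's Users keys.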
 
 
