User passwords in the Registry  

Page 1 / 2
chrism
(@chrism)
Member

Hey all,

How do you know if a user had a password on their account?

Seems like a simple question but I've been trying to understand the 'Last Reset' time in the SAM\Domains\Account\Users\

Will this time also change if the user removed their password? As technically it has 'changed' from having a password to not having one.

I just want to know if the user had a password or not, any help or guidance to find where this is stored I'd be very grateful.

Posted : 19/03/2010 2:10 pm
ssenyl
(@ssenyl)
Junior Member

If you look in the HKLM\SAM\SAM\Domains\Account\Names you will find a list of all user accounts on the machine. Select the one you are interested in and you will find the key contains a value (e.g 0x3E8). This is the Relative Identifier (RID).

Using that information go to HKLM\SAM\SAM\Domains\Account\Users which will contain a number of folders named such as 000003E8.

In this example this relates to the user 'Rob' identified in stage 1.

Select that key and you will find it contains a subkey named 'V'. Double click it and scroll down to the location 00AC. If the value is 14 then a password is set.

Another subkey may be UserPasswordHint. Double click it and you will be able to read what the hint is.

Hope this helps?

Posted : 19/03/2010 3:49 pm
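The two stages ssenyl describes (Names → RID → Users\<RID> → V value, hash length at 0xAC), carried out on a raw V value as an added Python example that is not code from this thread; the header layout and the 0x14-versus-4 length rule are assumptions taken from the public description of the SAM V structure, and the code only inspects lengths, it never touches the SYSKEY-protected hash bytes themselves.

```python
import struct

# V value layout (assumed from public SAM V-structure descriptions, not from the post):
# a 0xCC-byte header of 17 entries, each 12 bytes: (offset from 0xCC, length, flags),
# followed by the variable-length data the entries point at.
V_HEADER_LEN = 0xCC
ENTRY_USERNAME = 0x0C  # UTF-16LE account name
ENTRY_LM_HASH = 0x9C   # obfuscated LM hash blob (length field at 0xA0)
ENTRY_NT_HASH = 0xA8   # obfuscated NT hash blob (length field at 0xAC, the byte the post mentions)
HASH_BLOB_LEN = 0x14   # 4-byte header + 16-byte RC4/DES-wrapped hash; 4 (or 0) means no hash stored

def rid_to_users_key(rid: int) -> str:
    """Map the RID found under Account\\Names (e.g. 0x3E8) to its Account\\Users subkey name."""
    return f"{rid:08X}"

def _entry(v: bytes, pos: int):
    """Return (absolute offset, length) for the header entry starting at pos."""
    rel_off, length = struct.unpack_from("<II", v, pos)
    return V_HEADER_LEN + rel_off, length

def parse_v(v: bytes) -> dict:
    """Answer 'is a password set?' from a raw V value without decrypting anything."""
    if len(v) < V_HEADER_LEN:
        raise ValueError("V value too short to hold the 0xCC-byte header")
    name_off, name_len = _entry(v, ENTRY_USERNAME)
    _, lm_len = _entry(v, ENTRY_LM_HASH)
    _, nt_len = _entry(v, ENTRY_NT_HASH)
    return {
        "username": v[name_off:name_off + name_len].decode("utf-16-le"),
        "lm_hash_len": lm_len,
        "nt_hash_len": nt_len,
        # >= keeps the rule valid for newer hives whose AES-wrapped blob is longer than 0x14
        "password_set": nt_len >= HASH_BLOB_LEN or lm_len >= HASH_BLOB_LEN,
    }

def build_v(username: str, nt_hash_len: int) -> bytes:
    """Construct a minimal V value for testing; only the three entries parse_v reads are filled."""
    header, data = bytearray(V_HEADER_LEN), bytearray()
    for entry, blob in ((ENTRY_USERNAME, username.encode("utf-16-le")),
                        (ENTRY_LM_HASH, b"\x00" * 4),            # no LM hash
                        (ENTRY_NT_HASH, b"\x00" * nt_hash_len)):  # zeroed stand-in for the hash blob
        struct.pack_into("<III", header, entry, len(data), len(blob), 0)
        data += blob
    return bytes(header + data)

if __name__ == "__main__":
    for name, nt_len in (("Rob", HASH_BLOB_LEN), ("Guest", 4)):  # constructed sample accounts
        print(rid_to_users_key(0x3E8), parse_v(build_v(name, nt_len)))
```

On a real hive, read the V value with any offline registry parser and pass its bytes to parse_v; the `build_v` blobs are constructed test data, not hive content.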
chrism
(@chrism)
Member

I've found the subkey 'V' but what do you mean by 'location 00AC'?

I've found the value 00 AC in HEX and there are a few 14's scattered around the place, but these 14's are in HEX so I'm not sure - where do you find this location?

I'm using Access Data's Registry Viewer by the way.

Posted : 19/03/2010 4:14 pm
ssenyl
(@ssenyl)
Junior Member

00AC refers to the offset (172 decimal). I can't remember if Access Data Registry Viewer shows offsets in decimal or hex, but either way, if you have the V key open and get to the offset mentioned, the value 14 indicates that a password is present.

Posted : 19/03/2010 5:04 pm
woany
(@woany)
Junior Member

Try my ForensicUserInfo tool, which was written for exactly this purpose

http://www.woanware.co.uk/forensicuserinfo/

To use it, you need to extract the SAM, SYSTEM and SOFTWARE hives. When you select the File->Open option, it will prompt three times, once for each hive; it will tell you the required hive in the title bar of the Open File dialog.

There is a column called "Password Required" which will tell you the current password requirement for each user.

It is not as simple as just looking at the registry values, the stored registry values need to be deobfuscated using a number of algorithms including RC4 and DES, along with the SYSKEY to retrieve the NTLM and LANMAN hashes. Only then can it be determined if a password is required for a user.

Posted : 19/03/2010 11:22 pm
sierraindia
(@sierraindia)
New Member

If you can get the image to boot in a virtual machine then you can try to logon using each user account and see if you get a password prompt.

Posted : 21/03/2010 8:27 pm
paulo111
(@paulo111)
Junior Member

Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..

Posted : 23/03/2010 4:30 pm
JSkier
(@jskier)
New Member

> Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..

I love using ophcrack for this. However, how does it stand up in court? Anyone have experience testifying after using ophcrack to extract passwords (mostly looking for US criminal court exp)? Perhaps worth supplemental testing with LiveView to make sure it is accurate?

Posted : 15/05/2010 1:42 am
keydet89
(@keydet89)
Community Legend

The "Password not required" flag in the user account does not tell you whether or not a user has a password…rather
http://windowsir.blogspot.com/2009/07/user-account-analysis.html

In order to determine if the user has a password on their account, extract the SAM and System hives and run them through SAMInside, or through pwdump7, and then John the Ripper, Cain, etc. If the password comes up blank, then the user had a blank password.

If you're not sure about that, boot the image via LiveView and test it.

Posted : 15/05/2010 5:44 am
Rampage
(@rampage)
Active Member

> Ophcrack would show you accounts without a password. You just export the SAM and import it into Ophcrack outside the case… The free rainbow tables are available, but I am not sure on the charge for the larger tables..
>
> I love using ophcrack for this. However, how does it stand up in court? Anyone have experience testifying after using ophcrack to extract passwords (mostly looking for US criminal court exp)? Perhaps worth supplemental testing with LiveView to make sure it is accurate?

I don't live in the US, so maybe it differs from here in Italy, but as long as
- you don't alter the original evidence
- you make the act repeatable
- you can demonstrate that ophcrack is a reliable way to determine if a user has a password set or not (and this is the difficult part because you have to provide documentation about its reliability)

it can be used in court.

Posted : 15/05/2010 6:18 am
keydet89
(@keydet89)
Community Legend

More to the point, if you thoroughly document what you do, and your findings can be reproduced, why wouldn't they be able to be used in court?

I still believe that far too many folks are stuck on the question of "can it be used in court", without ever considering that there are plenty of things that at one point were not used in court, but are now commonplace…fingerprints, DNA, etc.

The difference is that rather than being frozen into inaction by the question, the folks who brought those types of evidence forward realized the value of the evidence, and applied rigor and structure to the analysis and the evidence so that the findings could be reproduced.

Posted : 15/05/2010 5:53 pm
Rampage
(@rampage)
Active Member

KeyDet for president \o/

Posted : 15/05/2010 6:22 pm
ehuber
(@ehuber)
Member

> The difference is that rather than being frozen into inaction by the question, the folks who brought those types of evidence forward realized the value of the evidence, and applied rigor and structure to the analysis and the evidence so that the findings could be reproduced.

And for those who don't know, Harlan was one of the leading voices along with folks like Rob Lee and others who led the community on this issue. When people like Harlan get an idea in their head and decide to advocate for it, it's a good thing for all of the rest of us. Harlan was the one who opened my eyes up to the possibilities relating to memory forensics.

I recently completed SANS SEC508 OnDemand with Rob Lee. Rob mentioned something that really has stuck with me that I'd like to share. He made a very important point about how in most circumstances, it's not a matter of if your response is going to change the evidence, but how it's going to change it.

Think about it. Rob points out that the old school method was to just pull the plug to preserve the evidence on the hard disk, but that also destroys all of the really good data in memory. These days, that means we're talking about gigabytes of data lost by pulling that plug. In light of that, is it really so awful changing some of the data on a disk by doing something like using FTK Imager Lite to image to a USB device that you installed in a machine or to a network share somewhere?

I think it might have been Ovie Carroll (someone correct me if I'm getting the attribution wrong on this) who pondered whether some attorney someday will make the case that by not preserving memory a mistake was made in the evidence collection process.

Posted : 15/05/2010 9:39 pm
DaveAllen
(@daveallen)
New Member

I've used ForensicUserInfo from http://www.woanware.co.uk/ for this. It's free and just needs to be pointed at the extracted registry files.

Posted : 15/05/2010 10:26 pm
keydet89
(@keydet89)
Community Legend

> I recently completed SANS SEC508 OnDemand with Rob Lee. Rob mentioned something that really has stuck with me that I'd like to share. He made a very important point about how in most circumstances, it's not a matter of if your response is going to change the evidence, but how it's going to change it.

Excellent point.

Also, keep in mind that a responder's inaction can be as detrimental to response as their actions, even misguided ones (i.e., running AV, deleting files, etc.). A great deal occurs on a system when you do nothing more than just watch it…processes complete executing, network connections change state/terminate, and in general, volatile data decays.

On Windows XP in particular, every 24 hrs, a System Restore Point is created, and if appropriate, one or more may be deleted. Every three days, a limited defrag of the disk is run. Both of these are documented behaviors…documented by MS.

Rob's dead on point…responders need to understand what effect their actions will have on systems.

> I think it might have been Ovie Carroll (someone correct me if I'm getting the attribution wrong on this) who pondered whether some attorney someday will make the case that by not preserving memory a mistake was made in the evidence collection process.

I'd think that this would occur sooner rather than later.

Posted : 15/05/2010 11:49 pm