I have successfully managed to boot up an E01 file using VirtualBox.
RegRipper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.
Since there is no password I can't find the NTLM hash in the SAM hive. Should there be an old password located in any other hive? Does anyone know exactly where?
Regards
Sounds like a Windows Live account is being used.
I cannot remember off the top of my head where the hashes are for those accounts, but it's not the default location.
Have a Google for Windows Live account hash location.
I don't know if Windows Live accounts are treated the same, but domain account credentials are cached so that you can log in when your computer is offline or off your work network.
https://
RegRipper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login. Since there is no password I can't find the NTLM hash in the SAM hive. Should there be an old password located in any other hive? Does anyone know exactly where?
The issue is that what you saw doesn't mean what you think it means. 😉
http://windowsir.blogspot.com/2013/05/plugin-samparse.html
When the RegRipper samparse.pl plugin returns "Password Not Required", it's based on a flag check in the hive, and does NOT mean that the account doesn't have a password…it simply means that the account is not required to have a password. The distinction may seem subtle, but it's there.
Extract the System and SAM hives from the image, and use your favorite password extractor/cracker, like L0phtcrack or John the Ripper.
Another option is to use Peter Nordahl's boot disk http//
Change the settings of the VM to boot from the downloaded ISO, and use the utility to change the password. A non-technical friend of mine did exactly that with an older Win7 laptop this past weekend.
They are still in the SAM, but on a path *like* (supposing you access an actual online SAM hive)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1
where of course the 000003a1 is the RID of the user.
https://www.morgantechspace.com/2013/10/difference-between-rid-and-sid-in.html
I don't think there is an easy way (in the case of multiple users) to find which RID is related to which user.
jaclaz
They are still in the SAM, but on a path *like* (supposing you access an actual online SAM hive)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1
where of course the 000003a1 is the RID of the user.
https://www.morgantechspace.com/2013/10/difference-between-rid-and-sid-in.html
I don't think there is an easy way (in the case of multiple users) to find which RID is related to which user.
jaclaz
Actually, there is…or, are. Several.
First, this blog post illustrates the output of the samparse.pl plugin
http//
Second, the ProfileList key in the Software hive maps SIDs to profile paths.
HTH
RegRipper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login. Since there is no password I can't find the NTLM hash in the SAM hive. Should there be an old password located in any other hive? Does anyone know exactly where?
The issue is that what you saw doesn't mean what you think it means. 😉
http://windowsir.blogspot.com/2013/05/plugin-samparse.html
When the RegRipper samparse.pl plugin returns "Password Not Required", it's based on a flag check in the hive, and does NOT mean that the account doesn't have a password…it simply means that the account is not required to have a password. The distinction may seem subtle, but it's there.
Extract the System and SAM hives from the image, and use your favorite password extractor/cracker, like L0phtcrack or John the Ripper.
Great info! Thanks! However the NTLM hash when dropping the hives into ophcrack is 31d6cfe0d16ae931b73c59d7e0c089c0, hence no password, right?
Second, the ProfileList key in the Software hive maps SIDs to profile paths.
HTH
Sure :), we only use a different definition of "easy".
Re-checking it, it is actually "easy" ;).
Below
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
besides the keys *like*
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
there is a key
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
where there is a key for each user, i.e. (example)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator
whose default value (binary) is 0x1f4
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
whose default value (binary) is 0x1f5
and 0x1F4 converted to decimal is 500, 0x1F5 is 501, etc.
jaclaz
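Pulling the three pieces of this thread together as an added Python example (my code, not from the thread, from RegRipper or from any poster): the RID of a local account is the *type* field of the (Default) value under Users\Names\<user>, the "Password not required" result is a single bit in the account-control word of that user's F value, and the ProfileList key in the Software hive ties a SID (whose last component is the RID) to a profile path. All hive contents below are constructed; the F-value offsets (0x08 last login, 0x18 password last set, 0x28 last failed login, 0x38 ACB flags) are the ones samparse.pl reads and are taken here as an assumption. To use it on a real image, feed it the raw values from whatever offline hive parser you already use.

```python
# Added example (not from the thread or from RegRipper): map user name -> RID
# -> F-value flags -> profile path. Hive contents are constructed; F-value
# offsets are the ones samparse.pl reads and are an assumption on my part.
import struct
from datetime import datetime, timedelta, timezone

# Account-control bits in the 16-bit word at offset 0x38 of the F value.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}
ACB_PWNOTREQ = 0x0004

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never'."""
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - _EPOCH_1601            # integer arithmetic: float seconds would lose ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_f_value(f):
    """Decode the F-value fields samparse.pl reports (offsets assumed from that plugin)."""
    if len(f) < 0x3A:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_login, = struct.unpack_from("<Q", f, 0x08)
    pw_last_set, = struct.unpack_from("<Q", f, 0x18)
    last_failed, = struct.unpack_from("<Q", f, 0x28)
    acb, = struct.unpack_from("<H", f, 0x38)
    return {
        "acb": acb,
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        # A policy bit: says the account MAY have an empty password, not that it does.
        "password_not_required": bool(acb & ACB_PWNOTREQ),
        "last_login": filetime_to_datetime(last_login),
        "pw_last_set": filetime_to_datetime(pw_last_set),
        "last_failed_login": filetime_to_datetime(last_failed),
    }

def build_f_value(acb, last_login=None, pw_last_set=None):
    """Constructed F value (test data only) with just the fields parse_f_value reads."""
    f = bytearray(0x50)
    if last_login:
        struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_login))
    if pw_last_set:
        struct.pack_into("<Q", f, 0x18, datetime_to_filetime(pw_last_set))
    struct.pack_into("<H", f, 0x38, acb)
    return bytes(f)

def account_report(names, users, profile_list):
    """names:        {username: type of the (Default) value under Users\\Names\\<username>};
                     that type field IS the RID (0x1F4 -> 500 for Administrator).
       users:        {"000001F4": F bytes, ...} keyed by the 8-hex-digit RID subkey name.
       profile_list: {SID: ProfileImagePath} from the Software hive's ProfileList key;
                     a local account's SID ends in its RID."""
    by_rid = {int(key, 16): f for key, f in users.items()}
    report = []
    for user, rid in names.items():
        entry = {"user": user, "rid": rid, "key": "%08X" % rid, "profile": None}
        for sid, path in profile_list.items():
            if sid.rsplit("-", 1)[-1] == str(rid):
                entry["profile"] = path
        if rid in by_rid:
            entry.update(parse_f_value(by_rid[rid]))
        report.append(entry)
    return report

# Constructed sample hive contents (not from any real system).
SAMPLE_NAMES = {"Administrator": 0x1F4, "Guest": 0x1F5, "alice": 0x3A1}
SAMPLE_USERS = {
    "000001F4": build_f_value(0x0211),   # normal, disabled, password never expires
    "000001F5": build_f_value(0x0215),   # Guest: the above plus "password not required"
    "000003A1": build_f_value(0x0014,    # normal account, password not required
                              last_login=datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)),
}
SAMPLE_PROFILES = {
    "S-1-5-21-1111-2222-3333-500": r"C:\Users\Administrator",
    "S-1-5-21-1111-2222-3333-929": r"C:\Users\alice",   # 0x3A1 == 929
}

def demo():
    return {e["user"]: e for e in account_report(SAMPLE_NAMES, SAMPLE_USERS, SAMPLE_PROFILES)}

if __name__ == "__main__":
    for name, e in demo().items():
        print("%-14s RID %4d key %s pwnotreq=%-5s last_login=%s profile=%s" % (
            name, e["rid"], e["key"], e["password_not_required"], e["last_login"], e["profile"]))
```

The point of the join is that "Password not required" for alice comes back True while nothing here says what her hash is; that is a separate lookup in the V value, which is exactly the distinction made earlier in the thread.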
Great info! Thanks! However the NTLM hash when dropping the hives into ophcrack is 31d6cfe0d16ae931b73c59d7e0c089c0, hence no password, right?
I'm not sure I follow the logic there…did you try cracking it?