NTLM missing

13 Posts
6 Users
0 Likes
1,829 Views
(@imsdal)
Posts: 17
Active Member
Topic starter
 

I have successfully managed to boot up an E01 file using Virtualbox.
Regripper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.

Since there is no password I can't find the NTLM hash in the SAM hive. Is there an old password stored in any other hive? Does anyone know exactly where?

Regards

 
Posted : 16/04/2018 12:57 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Sounds like a Windows Live account is being used.
I cannot remember off the top of my head where the hashes are for those accounts, but it's not the default location.
Have a Google for Windows Live account hash location.

 
Posted : 16/04/2018 1:34 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

I don't know if Windows Live accounts are treated the same, but domain account credentials are cached so that you can log in when your computer is offline or off your work network.

https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/

 
Posted : 16/04/2018 3:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Regripper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.

Since there is no password I can't find the NTLM hash in the SAM hive. Is there an old password stored in any other hive? Does anyone know exactly where?

The issue is that what you saw doesn't mean what you think it means. 😉

http://windowsir.blogspot.com/2013/05/plugin-samparse.html

When the RegRipper samparse.pl plugin returns "Password Not Required", it's based on a flag check in the hive, and does NOT mean that the account doesn't have a password…it simply means that the account is not required to have a password. The distinction may seem subtle, but it's there.

Extract the System and SAM hives from the image, and use your favorite password extractor/cracker, like L0phtcrack or John the Ripper.

 
Posted : 16/04/2018 6:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Another option is to use Peter Nordahl's boot disk: http://www.chntpw.com/download/

Change the settings of the VM to boot from the downloaded ISO, and use the utility to change the password. A non-technical friend of mine did exactly that with an older Win7 laptop this past weekend.

 
Posted : 16/04/2018 6:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

They are still in the SAM but on a path *like* (supposing to access an actual online SAM hive)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1

Where of course the 000003a1 is the RID of the user.
https://www.morgantechspace.com/2013/10/difference-between-rid-and-sid-in.html

I don't think there is an easy way (in case of multiple users) to find which RID is related to which user. ?

jaclaz

 
Posted : 16/04/2018 6:39 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

They are still in the SAM but on a path *like* (supposing to access an actual online SAM hive)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003a1

Where of course the 000003a1 is the RID of the user.
https://www.morgantechspace.com/2013/10/difference-between-rid-and-sid-in.html

I don't think there is an easy way (in case of multiple users) to find which RID is related to which user. ?

jaclaz

Actually, there is…or, are. Several.

First, this blog post illustrates the output of the samparse.pl plugin

http://windowsir.blogspot.com/2010/02/more-on-av-write-ups.html

Second, the ProfileList key in the Software hive maps SIDs to profile paths.

HTH

 
Posted : 16/04/2018 8:27 pm
(@imsdal)
Posts: 17
Active Member
Topic starter
 

Regripper told me that the account had no password requirements.
However, when trying to log in I get the message "No internet connection, please enter your last used password"; apparently it is using a Microsoft account to validate each login.

Since there is no password I can't find the NTLM hash in the SAM hive. Is there an old password stored in any other hive? Does anyone know exactly where?

The issue is that what you saw doesn't mean what you think it means. 😉

http://windowsir.blogspot.com/2013/05/plugin-samparse.html

When the RegRipper samparse.pl plugin returns "Password Not Required", it's based on a flag check in the hive, and does NOT mean that the account doesn't have a password…it simply means that the account is not required to have a password. The distinction may seem subtle, but it's there.

Extract the System and SAM hives from the image, and use your favorite password extractor/cracker, like L0phtcrack or John the Ripper.

Great info! Thanks! However, the NTLM hash when dropping the hives into ophcrack is 31d6cfe0d16ae931b73c59d7e0c089c0, hence no password, right?

 
Posted : 17/04/2018 7:04 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Second, the ProfileList key in the Software hive maps SIDs to profile paths.

HTH

Sure 🙂, we only use a different definition of "easy".

Re-checking it, it is actually "easy" 😉.

Below the
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
besides the keys *like*
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5

there is a key
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names

where there is a key for each user, i.e. (example)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator
whose default value (binary) is 0x1f4
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
whose default value (binary) is 0x1f5

and 0x1F4 converted to decimal is 500, 0x1F5 is 501, etc.

jaclaz

 
Posted : 17/04/2018 9:40 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Great info! Thanks! However, the NTLM hash when dropping the hives into ophcrack is 31d6cfe0d16ae931b73c59d7e0c089c0, hence no password, right?

I'm not sure I follow the logic there…did you try cracking it?

 
Posted : 17/04/2018 2:35 pm
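The two threads of this discussion, jaclaz's Names-key-to-RID mapping and imsdal's question about what the hash 31d6cfe0d16ae931b73c59d7e0c089c0 means, can both be checked offline. The script below is an added example, not code from any poster or from RegRipper; it implements MD4 (RFC 1320) in plain Python so that the NT hash can be computed where hashlib lacks md4, and it shows that the hash imsdal saw is exactly the NT hash of an empty password. The Names-key helpers assume what jaclaz described: under Users\Names each username is a subkey whose (Default) value carries the RID (regedit shows it as the value type, e.g. 0x1f4), and the per-user key under Users is that RID written as eight uppercase hex digits. The `sample_names` dictionary is constructed for the example, not read from a real hive.

```python
import struct

def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (NT hashes are MD4 over UTF-16LE)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (round function, additive constant, word order, shift schedule)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # each step rotates the roles ABCD -> DABC -> CDAB -> BCDA
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                s[a] = _lrot((s[a] + func(s[b], s[c], s[d]) + words[k] + const)
                             & 0xFFFFFFFF, shifts[i % 4])
        state = [(x + y) & 0xFFFFFFFF for x, y in zip(state, s)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash: MD4 of the password encoded as UTF-16LE, as a hex string."""
    return md4(password.encode("utf-16le")).hex()

EMPTY_NT_HASH = nt_hash("")

def is_empty_password_hash(hex_hash: str) -> bool:
    """True if the hash is the NT hash of an empty string, i.e. no password is set."""
    return hex_hash.strip().lower() == EMPTY_NT_HASH

def rid_key_name(rid: int) -> str:
    """Users subkey name for a RID, e.g. 500 -> '000001F4'."""
    return f"{rid:08X}"

def map_names_to_user_keys(names: dict) -> dict:
    """Map {username: RID from the Names\\<user> default value} to the
    matching Users\\<RID> key path, mirroring jaclaz's manual lookup."""
    base = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
    return {user: (rid, base + "\\" + rid_key_name(rid)) for user, rid in names.items()}

# Constructed sample: what the Names subkeys' default-value types might look like.
sample_names = {"Administrator": 0x1F4, "Guest": 0x1F5, "imsdal": 0x3A1}

if __name__ == "__main__":
    for user, (rid, path) in map_names_to_user_keys(sample_names).items():
        print(f"{user:14s} RID {rid:4d} -> {path}")
    seen = "31d6cfe0d16ae931b73c59d7e0c089c0"
    print("hash seen in ophcrack is the empty-password NT hash:",
          is_empty_password_hash(seen))
```

Running it prints the three Users key paths and confirms that the hash from the thread equals `nt_hash("")`, so the account in question genuinely has no local password set, which is consistent with the "Password Not Required" flag RegRipper reported but is a separate fact from it.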
Page 1 / 2