Bruce – SamDump (Win2K/XP)

Topic

New Reply

This is a Command line utility — taken from LOphtCrack — that reportedly ‘dumps’ your SAM passwords. (Meaning it displays them, not deletes them). Obviously, only for Win2K/XP. I would be interested in seeing if it works — perhaps it could have been useful in determining the strange password problems in the past…

Reply | Quote

Replies

I unzipped/downloaded and got the exe. When I click it, I get a flash of a dos prompt for a fraction of a second. Is their a step to downloading this so I can try it, R2? I have the exe in my unzipped foler and the zip in downloads, but that’s as far as I can get with it.

Thanks,

SMBP

Reply | Quote

Ummm…you gotta run it from the command line, and specify the name of the SAM file you want it to look at. If you don’t it just pops up the syntax in a command window and closes it right after that.

Reply | Quote

It does indeed work, and parses out the user accounts on the system – along with their descriptions. But it doesn’t display the passwords in plain text, instead spewing out what appears to be a long hex string. I wasn’t able to decode it with a hex editor into anything meaningful. I was relieved to see that, because if my password could be parsed that easily I’d be quite worried.

This also requires access to the SAM database, which you can’t open while the system is running, and thus I would think it would mean you’d need access to the console. I’m leery of such things because of the potential for malicious use, but this seems more of a system administrator’s tool than anything else.

Reply | Quote

I think if you have disabled lower-security LANMAN passwords, the cracking tool has more difficulty. Also, our antivirus software attacks as soon as you try to run it.

Reply | Quote

Natch. NAV took a dive on me a few days ago and refuses to uninstall or reinstall. What AV software did you test with Jefferson?

Reply | Quote

Actually, I haven’t tested myself, but I’ve seen it in the Firm’s logs. We run Trend Micro OfficeScan; I suspect PC-Cillin uses the same pattern file and also would try to quarantine or rename the executable.

Reply | Quote

Mark–

Not sure what caused your Norton problem, but as you have probably seen there are uninstalls from the registry in a string of Norton KB’s that can have you deleting entries for a long time–if I remember you have System Works. I had a box pop up saying “you aren’t the Norton administrator” problem that Symantec says was a rare Windows Explorer in XP conflict and it wouldn’t let me uninstall from Add/Remove or from Norton’s Program entry for System Works, and after getting it from the registry I got all of System Works and NIS in except for NAV (Version 8.07) which refused to install, and had to copy it to the hard drive from the System Works folder in Explorer.

I have found that the “Solutions” steps listed in this “Auto Protect Disabled” doc (although aimed at a specific error) are common to and used in several of the ‘problems uninstalling NAV’ KB’s[/i] and one are all of them (updating symyvent drivers, and at the bottom of this sheet under “Windows XP” going to C:Program FilesCommon FilesSymantec Shared folder and deleting “Virus Defs”) got NSW with NAV uninstalled and reinstalled intact in the three situations where NAV needed uninstalling to fix it whatever other Norton KB’s were attached to those errors. Reinstalling IE listed has never been necessary for me. Updating Symyvent Files also can help with uninstalling and Uninstalling NSW in Windows XP–and the “Instant Wireless Utility” in a Linksys network can get in the way of a Norton uninstall.

SMBP

Reply | Quote

Thanks for looking into this. Perhaps the entire program is able to give out the passwords in a readable fashion. In case you are interested:

LC4: Download

Reply | Quote

Hi,
Yes it will show you passwords in readable fashion – I have used it to audit network passwords in the past. To do that of course you need to be an admin anyway to get the SAM from the Domain Controller. It can be quite alarming if/when you see that almost all the passwords in use on your network are cracked in about 3 seconds flat!

Reply | Quote