RE: LC4 (L0phtCrack) error "Couldn't open SAM\Domains\Account\Users in SAM file. Possibly improper format."

From: Damage (dam.age@ntlworld.com)
Date: Mon Apr 21 2003 - 18:02:38 EDT


NT(SE), W2K(SE), XP(SE) and Exchange SE are all Compaq products. They seem
to keep it fairly low key - and I always find it hard to locate on the web
site, but try this for an overview:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T2333AAE

The OS products modify the algorithm between you typing in your password and
its storage in the SAM. IIRC, NT works with a modified advapi32.dll, while
later ones lever the crypto API stuff. A range of algorithms are available -
some from CESG in the UK for UK MOD use. I would not have expected the
format to be altered - just the stored data to be different as it uses a
different algorithm (although I haven't looked so I could be wrong!).

You can download a demo version (but I can't find it yet!) that has a dummy
algorithm which will still defeat LC.

Sorry I can't help more at the moment.

John Haines

-----Original Message-----
From: Chris McNab [mailto:chris.mcnab@trustmatta.com]
Sent: 17 April 2003 18:43
To: pen-test@securityfocus.com
Subject: Re: LC4 (L0phtCrack) error "Couldn't open
SAM\Domains\Account\Users in SAM file. Possibly improper format."

Hey,

I am aware that in the UK at least, Ministry of Defence (MOD) and other
government systems holding classified or restricted data often run NTSE (NT
Secure Edition), which apparently is a government build of NT that doesn't
use the standard SAM cryptographic format, and has been quoted as 'not
vulnerable to L0phtCrack attacks' as the RC4-based stuff is. I can't find
any reference to the CESG (UK government Communications and Electronic
Security Group) NTSE build details on the web, so can't dig up any
supporting evidence right now.

Are these government or corporate systems that are supposed to be hardened
in this fashion? If not, have you tried using the pwdump3.exe command-line
tool to extract the hashes into an ASCII text file, then transport them?

Regards,

Chris

-----Original Message-----
From: flexicon33@yahoo.com [mailto:flexicon33@yahoo.com]
Sent: Wednesday, April 16, 2003 2:25 PM
To: pen-test@securityfocus.com
Subject: LC4 (L0phtCrack) error "Couldn't open SAM\Domains\Account\Users in
SAM file. Possibly improper format."

Hi,
I'm trying to import some SAM files into LC4, and for some reason LC4
doesn't like the format. I get the above error for any of 5 SAM files I'm
trying.

For a pen test, I got these sam files by sending a 'tftp put' command to
the SQL server (had no 'sa' password) so the SAM files were sent to my tftp
server. There were 5 of these servers, so I got 5 SAM files to try. LC4
doesn't like any of them.

However, LC4 works for other SAM files... I tested with my own SAM file
(w2k) and also another I downloaded from a machine via an http exploit...
LC4 had no problems opening those 2 and working on them.

Why does LC4 complain about these other SAM files? Does some other sam
format exist or did they get mangled somehow?
Thanks...
Flexicon33, CISSP

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Mob: 0788 626 0878

This e-mail was sent from Matta Security Limited. The information contained
in this message is confidential, may be privileged, and is intended for the
addressee(s) only. If you have received this message in error please notify
the originator immediately. The unauthorised use, disclosure, copying or
alteration of this message is strictly forbidden. Matta Security Limited
does not warrant that any attachments are free from viruses or other
defects. Matta Security Limited will not be liable for direct, special,
indirect or consequential damages arising from alteration of the contents of
this message by a third party or as a result of any virus being passed on.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-pen-test
----------------------------------------------------------------------------
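Added example, not part of the original posts: one way to tell a damaged or truncated copy from an intact one, which is the "did they get mangled somehow?" half of the question above. It assumes the SAM file is a standard Windows registry hive in the regf layout; the function names and the sample hive are constructed for illustration, and the check says nothing about how the stored password data is encoded.

```python
import struct

BASE_BLOCK = 4096  # the regf base block occupies the first 4096 bytes of a hive

def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian dwords (508 bytes) of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1  # a zero result is stored as 1

def check_hive(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the header is sane."""
    if len(data) < BASE_BLOCK + 4:
        return ["file shorter than base block plus one hive bin header"]
    problems = []
    if data[:4] != b"regf":
        problems.append("missing 'regf' signature at offset 0")
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (hive was dirty when copied)")
    (stored,) = struct.unpack_from("<I", data, 0x1FC)
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, 0x28)
    if BASE_BLOCK + bins_size > len(data):
        problems.append("file truncated: hive bins size exceeds file length")
    if data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("missing 'hbin' signature at offset 0x1000")
    return problems

def build_sample_hive() -> bytes:
    """Constructed minimal image (base block plus one empty bin), for the demo only."""
    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 7)    # matching sequence numbers
    struct.pack_into("<I", hdr, 0x28, 4096)  # size of the hive bins data
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr) + b"hbin" + bytes(4092)

if __name__ == "__main__":
    good = build_sample_hive()
    print("intact copy :", check_hive(good))
    shifted = good[:100] + b"\r" + good[100:-1]  # one stray byte inserted in transit
    print("shifted copy:", check_hive(shifted))
    print("cut-off copy:", check_hive(good[:5000]))
```

A file that passes these checks but still fails to import points away from transfer damage and towards the contents themselves.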




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT