From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Fri Apr 13 2007 - 17:42:38 EDT
> Yea if you used pwdump you need admin privledges to dump the hashes. If
> you manage to get a reverse shell you can ftp the sam from the repair
> folder and the system part of the registry. Then import them into L0pht
> or LCP. If I am not mistaken, the sam file is sysked at level 1 by
> default for 2k3? Could someone verify that for me?
SYSKEY has been enabled by default since Windows 2000.
By the way, "SYSKEY" and "REPAIR" things are of no use on a Domain
Controller (since the original question was about domain password
policy). All user information (including password) is stored in Active
Directory - namely the "NTDS.DIT" file, which is of undocumented format.
By accessing the SAM file on a Domain Controller, you would gain access
to local accounts that existed on the server before DC promotion. If I
remember well, some emergency utilities (like Directory Restore Mode)
make use of this password, but that's all.
Regards,
- Nicolas RUFF
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:44 EDT