Any way of checking registry to see if account has password?


  • Any way of checking registry to see if account has password?

    I have a non-bootable install of XP (part of a forensic job) and would like to be able to check if a local user account has a password (not interested in what it is, just if it is set). Does anyone know if this information is in the registry somewhere, if so, where?

    Not sure if it's Home or Pro, but not a domain member anyway
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Any way of checking registry to see if account has password?

    Highly doubt it.


    • #3
      Re: Any way of checking registry to see if account has password?

      Before booting, the accounts and passwords are not loaded in the registry at all, so that direction will not work. You need to unload the SAM file, copy that to an alternate system and inspect it there.
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan


      • #4
        Re: Any way of checking registry to see if account has password?

        OK, thanks
        Had hoped for a simple location, but I can read the SAM file (I think)
        I had thought it might be in one of the other registry hives
        Tom Jones


        • #5
          Re: Any way of checking registry to see if account has password?

          Before XP it was in the registry AFAIR
          But with the new security-centric Microsoft, back in 2002, the accounts were only loaded in the registry in one-way encrypted format after bootup into XP. This supposedly helped avoid lifting the password by a mal program after logging in.
          "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan


          • #6
            Re: Any way of checking registry to see if account has password?

            Will this help?
            http://en.wikibooks.org/wiki/Reverse...s_XP_Passwords

            If the information retrieved from the pwdump consists of an empty first part, then the LM hash is not stored. This either means that the password is blank, in which case it would look like this:
            Administrator:500:0:
            _31,D6,CF,E0,D1,6A,E9,31,B7,3C,59,D7,E0,C0,89,C0,x xxxx:::
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"



            • #7
              Re: Any way of checking registry to see if account has password?

              Looks good -- now to see if I can find it in the SAM
              Tom Jones


              • #8
                Re: Any way of checking registry to see if account has password?

                Same webpage...
                The Windows XP passwords are hashed using LM hash and/or NTLM hash. The hashes are stored in c:\windows\system32\config\SAM. The SAM file is encrypted using c:\windows\system32\config\system and is locked when Windows is running. To get the passwords, you need to shutdown Windows, decrypt the SAM file, and then crack the hashes. You can also obtain the hashes using other software that does not require you to turn your computer off. If everything goes well, you'll have the passwords in 15 minutes.
                This might help too to decrypt the Sam file:
                http://www.irongeek.com/i.php?page=s...localsamcrack2
                Last edited by Dumber; 21st July 2010, 20:53.
                Marcel


                • #9
                  Re: Any way of checking registry to see if account has password?

                  Don't some Linux live CDs allow you to see some details from the SAM file? I know they can't read the contents, but I am sure I have seen them where they load the SAM file and give information about whether there is a password set, account status (Enabled/Disabled) etc.


                  • #10
                    Re: Any way of checking registry to see if account has password?

                    Related to this, I noticed that a number of accounts have exactly the same "last password change" recorded (to the second). These are:
                    ASPNET, Guest, HelpAssistant, Support_3388945a and Administrator
                    This is not the same as the OS installation date/time

                    OS is XP MCE SP2, non domain

                    I am trying to find out if this is default behaviour with a blank administrator password as I cannot imagine a user changing the administrator password at exactly the same instant the system is changing other passwords!

                    I am pretty sure (at least in a domain environment) that this is not the behaviour for "password never expires"
                    Tom Jones


                    • #11
                      Re: Any way of checking registry to see if account has password?

                      I'd wager that those accounts were all created at the same time when the OS was installed and never modified, hence the synchronization.


                      • #12
                        Re: Any way of checking registry to see if account has password?

                        I would agree -- but OS was installed in 2006 and password was changed in July 08
                        I know the guest etc. accounts have a password that is automatically changed by the OS
                        Tom Jones


                        • #13
                          Re: Any way of checking registry to see if account has password?

                          Maybe a bit late for this but rather than trying to crack the SAM hashes, wouldn't enumerating the local user accounts for
                          Code:
                          & objItem.PasswordRequired
                          using WMI do the trick?
                          Example here: http://gallery.technet.microsoft.com...7-25c4afb444cd

                          And I am guessing the time skew has maybe happened when a SP or Hotfix was installed.
                          Caesar's cipher - 3

                          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                          SFX JNRS FC U6 MNGR



                          • #14
                            Re: Any way of checking registry to see if account has password?

                            Forensic, so all I have is the files, not a working OS, unfortunately
                            Tom Jones


                            • #15
                              Re: Any way of checking registry to see if account has password?

                              Originally posted by Ossian
                              Related to this, I noticed that a number of accounts have exactly the same "last password change" recorded (to the second). These are:
                              ASPNET, Guest, HelpAssistant, Support_3388945a and Administrator
                              This is not the same as the OS installation date/time

                              OS is XP MCE SP2, non domain

                              I am trying to find out if this is default behaviour with a blank administrator password as I cannot imagine a user changing the administrator password at exactly the same instant the system is changing other passwords!

                              I am pretty sure (at least in a domain environment) that this is not the behaviour for "password never expires"
                              The "last password change" date does not necessarily mean the password was reset at that time. I know that when you check, apply, and then uncheck the user's "user must change password at next logon" property, the date is changed automatically to the current date and time. Maybe the installation of some hotfix or a service pack for Windows could have caused that date to change for all user accounts.


                              Originally posted by g7rpo
                              Don't some Linux live CDs allow you to see some details from the SAM file? I know they can't read the contents, but I am sure I have seen them where they load the SAM file and give information about whether there is a password set, account status (Enabled/Disabled) etc.
                              You can try the "Offline NT Password & Registry Editor" by Petter N Hagen?


                              Work with a clone of the hard disk.

                              Download the floppy boot disk.
                              Boot from the floppy (could be a USB floppy drive).
                              This will take a while; meanwhile, do take the time to read most of the information presented on screen.
                              Step 1, select the partition
                              Step 2, select path and registry files
                              Step 3, select [option 1] 'Edit user data and passwords'

                              The user accounts are listed with details. If an account shows "*BLANK password*" then the password MAY be blank, OR the password was more than 14 characters long, OR the NoLMHash policy was active.
                              If the account does not show BLANK, then it most likely had a password set.


                              \Rems

                              This posting is provided "AS IS" with no warranties, and confers no rights.

                              __________________

                              ** Remember to give credit where credit's due **
                              and leave Reputation Points for meaningful posts
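
Added example, not part of any post in this thread: a Python classifier for pwdump-style output that separates the cases raised in posts #6 and #15 (blank password versus a password whose LM hash was simply not stored). It assumes the `user:RID:LM:NT:::` line layout and that a missing hash appears as an empty field, a `NO PASSWORD` filler, or the well-known hash of the empty password; the sample lines are constructed.

```python
"""Classify pwdump-style lines (user:RID:LM:NT:::) by whether a password is set."""

# Well-known hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _is_empty(field, empty_hash):
    """True if a hash field carries no password material."""
    f = field.strip().lower()
    # Assumption: dump tools emit "", a "NO PASSWORD***" filler, or the empty hash.
    return f == "" or f.startswith("no password") or f == empty_hash


def classify(line):
    """Return (user, rid, verdict) for one pwdump-style line."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError("not a pwdump-style line: %r" % line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2], parts[3]
    lm_empty = _is_empty(lm, EMPTY_LM)
    nt_empty = _is_empty(nt, EMPTY_NT)
    if nt_empty and lm_empty:
        verdict = "blank password"
    elif lm_empty:
        # LM absent but NT present: password longer than 14 characters,
        # or the NoLMHash policy was active when it was set.
        verdict = "password set (no LM hash stored)"
    elif nt_empty:
        verdict = "inconsistent: LM present, NT blank"
    else:
        verdict = "password set"
    return user, rid, verdict


# Constructed sample lines; the non-empty hashes are arbitrary filler values.
SAMPLE = """\
Administrator:500:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1003:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
bob:1004:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
"""


def report(text):
    """Classify every non-blank line of a dump."""
    return [classify(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for user, rid, verdict in report(SAMPLE):
        print("%-15s %5d  %s" % (user, rid, verdict))
```

The NT field is what separates a truly blank password from one that only lacks an LM hash, so a "blank" LM column alone should not be recorded as "no password" in a forensic report.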
