
Copy Window SAM While Running Live

6 replies to this topic

#1 lickfrog

Posted 09 May 2011 - 07:50 PM

Is it possible to copy or read the Win SAM file while running Windows?

I was wondering if it's possible to programmatically copy or read the Windows SAM file while Windows is still running? If so, would it just be a matter of writing a low-level copy function; can this be done using Python? Most of my programming knowledge is in Python, but I do have some experience with C++, so if not, then I think I could figure it out. I know it's possible to use third-party utilities and bootable media to do this, but I would really like to learn how to do it on my own.


BTW: This is my first post on the forum (total noob) and I wasn't sure if this was the right place to post. I'm a network science major, so I have some experience and general knowledge of the topics on this forum, so feel free to correct me if ever I'm wrong.

Edited by lickfrog, 09 May 2011 - 10:25 PM.


#2 TheFunk

Posted 09 May 2011 - 09:23 PM

I've never tried but I've heard that something like PWDump might be able to do that for you. My guess though is that it would be annoyingly hard to do, and nothing like simple file copying. I've always just used a Linux live distro. Also you're going to need to get the syskey (system file) as well if you want to be able to crack the password hashes from the SAM. I recently wrote a simple Java file-copy program, maybe it's worth giving a go. Hopefully that helps some?

#3 lickfrog

Posted 09 May 2011 - 10:39 PM

I just started learning Java. I don't think I'll be able to make much of it, but I would be interested in the code for learning. I was hoping it would be possible to read the SAM in binary form, but now that I think about it, it would be pretty hard without system-level permissions since the memory address space would be protected. Would it be too difficult to assume system-level rights and read the contents from memory? Come to think of it, how would I even find the memory address for the SAM or syskey files, assuming I could read them?

Edited by lickfrog, 09 May 2011 - 10:41 PM.


#4 serrath

Posted 11 May 2011 - 02:47 AM

Doesn't Cain read or dump SAM?

#5 lickfrog

Posted 11 May 2011 - 01:38 PM

Yes... the idea here is to dump the SAM and SYSKEY without conventional utilities.

Anyone interested in using a precompiled utility should reference irongeek.com or Link

I'd like to be able to dump the SAM and SYSKEY from memory using either Python or C++ without using any precompiled/third-party utilities. I realize that with my limited programming experience this could be a little outside my ability, but I thought it would be fun to learn anyway!

Edited by lickfrog, 11 May 2011 - 01:38 PM.


#6 serrath

Posted 14 May 2011 - 11:12 PM

My point was that it's certainly possible if Cain does it; I assumed you'd want to integrate it into some other program. You might check for info around oxid.it on how to get that done.

#7 ph0b1a

Posted 19 May 2011 - 01:26 AM

Windows stores the SAM file in a folder called TMP/TEMP, I can't remember which. Anyway, if you can find the file then you can copy it if you have the rights on the account, but Windows tends to hide this file from all users, even admins, so your best bet in finding it is to either use an app that can retrieve the file, or boot off a Linux live disk. The last time I did this, all I had to do was boot an Ubuntu live CD (10.04), mount the internal drive, browse to the tmp folder on the C:/ drive and copy it to a flash drive.
