SAM cracking

[Guillaume]

Hi,
i work for a public school and i'm having problems with some students.
It seems they love to boot from cd or from another partition, copy the SAM
file and crack within a few minutes with rainbow tables for example. And it's
really getting on my nerve! Is there a way in Windows XP SP2 to truly secur
this SAM file??? By encrypting it or something? Apparently it is VERY easy to
crack any Windows local account. So any help would be very appreciated!

Thanks in advance for everything!

 

[Malke]

Hi,
i work for a public school and i'm having problems with some students.
It seems they love to boot from cd or from another partition, copy the SAM
file and crack within a few minutes with rainbow tables for example. And it's
really getting on my nerve! Is there a way in Windows XP SP2 to truly secur
this SAM file??? By encrypting it or something? Apparently it is VERY easy to
crack any Windows local account. So any help would be very appreciated!

Thanks in advance for everything!

You have not properly secured your workstations. I'm not saying this to
hurt your feelings but since you didn't know to at least do #1 and #2
below, you might want to get a professional computer person on-site to
go over your security and set you up correctly. This will not be your
local version of BigComputerStore/GeekSquad.

Here is general security information. Not everything may be applicable
to you so take the bits that are:

*****
Any computer running any operating system can be accessed by someone
with 1) physical access; 2) time; 3) skill; 4) tools. There are a few
things you can do to make it a bit harder though:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.

2. From the BIOS, change the boot order to hard drive first.

3. Set strong passwords on all accounts, including the built-in
Administrator account.

4. If you leave your own account logged in, use the Windows Key + L to
lock the computer (and/or set the screensaver/power saving) when you
step away from the computer and require a password to resume.

5. Make other users Limited accounts in XP Home, regular user accounts
in XP Pro.

6. Set user permissions/restrictions:

a. If you have XP Pro, you can set user permissions/restrictions with
Group Policy (Start>Run>gpedit.msc [enter]) but be careful. Using the
Policy Editor can be tricksy. Questions about Group Policy should be
posted in its newsgroup: microsoft.public.windows.group_policy.

b. If you have XP Home, you can use MVP Doug Knox's Security Console or
the MS Steady State.

http://www.dougknox.com
Steady State -
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Please understand that these are technical responses to what is
basically a non-technical problem and there are ways around all of these
precautions. This is a family/interpersonal issue that can't be solved
by technical means.
*****

Malke

 

[Brian Komar]

Futher to Malke's answer, it is time to invest in a server and get AD
running.
Local SAM databases will always be vulnerable to attack.
Moving the accounts to AD will definitely help your scenario
Brian

Hi, i work for a public school and i'm having problems with some
students. It seems they love to boot from cd or from another partition,
copy the SAM file and crack within a few minutes with rainbow tables for
example. And it's really getting on my nerve! Is there a way in Windows
XP SP2 to truly secur this SAM file??? By encrypting it or something?
Apparently it is VERY easy to crack any Windows local account. So any
help would be very appreciated!

Thanks in advance for everything!

You have not properly secured your workstations. I'm not saying this to
hurt your feelings but since you didn't know to at least do #1 and #2
below, you might want to get a professional computer person on-site to go
over your security and set you up correctly. This will not be your local
version of BigComputerStore/GeekSquad.

Here is general security information. Not everything may be applicable to
you so take the bits that are:

*****
Any computer running any operating system can be accessed by someone with
1) physical access; 2) time; 3) skill; 4) tools. There are a few things
you can do to make it a bit harder though:

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.

2. From the BIOS, change the boot order to hard drive first.

3. Set strong passwords on all accounts, including the built-in
Administrator account.

4. If you leave your own account logged in, use the Windows Key + L to
lock the computer (and/or set the screensaver/power saving) when you step
away from the computer and require a password to resume.

5. Make other users Limited accounts in XP Home, regular user accounts in
XP Pro.

6. Set user permissions/restrictions:

a. If you have XP Pro, you can set user permissions/restrictions with
Group Policy (Start>Run>gpedit.msc [enter]) but be careful. Using the
Policy Editor can be tricksy. Questions about Group Policy should be
posted in its newsgroup: microsoft.public.windows.group_policy.

b. If you have XP Home, you can use MVP Doug Knox's Security Console or
the MS Steady State.

http://www.dougknox.com
Steady State -
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Please understand that these are technical responses to what is basically
a non-technical problem and there are ways around all of these
precautions. This is a family/interpersonal issue that can't be solved by
technical means.
*****

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

 

[Niniel]

Since he's at a school though, wouldn't it be sufficient to prevent booting
from other media by password-protecting the BIOS setup? It's not like the
students are going to take the boxes home and remove the CMOS battery. (Or
are they?)

And if you boot another OS, say Linux, from a USB stick via VM, say QEMU,
won't that VM still be subject to the restrictions of the account it's
running in? (That's a question.)

Btw, I found this on the web:

http://www.hftonline.com/forum/archive/index.php/t-11372.html
http://support.microsoft.com/kb/310105

Hope this helps.

 

[Guillaume]

Hi,
first of all thanks for the help. But it's not very usefull at all.
Since i work for a publi school our computers must be usable without having
to type in a bios password at boot. I'm not talking here about the password
to get in the BIOS! We also need to install some OS that the students are
administrator for the learning purpose. And we use Novell on our network. So
Active Directory is out of the question! Here's the details...

Any computer running any operating system can be accessed by someone
with 1) physical access; 2) time; 3) skill; 4) tools.

True indeed. But the way the local SAM is encrypted is very stupid to
bypass. Just download on torrents for example any rainbow tables and you then
just need the SAM file and a few minutes. You don't even need to be near the
pc you want to get in to do the cracking part. If Microsoft could implement a
true and more solid encryption like on Linux/Unix system with the
Salt+Encryption (see this:
http://tldp.org/HOWTO/Shadow-Password-HOWTO-2.html). It would help to block
any script kiddies to simply download a few files and crack the system!

1. Set a password in the BIOS that must be entered before booting the
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.

Not possible to use BIOS boot password. And we already use an BIOS
administrator password.

2. From the BIOS, change the boot order to hard drive first.

We use floppy disk and cd to boot our pcs for "ghosting" so it's not possible.

3. Set strong passwords on all accounts, including the built-in
Administrator account.

Already done. We use password of minimum 16 characters for any administrator
accounts including letters, numbers and special characters. We also rename
the Administrator account and disable the LN manager hashe.

4. If you leave your own account logged in, use the Windows Key + L to
lock the computer (and/or set the screensaver/power saving) when you
step away from the computer and require a password to resume.

We never use our own account in the labs. We use special test accounts with
very limited privileges. We do that because of possible key loggers, root
kits, etc.

5. Make other users Limited accounts in XP Home, regular user accounts
in XP Pro.

We don't use Windows XP Home Edition anywhere.

6. Set user permissions/restrictions:

Already done by different ways. For example, we use gpedit, local policy, etc.

So is there any other way we could encrypt the drive so that no boot cd or
other partition OS can copy the SAM file? Or is it a lost cause because the
way Windows XP is built isn't just secure enough? Don't want to sound rough
here just stating the facts. And yes it's possible to get the passwd file
from a linux OS. But at least the encryption is stronger than the joke
Windows XP Pro implement :-( Any new patch could help us maybie?

Thanks again for any help!

 

[Niniel]

Bad http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003

http://www.fastcrack.com/faq.html:

"Q: What if my SAM database is encrypted with Syskey?
A: If you use pwdump you’ll skip the problem because pwdump reads the SAM
database not from file but directly from memory, where it is kept
unencrypted. Otherwise you need first to retrieve the key from the registry
and decrypt the SAM. Then you'll be able to exctract the hashes. We are
currently preparing a small script to do this with freeware and shareware
tools.
Q: What if I don’t have physical access nor admin privileges?
A: That’s not good. Your best bet is probably the ERD floppy disk, which may
have a recent copy of your SAM database and SYSTEM file. If this is the case,
you can easily run on them one of the many hash extraction tools available.
Q: I have extracted the hashes but I don’t see in them the account I need to
crack.
A: That probably means that the account your are referring to is not local
but it’s a domain account. In this case you need to retrieve the hashes not
from your machine’s SAM but from the domain controller/Active Directory. If
you use the latest version of pwdump (pwdump2) you’ll be able to extract
password hashes from Active Directory."

But have you looked into using Novell Netware to help you? I thought they
had a user manager as well that can administer workstation in the network.