From: Ted Cabeen <cabeen@netcom.com>
Date: Tue, 12 Dec 1995 06:59:25 +0800
To: cypherpunks@toad.com
Subject: Re: Win NT proprietary pw encryption (Was: Re: Windows .PWL cracker...)
Message-ID: <2.2b7.32.19951211214329.002cc3a8@netcom4.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:39 AM 12/11/95 +0000, you wrote:
>Futplex wrote:
>> someone quoted:
>> Microsoft Knowledge Base article Q102716 says:
>> > Storage of the Passwords in the SAM Database
>> [...]
>> > The second encryption is decryptable by anyone who has access to the
>> > double-encrypted password, the user's RID, and the algorithm. The second
>> > encryption is used for obfuscation purposes.
>> 
>> Anyone feel like putting together some sample plaintext/ciphertext pairs ?
>
>This will be really difficult, and in practice rather pointless.  NT does
>not allow any user, priviliged or not, to gain access to any form (encrypted
>or not) of the passwords.  They are stored in a protected area of the system
>registry that only the OS itself can access.  The best that you can do is
>to ask the OS whether a given username/password pair is valid or not, and it
>took until version 3.51 before MS let you do even that!
I took a quick look in my NT registry and you can get access to the Account
Manager section of the registry by manually changing the permissions and
giving yourself access.  I didn't have the time to look at all of the
entries in the registry, but there's a lot of stuff there and I wouldn't be
suprised if the encryted passwords were available.  Of course, you have to
be an administrator to change the permissions, but it is possible.
_____________________________________________________________________________
Ted Cabeen                                                  cabeen@netcom.com
Finger for PGP Public Key                        secabeen@midway.uchicago.edu
"I have taken all knowledge to be my province."            cococabeen@aol.com