Summary:
- Identify the location of the file
- Learn what type of data the Security Account Manager (SAM) file stores
- Learn how to parse them
- Understand how to corroborate findings in the registry with files on the source device
- Attempt to crack the users in the SAM
To begin this exercise I launched a Windows OS virtual machine and logged into the administrator account.
Once logged into the VM I launched the application FTK Imager from the Windows menu and became familiar with the applications menus by locating the Evidence Tree, File List, Properties, and View Pane.
I next selected a file from the C Drive to upload the file as evidence.
This allowed me to add the file to the Evidence Tree Pane and nagivate throughout the file.
I next moved throughout the file to the root folder, then within the root folder I moved to the WINDOWS folder, then within the WINDOWS folder I moved to the system32 folder. Within the system32 folder, I was able to locate the config folder.
Once inside the config folder, I changed my focus to the File List Pane where I located and exported the SAM and system files to a newly created file on the Desktop called “shared”.
I then navigated to the Desktop and launched the shared folders properties window and in advance sharing I reduced the number of users that can access the shared folder to one.
For the next portion of the exercise, I launched a Kali Linux virtual machine and logged into the root account and launched terminal emulator.
From here I created a folder similar to the WinOS with the command:
I then mounted the shared folder from the Windows VM to the created folder in Kali Linux with the command:
- sudo mount -t cifs -v -o user=Administrator,password=Train1ng$,vers=2.1 //192.168.0.20/Users/Administrator/Desktop/shared /root/Desktop/share/
I then created a new folder named Lab22 and copied the contents from share to the newly created folder:
I next began to extract passwords from the SAM file by launching the application samdump2.
Once the terminal emulator application was open I entered the command:
- samdump2 -o Desktop/Lab22/hash.txt Desktop/Lab22/system Desktop/Lab22/SAM
This command fetches the SYSKEY and extracts the hashes from the SAM file, and outputs the parsed data to the provided file.
I then looked at the parsed results by navigating the Lab22 folder and opening hash.txt
From here I recognized that for Mr. Evil and the Admin account both hashes are the same. This means that the passwords are identical.
I then returned to the terminal emulator and entered the command:
- john –format=LM –wordlist= /usr/share/john/password.lst Desktop/Lab22/hash.txt
which resulted in:
This showed me that the results indicate that the password is: 123456