Decrypting SYSKEY password hashes on NT

Evgeny

Member
Sep 30, 2000
51
0
0
Does anyone know if there is a program that can get Windows 2000/XP password hashes from a SAM file offline? They're encrypted with SYSKEY, of course. I know there are some programs that can do it online using DLL injection, like PWDUMP3 and LC3. But has anyone actually worked out how Windows decrypts them? The key is probably in the registry somewhere.

Evgeny
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
L0phtCrack can take a SAM file and decrypt that at your leisure. At least I thought it could. If they put the key in the registry they do not deserve any money whatsoever. Plus there should be a salt in there somewhere, so you would have to know how to get that.
 

Evgeny

Member
Sep 30, 2000
51
0
0
Yes, L0phtcrack (LC3) can take a SAM file, but if it's encrypted with SYSKEY the hashes it reads will be garbage - it won't crack anything. Of course the SYSKEY master key has to be stored somewhere on the system unless you choose to type it in every time. If Windows can do it (decrypt the hashes), so can another program. The question is: has anyone written such a program yet?

Evgeny
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Actually, the syskey is stored in the registry, but not in a single entry. It is put across multiple entries, so NT has to reconstruct the key, rather than just read it.

Sadly, I don't remember the answer to the original question. Is there a reason why you can't just boot the system, and pull the information off it when NT has decrypted it for you?