OK, there are a number of steps you need to take.
First off, you need to grab the hashes from the registry, but the key has
SYSTEM-only perms on it - as an admin you need to give admin read perms on
HKLM/Security. Then grab the hashes out of there
(HKLM/Security/SAM/Domains/Account/Users or something AFAIR, not having an
NT box about ;-). The hashes are created in the following way:
LANMAN hash
If password < 14 chars, pad with NULLs to 14 chars
If password > 14 chars, truncate it to 14 chars
Convert password to uppercase
Split password into two 7-char halves (What were they thinking ;-)
Create an odd-parity 8-byte DES key from each half
An 8-byte fixed value is encrypted with each key
Concatenate the two values to form a 16-byte hash
The fixed value that is encrypted with each of the DES keys is the decryption
of the value 0xAAD3B435B51404EE with a key of all zeros (yes, that is a bit
of an arse-about-face way of describing it, but once upon a time MS were
talking about copyright issues with the actual value - well, so word has it
;-)
NT hash
Convert password to Unicode
MD4 hash it to a 16-byte value
One thing to watch is that the Unicode conversion used does not add a trailing
NULL, i.e. "A" is just 0x41 0x00 rather than 0x41 0x00 0x00 0x00. Have
a look at the L0phtcrack source code from
http://packetstormsecurity.org/Crackers/NT/l0phtcrack/lcsrc.zip and the
PutUniCode function in util.c for the full details - everything you need is
in that sourceball.
Cheers.
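The two hash constructions described above, written out as an added worked example (this is not code from the original message, nor from the L0phtcrack sources it points to). DES and MD4 are implemented in pure Python from the FIPS 46-3 and RFC 1320 tables so the script runs offline with no third-party module; the "KGS!@#$%" constant is not typed in but recovered exactly the way the message describes, by decrypting 0xAAD3B435B51404EE under an all-zero key. One assumption is labelled in the code: the uppercase/OEM code-page step is approximated with ASCII. The demo() function shows why the LM scheme is weak: case is lost, any password of 7 characters or fewer yields the fixed second half AAD3B435B51404EE, and everything past 14 characters is ignored, while the NT hash is case-sensitive and length-preserving.

```python
import struct

# DES tables (FIPS 46-3). Each S-box is 64 hex digits: rows 0-3 of 16 entries, concatenated.
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
FP = [IP.index(i) + 1 for i in range(1, 65)]  # final permutation is the inverse of IP
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3,
       60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
       29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
SBOX = ["e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
        "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
        "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
        "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
        "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
        "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
        "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
        "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b"]

def _bits(data):  # bytes -> bit list; DES bit 1 is the MSB of the first byte
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def _unbits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def _perm(bits, table):  # DES tables are 1-indexed
    return [bits[i - 1] for i in table]

def _subkeys(key):
    cd = _perm(_bits(key), PC1)  # PC1 discards the 8 parity bits, so they never affect the result
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        keys.append(_perm(c + d, PC2))
    return keys

def _f(r, k):
    x = [a ^ b for a, b in zip(_perm(r, E), k)]
    out = []
    for i in range(8):
        b = x[6 * i:6 * i + 6]  # row = outer two bits, column = inner four
        v = int(SBOX[i][(b[0] * 2 + b[5]) * 16 + b[1] * 8 + b[2] * 4 + b[3] * 2 + b[4]], 16)
        out += [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]
    return _perm(out, P)

def des_block(key, block, decrypt=False):
    keys = _subkeys(key)[::-1] if decrypt else _subkeys(key)
    b = _perm(_bits(block), IP)
    l, r = b[:32], b[32:]
    for k in keys:
        l, r = r, [a ^ c for a, c in zip(l, _f(r, k))]
    return _unbits(_perm(r + l, FP))

def md4(data):  # RFC 1320, 48 steps of the a,b,c,d role rotation per 64-byte block
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    ROUNDS = ((F, list(range(16)), (3, 7, 11, 19), 0),
              (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
              (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = h
        for fn, order, shifts, add in ROUNDS:
            for j, k in enumerate(order):
                A, B, C, D = D, rol((A + fn(B, C, D) + X[k] + add) & 0xFFFFFFFF, shifts[j % 4]), B, C
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (A, B, C, D))]
    return struct.pack("<4I", *h)

# The fixed plaintext, recovered as the message describes: decrypt AAD3B435B51404EE under a zero key.
LM_MAGIC = des_block(bytes(8), bytes.fromhex("AAD3B435B51404EE"), decrypt=True)

def lm_des_key(seven):
    """Spread 56 bits over 8 bytes (7 bits each, MSB-aligned) and set odd parity in each low bit."""
    n = int.from_bytes(seven, "big")
    key = bytearray(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))
    for i, b in enumerate(key):
        key[i] = b | (bin(b).count("1") % 2 == 0)  # odd parity, as the message says
    return bytes(key)

def lm_hash(password):
    # Uppercase, truncate/pad to 14 bytes, hash each 7-byte half independently.
    # Assumption for this example: ASCII stands in for the OEM code page NT actually used.
    pw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return b"".join(des_block(lm_des_key(pw[i:i + 7]), LM_MAGIC) for i in (0, 7))

def nt_hash(password):
    # UTF-16LE with no terminator: "A" -> 41 00, exactly the point the message warns about.
    return md4(password.encode("utf-16-le"))

def demo():
    """Constructed sample passwords -> (LM hex, NT hex); shows the LM case/length collapse."""
    return {pw: (lm_hash(pw).hex(), nt_hash(pw).hex())
            for pw in ("", "password", "PASSWORD", "short", "fourteenchars!!longer")}

if __name__ == "__main__":
    print("LM magic plaintext:", LM_MAGIC)
    for pw, (lm, nt) in demo().items():
        print(f"{pw!r:24} LM={lm}  NT={nt}")
```

The empty password is the quickest sanity check: both LM halves come out as AAD3B435B51404EE and the NT hash is MD4 of the empty string. In a real SAM dump, an LM field of AAD3B435B51404EEAAD3B435B51404EE therefore means "LM hashing disabled or blank password", and a second half of AAD3B435B51404EE on its own means the password is at most 7 characters.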
----- Original Message -----
From: "Veeraraju_Mareddi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, September 06, 2001 6:40 AM
Subject: Password decryption of User accounts From PDC registry
> Dear All,
>
> I want to decrypt some user account's passwords in NT4 registry on PDC. Is
> there any module that helps in this regard? I can't do it with
> Win32::TieRegistry. Please suggest me some possible ways.
>
> Thanks in Advance
>
> With regards
> Raju
> _______________________________________________
> Perl-Win32-Admin mailing list
> [EMAIL PROTECTED]
> http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin
>
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]