WIndows Password

[CyberCarsten]

Hi all!
Is there a way to retrieve the Windows Password??

------------------
Yours sincierly
CyberCarsten http://home18.inet.tele.dk/cyber/
carsten.h.thomsen@mail.tele.dk

[This message has been edited by CyberCarsten (edited 01-20-2000).]

[Bob Baddeley]

There is a program on the Windows CD called pwedit I believe. It should allow you to look at the *.pwl files.

[CyberCarsten]

Yes, but can't i do it from VB?


------------------
Yours sincierly
CyberCarsten
http://home18.inet.tele.dk/cyber/
carsten.h.thomsen@mail.tele.dk

[funkheads]

i definitely think it is possible from VB as long as you know the decryption method that would enable you to view the contents of the .pwl file that stores the passwords.

[KENNNY]

doubt its strong encryption, or any at all, knowing windows
probably just the letters in acsii codes

[CyberCarsten]

Do you know how to break them???

------------------
Yours sincierly
CyberCarsten
http://home18.inet.tele.dk/cyber/
carsten.h.thomsen@mail.tele.dk

Which windows passwords are you talking about?

The network passwords for NT or just Win95 stored passwords?

There is not a way to decrypt the passwords. To break them you need to cycle through a list of words and encrypt them in the same manner and see if the encrypted hashes match.

------------------
Boothman

There is a war out there and it is about who controls the information, it's all about the information.

[CyberCarsten]

The Win 95/98 stored Pw's

[vbsquare]

If cracking the Windows password files was so easy, I don't think that Microsoft would be doing quite so well. Also, the Win NT password system is more complex, and it has recently gained the C2 security level, so I don't think that the password files are going to be simple things to crack. Anyway, why on earth would you want to crack the password (unless of course you are breaking the law....)

------------------
"To the glory of God!"

Actually, windows password are exceptionally easy to crack. There are a dozen good crackers out on the internet.
The weakness of Microsoft is in the individual configurations. You have administrators who don't really know what they are doing and are winging it. They make it work not really knowing how to make it work correctly.
Many companies have pieced together many different systems with many differentadmins and have no handle on security.
They have security holes big enough to drive a truck through.
Not to mention that most people are gullible and fall for social engineering tactics.

As for the C2 rating that Microsoft received, that was on a non-networked system with no disk access (i.e. CD-ROM, Floppy).




------------------
Boothman

There is a war out there and it is about who controls the information, it's all about the information.

[Lui_Gui]

I have a similiar question. Howeverm, I dont want to crack the windows password.
I would like to provide a Login form to my users, but I'd like them to use there windows password (some are 98 and some are NT). Is there a way that I can sychronize passwords with windows. Or even is there a way to initiate the windows login dialogue without logging off of windows so that my app can verify the password also ? I want the user to be able to tell my app that they are going on a break or something and will return shortly. But when they return, I'd like them to Login to my app again without having to logoff of windows. Also, I am providing some Supervisor Override functions and would like my user to have a supervisor approve a function by entering their password. ... Any Ideas ?


------------------
Lou Santospirito
LSDP Consulting Services, Inc.
114 Cedar Pont Drive
West Islip, NY 11795
(516) 321-7906 (HomeOffice voice/fax)
SantLou@worldnet.att.net

[mwildam]

The only thing I found in the windows API a few days ago, as I wanted to run process under other user accounts was the following:

Declare Function CreateProcessAsUser Lib "kernel32" Alias "CreateProcessAsUserA" (ByVal hToken As Long, ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As SECURITY_ATTRIBUTES, ByVal lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As String, ByVal lpCurrentDirectory As String, ByVal lpStartupInfo As STARTUPINFO, ByVal lpProcessInformation As PROCESS_INFORMATION) As Long

But I didn't found out how to use it correctly. So if anybody knows how one should do to get this to work, I would like to get informed...

[pcsmith]

There has to be an API out there for doing this... I think Dan Appleman's guild would be my first sujjestion as to where to look.

-PC Smith

[DoOMsdAY]

First of all, C2 is the LOWEST security ranking on the EPL. Second, this only applies to Windows NT. Third, as mentioned, this is only for an NT machine that is not networked and has been installed / configured a specific way. [Anonymous, Maximum Security, Page 381.] As for cracking the .pwl file, there is a program called Glide that comes with the 'c' source code on how to crack a 9x password - albeit I have never done so successfully with it. Also, there is another app I've found called 'Cain' that has a brute force method not requiring a dictionary file. It runs through every character in the alphabet, every letter, etc. as you see fit in the options box until it finds it. It also modifies local shares, decrypts screen saver passwords, and attacks remote shares with the same brute force method (or a dictionary file if you like.) If you're NOT trying to get the password and simply trying to log in (not on a network) as somone, simply delete (or rename) their .pwl file!

[DoOMsdAY]

...Almost forgot. PWL files only exist on a Win9x machine. WinNT has a large database called the SAM that stores the usernames and passwords. So this information is not at all applicable to a real machine (IE WinNT, Linux, Etc.) Albeit there is a util called NTFSDOS that allows you to access an NTFS drive via a boot disk thus bypassing all security. Neat, eh? (This is why NT can't get above a C2 rating. Their file system isn't even secure.) Check out http://ntsecurity.nu/ for some of the utils mentioned. (Go to the toolbox.)

P.S. Another way I found to bypass NT security (in case you need to access files on the drive while in NT) is to install NT on another drive, make it the master with the to-be-attacked as a slave, and boot. Since you're Administrator in the one you installed NT to, you can thus access all of the target drive with Administrative rights.

[CSMA-CD]

GOSH!!!

I'm surprised that people just can't focus on the trouble... There is a API Called "GetUserNameA" that get the logged user... That's what the first guy was asking!!!
About security in WinNT 4.0. The process of Crypting/decrypting tha SAM is a question that a lot of people chat for a LOOOONG time.
As long as I remember from NTBuGTRaQ, The process include MD5 hashes, DES Encription, and a MS Proprietary Encryption so it can be very frustrating for someone that don't spend enough time looking the API's for doing that.
BUT you can "not that easily" try to get the PASSWORDS using a BruteForce Attack with the CreateProcessAsUserA API. As everybody know, a simple net command or the ADSI interface can retrieve all the users from a PDC. Using this list with the API, you can get the passwds... But the things aren't that simple... as long you must logon to start the first process to retrieve the userlist, is not that simple to get a User that won't have trouble about a security audit since all failed logins will be logged...
Well, that was just my $0,02...

[Paul282]

Hang on!

What's to gain from a win95/98 password? Desktop access? Only in networking is it really used otherwise you can just press esc.

In networking however (just as a FYI) with an NT server (Workgroups are probably pretty easy though) they use NT challenge response which is quite clever. even if you view it over the network (packet sniffer) you don't get much info.

The NT server sends the client a random number then the client encrypts the password with it and sends it back. The NT server then does the same and compares.

not easy to crack. There are cracks on the net with source for Word6 passwords though. the encryption was just a 16bit hash table. so from the doc you can extract the password and probably find it's the password to all sorts of other things

[Bart]

You could use the following API call:
Declare Function WNetEnumCachedPasswords Lib "mpr.dll" (ByVal s As String, ByVal i As Integer, ByVal b As Byte, ByVal proc As Long, ByVal l As Long) As Long

If you don't know how to use it, mail me.

[DoOMsdAY]

The WNetEnumCachedPasswords is one of many obsolete APIs from Windows for Workgroups. About a year ago, I went looking for a simple API for Windows passwords, and came across those APIs. (WNetGetCachedPassword, etc.) Then after hours of headache, I searched Microsoft and found this document: http://msdn.microsoft.com/library/dd...twork_0228.htm Check it before you give yourself hell playing with obsolete APIs.

[DoOMsdAY]

Gaining the password to a PWL file gives you any Windows stored password the user has. I recently tried my hands at it via Cain and a brute-force crack, and found inside the username and password for internet dial-ups. Usernames and passwords for secure web sites. And (of course) these were not the same as the Windows login. I bet any usernames and passwords that were different from the "log in to Windows" username and password for network shares would be stored in there as well (although I need to check on that.) Once you have the PWL password, you pretty much have them all. Hence people's wish to crack them...

[Joe_Cabral]

There is a sample of the code to do this at
http://www.planet-source-code.com/vb...txtCodeId=2137

I tried it awhile back & as I remember it worked pretty good. Only for 95/98 tho.

[LivingLight]

I am having trouble on my network with the 2nd Windows Password Dialog box that pops up after logging in for the first time to the network. In 95, once I have configured a machine for a user, the first time that user logs into the domain, Windows pops up another password box for the Windows password. I have looked on Microsoft's site and they say that the second password box is for the Windows password and the first is for the network. Is there any VB Script or anything that can edit the registry or change something to keep this box from popping up the first time anyone logs in? I'm a newbie to VB, but I know it can do wonders. I appreciate your help.

[ipsteal]

I think this is what you may be asking for. Try it and see if it does what you are trying to do.

1) Open Control Panel
2) Open Network
3) Locate the "Primary Network Logon:" combobox
4) Change the selection to "Windows Logon"
5) typical windows reboot to activate changes

If this doesn't work or I am attacking the wrong question, sorry. Good luck!

[Mag-Net]

There is a trojan horse out there called "GirlFriend", it was written in delphi, and the source is available, and inside the source you see how it gets all teh cached passwords, and decrypts them, these include dial ups and stuff, but dont be stupid with it, please.

[LivingLight]

You may be on the right track, but I still need to maintain the ability to log on to the domain. With Windows Logon, it only logs you on to the machine, with no blank for domain. Technically, if the name and password were the same for both, it would not cause any problems, but I need to run Logon Scripts which would not run if the user did not log on to the domain. I appreciate your reply. If anyone is experienced in java or something that could clear the 2nd password dialog box and press enter that would be nice. Thanks.