Someone uses RegRipper

I was pleasantly surprised the other day to receive a forwarded post from a list that I don't have access to where someone had successfully used RegRipper. I don't get a lot of these, so when I do, I like to see if the author would be willing to post their comments publicly, or grant me permission to do so. In this case, the author has said that I can post this, so here it is, in its entirety (and completely unsolicited)...

I thought the group might benefit from some interesting observations I have had with a Vista Home Basic edition machine.

#1 regarding user account Windows logon passwords: Three apps were used to evaluate logon passwords: 1) latest version of Ophcrack with Vista rainbow tables, 2) AccessData Registry Viewer, and 3) Harlan Carvey's RegRipper. Ophcrack found 3 SIDs, each with NT passwords. 2 of the 3 shared the same password (the family last name followed by the digit "3"). The 3rd user's PW was "not found" in the rainbow table.

PRTK was used to attempt to recover the 3rd PW, but I stopped it after 5 days when nothing was recovered using a custom dictionary and profile constructed from the exported word list from FTK. Registry Viewer displays the date on which all user PW were changed, and lists the NT PW as "True" for all 3 users. Viewer also displays the "hint" for each user's PW, and for all 3 it is "name + number." Hmmm......the plot thickens. :)

PRTK used again, this time to extract IE7 Intelliforms data. No success using PW supplied by Ophcrack. Multiple sessions with AccessData proved PRTK does extract this stuff EASILY, so I assumed I had a bad image, a bad export, the wrong index.dat files, etc. Days of retrying proved fruitless.

Ran RegRipper against the SAM file, and it says the 2 accounts for which Ophcrack supplied a PW don't require a PW. Remember, Viewer also said the PW was set to "True." For the 3rd user, RegRipper said "Password does not expire." Okay, so I rerun PRTK to extract the IE7 Intelliforms data, and this time I leave the logon PW field blank (meaning no PW). Bingo! I get it all.

So, Ophcrack says PW, Registry Viewer says PW, RegRipper says PW not required, PRTK extracts Intelliforms data only when no PW is supplied. So, it looks like RegRipper wins! Go Harlan!! As for the 3rd user, I've tried the name + number PW and no PW, but still no success. It's not absolutely necessary for the case, so I'm not pursuing it any further.

#2 regarding groups to which SIDs are assigned: A few weeks back I posted to the listserv asking about how to tell if a user had Admin privileges. Several responses said to examine the "groups" key in the SAM file. I looked at these keys with AccessData Registry Viewer. Viewer listed the different groups available on the machine, but not which users were in each group. I responded to the listserv with this result, but nobody came back at me with an answer. Well, RegRipper lists the available groups on the machine, the number of users in each group, and the terminal segment of the SID for each user in the group. Wow! Harlan wins again!! Perhaps Viewer does provide this information, but it is not readily available or visible to the user. So, if I am falsely accusing Viewer of not providing this information, please set me straight.

Okay, I think I've taken enough of your time. Hope all have a Happy Easter and a good Passover.

Regards,

Louis M. Schlesinger, PI, CCE, CFC, CIFI, WCSI, ACE
CyForensics, LLC
A Licensed Investigative Agency
Macon, Georgia
Voice: 478-731-0752
Fax: 478-922-9020
Email: cyforensics@cyforensics.com
Website: www.cyforensics.com
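The "Password not required" and "Password does not expire" lines that RegRipper printed for the accounts in the post above come from the account control bits (ACB) stored in each user's F value under SAM\Domains\Account\Users\<RID>, and the "terminal segment of the SID" it prints for group members is the RID. The following is an added example, not RegRipper's code and not part of the forwarded post: it decodes those fields from constructed F values. It assumes the field offsets used by RegRipper's samparse plugin (password-last-set FILETIME at 0x18, RID at 0x30, ACB flags at 0x38) and the standard ACB bit names; the three sample accounts are constructed to mirror the ones described in the post, not taken from it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Account control bits (ACB) as reported by RegRipper's samparse plugin.
ACB_FLAGS = (
    (0x0001, "Account Disabled"),
    (0x0002, "Home directory required"),
    (0x0004, "Password not required"),
    (0x0008, "Temporary duplicate account"),
    (0x0010, "Normal user account"),
    (0x0020, "MNS logon user account"),
    (0x0040, "Interdomain trust account"),
    (0x0080, "Workstation trust account"),
    (0x0100, "Server trust account"),
    (0x0200, "Password does not expire"),
    (0x0400, "Account auto locked"),
)
ACB_PWNOTREQ = 0x0004

# Field offsets inside SAM\Domains\Account\Users\<RID>\F (assumed from samparse.pl).
OFS_PWD_RESET = 0x18   # FILETIME, last time the password was set
OFS_RID = 0x30         # uint32 relative identifier
OFS_ACB = 0x38         # uint16 account control bits
MIN_F_LEN = 0x3A

EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01, in 100 ns units


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME to a UTC datetime; 0 means 'never'."""
    if ft == 0:
        return None
    micros = (ft - EPOCH_DIFF_100NS) // 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)


def decode_acb(acb):
    """Return the names of all ACB bits set in the 16-bit flags word."""
    return [name for bit, name in ACB_FLAGS if acb & bit]


def parse_f_value(f):
    """Decode RID, ACB flags and password-last-set time from a raw F value."""
    if len(f) < MIN_F_LEN:
        raise ValueError("F value too short (%d bytes)" % len(f))
    pwd_reset = struct.unpack_from("<Q", f, OFS_PWD_RESET)[0]
    rid = struct.unpack_from("<I", f, OFS_RID)[0]
    acb = struct.unpack_from("<H", f, OFS_ACB)[0]
    return {
        "rid": rid,
        "acb": acb,
        "flags": decode_acb(acb),
        "pwd_last_set": filetime_to_datetime(pwd_reset),
    }


def rid_from_key_name(name):
    """Users subkeys are named by RID in zero-padded hex, e.g. '000003E8' -> 1000."""
    return int(name, 16)


def rid_from_sid(sid):
    """The terminal segment of a SID (what RegRipper prints per group member) is the RID."""
    return int(sid.rsplit("-", 1)[1])


def build_f_value(rid, acb, pwd_reset_ft=0):
    """Construct a minimal 0x50-byte F value with only the fields used above populated."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, OFS_PWD_RESET, pwd_reset_ft)
    struct.pack_into("<I", f, OFS_RID, rid)
    struct.pack_into("<H", f, OFS_ACB, acb)
    return bytes(f)


# Constructed sample (not from the post): two accounts flagged "Password not required",
# one flagged "Password does not expire"; all three last set on 2008-03-21 00:00 UTC.
PWD_SET_2008_03_21 = 128505312000000000
SAMPLE_USERS = {
    "000003E8": build_f_value(1000, 0x0014, PWD_SET_2008_03_21),
    "000003E9": build_f_value(1001, 0x0014, PWD_SET_2008_03_21),
    "000003EA": build_f_value(1002, 0x0210, PWD_SET_2008_03_21),
}


def password_not_required(users):
    """RIDs of accounts carrying the 'Password not required' bit, sorted."""
    return sorted(parse_f_value(f)["rid"] for f in users.values() if parse_f_value(f)["acb"] & ACB_PWNOTREQ)


if __name__ == "__main__":
    for key, f in SAMPLE_USERS.items():
        info = parse_f_value(f)
        print("Users\\%s  RID %d  ACB 0x%04X  pwd set %s" % (key, info["rid"], info["acb"], info["pwd_last_set"]))
        for flag in info["flags"]:
            print("    --> %s" % flag)
    print("Password not required:", password_not_required(SAMPLE_USERS))
```

One caveat worth keeping in mind when reading samparse output: the "Password not required" bit means the account is exempt from the password policy, not that the stored hash is necessarily empty, so a non-blank hash and this flag can both be present on the same account. That is consistent with what the post reports, where the flag was the clue that a blank password was worth trying.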