Plugin: SAMParse
I thought I'd take a moment to discuss the samparse.pl plugin. This plugin parses the SAM hive file for information regarding user accounts local to the system itself, as well as their group membership, both of which can be very valuable and provide a good amount of insight for the analyst, depending upon the case. The information retrieved by this plugin should be correlated against the output of the profilelist.pl plugin, as well as the user profiles found within the file system.
One of the initial sources for parsing the binary data maintained within the SAM hive is the Offline Windows Password and Registry Editor. There is also a good deal of useful information in this AccessData PDF document.
An interesting piece of information displayed by this plugin, if available, is the user password hint. This capability was part of the plugin starting on 20 Oct 2009 (the capability was included in XP), and discussed by SpiderLabs almost 3 years later. This may provide useful information for an analyst...I have actually seen what turned out to be the user's password here!
Perhaps one of the most confusing bits of information in the output of the samparse.pl plugin is the "Password not required" entry. This is based on a check of a flag value, and means just that...that a password is not required. It does NOT mean that the account does not have a password...it simply means that one is not required. As such, you may find that the account does, indeed, have a password. I've seen posts to various forums and lists that either ask about this setting, or simply state that the output of RegRipper is incorrect. I am always glad to entertain and consider issues where the interpretation of a Registry value or data flag setting is incorrect, particularly if it is supported with solid data.
If you're analyzing a Vista or Windows 7 system and run across something suspicious regarding the local user accounts, remember that you will have a copy of the SAM hive in the Windows\system32\config\RegBack folder that you can incorporate into your analysis, and that you may also have older SAM hives in available VSCs.
Finally, there's a version of this plugin that provides timeline (TLN) output for various bits of time stamped date, to include account creation date, the password reset date, the last password failure date, and the last login. Incorporating this into your timeline, along with the historical information available in other Registry resources (such as those mentioned in the above paragraph), can provide considerable insight into user activity on the system.
Resources
MS KB305144 -
Scripting Guy blog, 7/7/2006
One of the initial sources for parsing the binary data maintained within the SAM hive is the Offline Windows Password and Registry Editor. There is also a good deal of useful information in this AccessData PDF document.
An interesting piece of information displayed by this plugin, if available, is the user password hint. This capability was part of the plugin starting on 20 Oct 2009 (the capability was included in XP), and discussed by SpiderLabs almost 3 years later. This may provide useful information for an analyst...I have actually seen what turned out to be the user's password here!
Perhaps one of the most confusing bits of information in the output of the samparse.pl plugin is the "Password not required" entry. This is based on a check of a flag value, and means just that...that a password is not required. It does NOT mean that the account does not have a password...it simply means that one is not required. As such, you may find that the account does, indeed, have a password. I've seen posts to various forums and lists that either ask about this setting, or simply state that the output of RegRipper is incorrect. I am always glad to entertain and consider issues where the interpretation of a Registry value or data flag setting is incorrect, particularly if it is supported with solid data.
If you're analyzing a Vista or Windows 7 system and run across something suspicious regarding the local user accounts, remember that you will have a copy of the SAM hive in the Windows\system32\config\RegBack folder that you can incorporate into your analysis, and that you may also have older SAM hives in available VSCs.
Finally, there's a version of this plugin that provides timeline (TLN) output for various bits of time stamped date, to include account creation date, the password reset date, the last password failure date, and the last login. Incorporating this into your timeline, along with the historical information available in other Registry resources (such as those mentioned in the above paragraph), can provide considerable insight into user activity on the system.
Resources
MS KB305144 -
Scripting Guy blog, 7/7/2006