Windows passwords stored in memory...LOL

JerryMungo

Honorary Master
Joined
Jul 18, 2008
Messages
37,541
Reaction score
6,288
So Windows hashes and stores your password in non-reversible hash format on the hard drive (SAM files). This is somewhat secure as it means when you log in, it simply hashes the password you supply and compares the hashed version with the stored hashed password. If it's a match, you're in. The idea is to not store the password in any reversible format on the drive...

That can easily be bypassed with many utilities - while you can't decrypt the hash to get the password, you can clear the password or set it to something else if you can boot from the PC using one of many security distros....

Enter Mimikatz...
http://blog.gentilkiwi.com/mimikatz

Run that little console utility and enter:
Code:
privilege:debug
sekurlsa::logonPasswords full
And there you have it...
I'll leave that for you to test (run the binary as administrator).

I was surprised after learning all about the security behind hashing and not storing the PW in any reversible format on the drive... turns out it is indeed stored in memory in reversible format. I've tested on Windows 8.1 using a Microsoft account linked user.
 
Last edited by a moderator:
Not to be offensive, but this is old news.
The whole SAM files thing was there, from as late as I can remember, W2K.
 
This is no different than any linux distro, which is just as easy to clear a password on with a boot cd
 
Not to be offensive, but this is old news.
The whole SAM files thing was there, from as late as I can remember, W2K.

Not offended in any way. The age of news is all relative. Microsoft knew about it before you got your copy of windoze... let alone when you first heard about it ;)
 
This is no different than any linux distro, which is just as easy to clear a password on with a boot cd

This is not clearing passwords with a boot CD. This is revealing the password in plain text on your screen :) No need to boot up with anything, just run a portable app off flash and there you have it.
 
while you can't decrypt the hash to get the password

Try OPHcrack:
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
 
You said you cant decrypt the password from the hash OPHCrack does just that and you don't need to be logged onto the computer.

OPHCrack does not decrypt the password. It's not possible to decrypt the hash. It compares hashes for known passwords with the hashes stored on the drive.
Have a read regarding rainbow tables...
http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html

Code:
Length Of Password           Number Of Possibilities     Size Of Table
4 characters                      35,153,041                    913 MB
5 characters                      2,706,784,157                70 GB
6 characters                      208,422,380,089             5.4 TB
7 characters                      16,048,523,266,853         417 TB
8 characters                      1,235,736,291,547,681     32 PB (PetaBytes, 10^15)
Don't you love the size of the rainbow table for an 8 character PW lol
 
Last edited by a moderator:
OPHCrack does not decrypt the password. It's not possible to decrypt the hash. It compares hashes for known passwords with the hashes stored on the drive.

Always possible
 
Always possible

You're going to have to back that up a little.
Here's an analogy...
I give you some glucose (hash) extracted from a natural source. Can you reverse the process to determine exactly what it was extracted from (password)?
You can get the same glucose (hash) from a number of sources (passwords), but you can't, given only glucose (hash), tell what the source (password) of that glucose is.

Feel free to rebut.
 
Last edited by a moderator:
Until we move into the cloud OS (OSaaS) sphere, local password visibility will always be a possibility (and in various reasons due to recovery principles).
 
Until we move into the cloud OS (OSaaS) sphere, local password visibility will always be a possibility (and in various reasons due to recovery principles).

I don't get the point of storing the PW in a reversable format in RAM when you take the trouble to store hashes on the drive. If someone can get your windows password, chances are better that they can figure out other passwords.
 
Always possible

You're going to have to back that up a little.

Negative.

Difference between cracking and decrypting.

Decrypting here would refer to using a formula to get the password from the hash. I.e. it will work for any hash, with the same number of steps.

Hacking would refer to what OPHCrack does: it takes a password, encrypt it, and store the password and hash. Then it takes the next password, encrypt, store... Eventually you have a large database of passwords with their hashes, so you simply have to lookup your hash to see the password. If you don't have the hash yet, you'll have to wait for your PC to eventually get to a correct password to generate that hash.
 
Difference between cracking and decrypting.

Decrypting here would refer to using a formula to get the password from the hash. I.e. it will work for any hash, with the same number of steps.

Hacking would refer to what OPHCrack does: it takes a password, encrypt it, and store the password and hash. Then it takes the next password, encrypt, store... Eventually you have a large database of passwords with their hashes, so you simply have to lookup your hash to see the password. If you don't have the hash yet, you'll have to wait for your PC to eventually get to a correct password to generate that hash.

I disagree with the bolded bit. It gets you a password, not the password.

Per definition, decryption is the reverse process of encryption. Again, per definition, hashing does not qualify as encryption, as the original input to the hashing algorithm cannot reliably be obtained, only input with an identical hash output.
 
Difference between cracking and decrypting.

Decrypting here would refer to using a formula to get the password from the hash. I.e. it will work for any hash, with the same number of steps.

Hacking would refer to what OPHCrack does: it takes a password, encrypt it, and store the password and hash. Then it takes the next password, encrypt, store... Eventually you have a large database of passwords with their hashes, so you simply have to lookup your hash to see the password. If you don't have the hash yet, you'll have to wait for your PC to eventually get to a correct password to generate that hash.

Not to nit-pick, but both are hacking. The second is brute force (in the example you gave). OPHCrack can also use existing rainbow tables where a number of hashes are already generated and can be dowloaded. It then simply needs to look up the hash in the tables and return the corresponding password. The real issue with that is the size of those rainbow tables as in previous post... not very practical. Either way, Windows can be hacked in a number of ways, the OP was more to demonstrate that what we often hear about Windows' approach to security is not necessarily correct - passwords are in fact stored in reversible format.

I disagree with the bolded bit. It gets you a password, not the password.

Per definition, decryption is the reverse process of encryption. Again, per definition, hashing does not qualify as encryption, as the original input to the hashing algorithm cannot reliably be obtained, only input with an identical hash output.

Agree in principle. Since most people use passwords that can easily be recalled from memory, chances are that any dictionary based attack (including rainbow tables based on dictionary passwords) would reveal the actual password....
 
Last edited by a moderator:
Don't worry about nit-picking - it's always good to learn something new, or to correct one's knowledge where faulty. I regarded hashing as encryption.

Aah, gotcha! Yeah, the subtleties seem pedantic sometimes.
 
Top
Sign up to the MyBroadband newsletter
X