Monday, April 13, 2009

Someone uses RegRipper

I was pleasantly surprised the other day to receive a forwarded post from a list that I don't have access to where someone had successfully used RegRipper. I don't get a lot of these, so when I do, I like to see if the author would be willing to post their comments publicly, or grant me permission to do so. In this case, the author has said that I can post this, so here it is, in its entirety (and completely unsolicited)...

I thought the group might benefit from some interesting observations I have had with a Vista Home Basic edition machine.

#1 regarding user account Windows logon passwords: Three apps were used to evaluate logon passwords: 1) latest version of Ophcrack with Vista rainbow tables, 2) AccessData Registry Viewer, and 3) Harlan Carvey's Regripper. Ophcrack found 3 SIDs, each with NT passwords. 2 of the 3 shared the same password (the family last name followed by the digit "3"). The 3rd user's PW was "not found" in the rainbow table.

PRTK was used to attempt to recover the 3rd PW, but I stopped it after 5 days when nothing was recovered using a custom dictionary and profile constructed from the exported word list from FTK. Registry Viewer displays the date on which all user PW were changed, and lists the NT PW as "True" for all 3 users. Viewer also displays the "hint" for each user's PW, and for all 3 it is "name + number." Hmmm......the plot thickens. :)

PRTK used again, this time to extract IE7 Intelliforms data. No success using PW supplied by Ophcrack. Multiple sessions with AccessData proved PRTK does extract this stuff EASILY, so I assumed I had a bad image, a bad export, the wrong index.dat files, etc. Days of retrying proved fruitless.

Ran Regripper against the SAM file, and it says the 2 accounts for which Ophcrack supplied a PW, don't require a PW. Remember, Viewer also said the PW was set to "True." For the 3rd user, Regripper said "Password does not expire." Okay, so I rerun PRTK to extract the IE7 Intelliforms data, and this time I leave the logon PW field blank (meaning no PW). Bingo! I get it all.

So, Ophcrack says PW, Registry Viewer says PW, Regripper says PW not required, PRTK extracts Intelliforms data only when no PW is supplied. So, it look like Regripper wins! Go Harlan!! As for the 3rd user, I've tried the name + number PW and no PW, but still no success. It's not absolutely necessary for the case, so I'm not pursuing it any further.

#2 regarding groups to which SIDs are assigned: A few weeks back I posted to the listserv asking about how to tell if a user had Admin privileges. Several responses said to examine the "groups" key in the SAM file. I looked at these keys with AccessData Registry Viewer. Viewer listed the different groups available on the machine, but not which users were in each group. I responded to the listserv with this result, but nobody came back at me with an answer. Well, Regripper lists the available groups on the machine, the number of users in each group, and the terminal segment of the SID for each user in the group. Wow! Harlan wins again!! Perhaps Viewer does provide this information, but it is not readily available or visible to the user. So, if I am falsely accusing Viewer of not providing this information, please set me straight.

Okay, I think I've taken enough of your time. Hope all have a Happy Easter and a good Passover.


Louis M. Schlesinger, PI, CCE, CFC, CIFI, WCSI, ACE
CyForensics, LLC
A Licensed Investigative Agency
Macon, Georgia
Voice: 478-731-0752
Fax: 478-922-9020
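Louis's "Password not required" and "Password does not expire" lines come from the ACB (account control bits) field in each user's F value under SAM\Domains\Account\Users. The following is an added example, not code from the post, from RegRipper or from Registry Viewer; it decodes that field (and the FILETIME timestamps beside it) from a constructed F value. The field offsets are this example's assumption, following the layout the samparse plugin reads, so confirm them against a hive you trust before relying on them.

```python
import struct
from datetime import datetime, timedelta, timezone

# ACB (account control bits) flag values from samr.h; the labels are the
# ones RegRipper's samparse plugin prints for each set bit.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integer arithmetic to avoid float rounding."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def decode_acb_flags(flags):
    """Names of the set ACB bits, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if flags & bit]

# Field offsets inside the F value. ASSUMPTION of this example: they follow
# the layout samparse reads (RID at 0x30, ACB flags at 0x38, and so on).
OFF_LAST_LOGIN, OFF_PWD_RESET, OFF_ACCT_EXP, OFF_PWD_FAIL = 0x08, 0x18, 0x20, 0x28
OFF_RID, OFF_ACB, OFF_FAILED_COUNT, OFF_LOGIN_COUNT = 0x30, 0x38, 0x40, 0x42

def parse_sam_f_value(f):
    """Decode the documented fields of one user's F value into a dict."""
    if len(f) < OFF_LOGIN_COUNT + 2:
        raise ValueError("F value too short")
    def u(fmt, off):
        return struct.unpack_from(fmt, f, off)[0]
    acb = u("<H", OFF_ACB)
    return {
        "rid": u("<I", OFF_RID),
        "last_login": filetime_to_datetime(u("<Q", OFF_LAST_LOGIN)),
        "pwd_reset": filetime_to_datetime(u("<Q", OFF_PWD_RESET)),
        "acct_expires": filetime_to_datetime(u("<Q", OFF_ACCT_EXP)),
        "pwd_fail": filetime_to_datetime(u("<Q", OFF_PWD_FAIL)),
        "acb_flags": acb,
        "acb_names": decode_acb_flags(acb),
        "failed_count": u("<H", OFF_FAILED_COUNT),
        "login_count": u("<H", OFF_LOGIN_COUNT),
    }

def build_sample_f(rid, acb, pwd_reset, login_count):
    """CONSTRUCTED test data: an 80-byte F value with only the fields above populated."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, OFF_PWD_RESET, datetime_to_filetime(pwd_reset))
    struct.pack_into("<I", f, OFF_RID, rid)
    struct.pack_into("<H", f, OFF_ACB, acb)
    struct.pack_into("<H", f, OFF_LOGIN_COUNT, login_count)
    return bytes(f)

# Two constructed accounts mirroring the thread: one flagged "Password not
# required" (blank password), one flagged "Password does not expire".
RESET_DATE = datetime(2008, 11, 2, tzinfo=timezone.utc)
SAMPLE_BLANK_PW = build_sample_f(1000, 0x0010 | 0x0004, RESET_DATE, 42)
SAMPLE_NO_EXPIRE = build_sample_f(1002, 0x0010 | 0x0200, RESET_DATE, 7)

def report(f):
    """One-line summary in the spirit of samparse output."""
    info = parse_sam_f_value(f)
    reset = info["pwd_reset"].strftime("%Y-%m-%d %H:%M:%S UTC") if info["pwd_reset"] else "never"
    return "RID %d | pwd reset %s | logins %d | %s" % (
        info["rid"], reset, info["login_count"], ", ".join(info["acb_names"]))

if __name__ == "__main__":
    for sample in (SAMPLE_BLANK_PW, SAMPLE_NO_EXPIRE):
        print(report(sample))
```

The flag bits are what decide "does this account require a password"; a tool that answers that question from the presence of an NT hash instead will disagree with samparse on exactly the accounts Louis ran into.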


Ken Pryor said...

I've said it before in your forums and I'll say it here, RegRipper is one fantastic tool. I use it all the time and am always amazed at how useful it is. Glad to see others spreading the word as well. Thanks again, Harlan.

Keydet89 said...


Thanks! Having this stuff public, and visible in as many locations as possible, is immensely helpful in getting the word out.

Also, thanks to Louis, I updated the samparse plugin, as well. ;-)

Jimmy_Weg said...

RR can indeed be invaluable. In the recent versions of RV, the reporting of Password Required is incorrect. From what I recall, RV reports true when the NT hash is the null value: 31D6CFE0D16AE931B73C59D7E0C089C0. So, it's true that there is a password hash, but there is no password. I just checked again and RV reports as I mentioned, while RR (and SamInside) report correctly.

Concerning the Vista Intelliforms, it's important to remember that, absent values in the keys, there are no encrypted data. You have a key for passwords and forms, respectively. As Louis said, leaving out the password will get results, if there are encrypted values and there is no password.

I haven't used Ophcrack, but something seems wrong if it's reporting an actual password. Perhaps load the "password" into a custom dictionary and see what RV reports. I'd also check the password hashes.
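The hash Jimmy quotes is the NT hash of the empty string: MD4 over the UTF-16LE encoding of "" (which is MD4 of zero bytes). The block below is an added example, not code from the post or from any of the tools discussed; it carries a pure-Python MD4 (RFC 1320, used because many OpenSSL 3 builds keep md4 in the legacy provider so hashlib cannot be relied on), derives that constant, and shows the difference between "an NT hash is stored" and "a password is set" when triaging exported hashes. The account records at the bottom are constructed.

```python
import struct

# NT hash of an empty password, i.e. MD4(UTF-16LE("")) = MD4(b"").
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

def md4(data):
    """MD4 per RFC 1320 (pure Python; hashlib's md4 is often unavailable)."""
    M = 0xFFFFFFFF
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & M

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
        state = [(s + v) & M for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT (NTLM) hash: MD4 of the password encoded as UTF-16LE, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()

def password_required_naive(nt_hex):
    """The reading Jimmy attributes to Registry Viewer: any stored hash counts as 'True'."""
    return nt_hex is not None and nt_hex != ""

def classify_nt_hash(nt_hex):
    """Distinguish 'no hash', 'hash of a blank password' and 'password set'."""
    if nt_hex is None or nt_hex == "":
        return "no NT hash stored"
    if nt_hex.lower() == EMPTY_NT_HASH:
        return "blank password (hash present, empty string)"
    return "password set"

def find_blank_password_accounts(records):
    """Return the usernames whose NT hash is the empty-password hash."""
    return [user for user, nt_hex in records if classify_nt_hash(nt_hex).startswith("blank")]

# CONSTRUCTED records in the shape of a (user, NT hash) export; none are real.
SAMPLE_RECORDS = [
    ("family1", "31D6CFE0D16AE931B73C59D7E0C089C0"),
    ("family2", "31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("family3", nt_hash("NotTheHint3")),   # a set password, value constructed here
    ("Guest", None),                       # no hash stored at all
]

if __name__ == "__main__":
    for user, h in SAMPLE_RECORDS:
        print("%-8s naive 'Password Required'=%-5s actual: %s"
              % (user, password_required_naive(h), classify_nt_hash(h)))
    print("blank-password accounts:", find_blank_password_accounts(SAMPLE_RECORDS))
```

For triage, the useful check is the classification, not the presence of a hash: an account whose stored NT hash equals the empty-string value logs on with no password even though a "hash" exists, which is why PRTK succeeded only once the password field was left blank.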