Saturday, July 11, 2009

User Account Analysis

Something I picked up on recently (albeit not directly at the SANS Summit) was how to determine if a password had been set on a system, when all you have is an image to analyze. Brendan has provided tools to use with Volatility to extract Registry hives from Windows XP memory dumps, and subsequently to extract hashes, but what if you only have an image of a system? Well, one of the user flags extracted by the RegRipper samparse plugin is "Password not required", this does NOT mean that the account doesn't have a password.

What I got from someone at MS is as follows:
That specifies that the password-length and complexity policy settings do not apply to this user. If you do not set a password then you should be able to enable the account and logon with just the user account. If you set a password for the account, then you will need to provide that password at logon. Setting this flag on an existing account with a password does not allow you to logon to the account without the password.

Another thing you can do is extract the System and SAM hives and run them through SAMInside. If you like CLI tools better, try using's got the same functionality.

Where something like this won't work is when the system is accessed by domain users, as their user account information isn't stored in the local SAM hive file.

No comments: