Jump to content

Why would a SAM file password be in clear text in memory?

Paper Tiger

Recommended Posts

long story short: I had a box at work get compromised at and I pulled it off the network then initiated a forensic investigation. When the vendor came back with the report one section showed a memory dump of all the accounts on the box. All except one account showed their passwords encrypted, that last account showed the password in clear text in memory. What can I start looking up to understand how or why this would happen? I figured this would be a good place to ask this question. The PC is windows 7 and the account that had it's PW in clear text in the memory dump was domain admin.

Link to comment
Share on other sites

My first thinking is that the pwning of the box resulted in a program being resident in memory with the unencrypted domain admin password at its disposal. So it's not so much the OS that had it in plain text but rather the attacker.

Even storing the actual password, encrypted or not, is a bad idea. The user should provide it and the target platform should retain information about it without actually storing the thing itself (a.k.a. a password hash).

Link to comment
Share on other sites

Not really (really not). But it shouldn't be hard to consider what I'm saying.

My assumption is that, as you say, Windows only retains the hashed password on disk - never unencrypted. You have a memory dump on disk which I'm assuming to be the full memory. So not just the Windows OS relevant bits but the whole shebang. If there's a program running at the time of the dump that, for whatever reason, had the string "BendOverAndTakeItLikeAConvict" in memory, and this program hadn't been swapped out to disk yet, it would show that exact string somewhere in the memory dump.

If you think this string was in memory because of some program you yourself wrote, there are ways to prevent them from ending up in swap:


Windows & Linux (2nd answer)

Your friends at IBM provide some more details on how to do it in code and, specifically, in managed languages like Python and Java.

Link to comment
Share on other sites

have you found any tools left behind? A virus scan might show the location where the guy made him self feel at home...

Try to recover deleted files from the locations discovered...

This sounds like alot of fun... I'm sure a publicly available tool was uploaded to the windows 7 machine to crack the password. But the exploits used would be exciting to hunt down... or what if it was done from a person in the building... boot up the windows 7 machine with kali and give me ssh :-)

Link to comment
Share on other sites

I know right I love this detective stuff. Too bad Management took the PC and turned it over to an outside vendor before I could complete the decryption process and use bootable tools. :( However they did tell me that they're going to pay for my OSCP to get more of this going on in house. OSCP is a good start....

Scanning didn't show anything, and carbon black was ineffective too. the only way we knew the box was compromised was from insider threat software setting off an alarm from a time when the user was out of the office. I scanned that PC with a bunch of free tools and didn't find anything.

Link to comment
Share on other sites

  • 3 months later...
  • 2 weeks later...
  • 3 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...