LM Hashes?


So, I'm first going to give the scenario here and hope that I'm not flamed, as I have read many posts looking for answers before desperately just posting my own, and this isn't exactly the most pleasant place to get help, but what tech board is? So without further prolongment, my situation is as follows...

...in school one of my teachers lets us watch movies pretty much ALL THE TIME, remotely educational ones I might add, only we have to watch them on a television.

At first, one might think, so what's abnormal about that? Well, nothing except the fact that in the classroom is a school-imaged laptop with a lovely projector, basically WE WANNA WATCH

The next thing you might be wondering is, how on earth is this related to LM hashes? Well, here we go; now the scenario as well as the attack are more than easy to understand in theory.

First some background information: now, this year is a little bit different than my previous ones at this school. I was actually on the school's help desk, if you will, and therefore trusted with the admin password to all the computers; unfortunately that program was taken out of the school, so no more students with admin privs. This presents a problem because I can't do all the things I used to be spoiled

Now, not to stray too far away from my actual goal... to be able to watch movies on the lappy in the classroom. I noticed in the years before that we were unable to watch movies even on computers with DVD-ROMs; it didn't take me long to figure out that, well, these banged-up XP wannabe images on the computers have the DVD-ROMs disabled in the local policy, so what do I do? I just enable them again in the local policy editor... DUH!

One problem with that = you need to be logged in as administrator.

Sooooooo...

With some research, including articles, tutorials, videos, and a little self-experience, I've concluded that the most effective way to achieve knowledge of a local user's password is using rainbow tables to find an LM hash's plain text.

Now, my first approach was to use BackTrack and pwdump, BUT... the boot sequence on the machines is HD 1st and the BIOS is password protected. Now, if I was really desperate, yes, of course I could pull the jumper, but I mean, what are the chances of me opening up a computer in the middle of class and not getting, erm... disciplined for it? So, the next thing that caught my eye was that nifty little "USB Switchblade" hack; I must say it's brilliant.

I actually have downloaded and run it off my thumb drive with success on a dummy target. Now, I understand that you need admin privileges to even get the hashes, but seeing as almost the entire school alumni knows me well as being computer knowledgeable, I'm sure getting a staff member to log in as administrator FOR me while I secretly take the hashes won't be much of a task with my cunning and social-engineering-prone personality.

So here's the problem: I watched the Hak5 episode where this exploit is shown, but with the package that I downloaded, and as a matter of fact I've tried all of them, I get useless (well, not exactly useless, but not significant to my dilemma) information, for example saved browser passwords etc. All of that stuff is just lovely and was well noted for perhaps a later exploit, but all I want is some LM hashes for the local users of the system.

So I'm asking this as humbly as I know how, in hopes that it is recognized and returned in the following posts: anyone got the switchblade package with a utility that DOES grab LM hashes that I can download? I tried making my own batch file, which is a little less stealthy but hardly suspicious to the idiots running my school; however, I'm not very successful getting pwdump to work either =[

Thank you in advance,

                        A troubled teen :???:

Okay, so I mentioned in the last post that I didn't have the best luck with pwdump. When I look in the logfile, this is what I get from the SAM dump:

Logon to$ failed: code 53

Maybe I do have the right package installed on my drive; perhaps there's just some type of parameter missing or incorrectly typed in the bat file? I'm unsure, and not to sound impatient, but I'm getting a bit frustrated, as I already promised the teacher that I WOULD get this DVD player to work, since I already knew what the problem was from previous experience. I just can't do anything about it without admin privs :-x

Hmm, well, I don't know what the problem is...

My old non-U3 payload still grabs the hashes etc. without giving me errors, as long as the person is logged in as admin. (You can check if it's still up on the wiki; I just hope you can still get it past the virus scan.)

But also in your last post you said:

"I already promised the teacher that I WOULD get this DVD player to work"

By that I presume you have your teacher's permission, so couldn't you just go get the head of IT (or whoever does that kind of thing there) to turn it on, log in, and make it play?

Anyway, if all else fails you could try and boot a version of Linux off a stick and play the DVD using VLC... (if it'll boot off the stick...)

Thanks for that. I mean, the laptop is a pretty new model and I'm sure the BIOS supports booting from USB; however, I don't know the proper procedure for booting a Linux ISO from your thumb drive, and even if I did... I would still need access to the BIOS to change the boot sequence, wouldn't I?

And some of the movies... no, most of the movies we watch in class the principal wouldn't exactly agree with, I'm more than certain of that, so I can't exactly just get immediate clearance from anyone who knows the password to help me out; but if I did, I would still like to have the password for future troubleshooting that requires admin privs.

So basically the ultimate solver of my problems would be a successful run of pwdump/fgdump, which I have not tried to run on my switchblade yet. That will be my next trial; however, I'm unsure why pwdump won't work, though.

Actually, there might be... I didn't look, but the DVD player as well as the TV are drilled to the ceiling, and I'm not sure if we even had a video/audio cord to extend that long. Thanks for your help as well, though; both of those are valid ideas as well as 'almost' effective implements.

Much appreciated =]

Is the laptop part of a domain? If so, then aren't the hashes stored as NTLM hashes (not LM hashes) on some other server for authentication, which means it should have some backup copy on the local machine if it cannot reach the domain to authenticate? (I am just guessing here, but not sure.) I have never tried to rip a hash other than on my own machine, which is fairly easy with something like Cain or ophcrack, but then again you need to be able to boot from CD for ophcrack, and without the BIOS you can't choose this. Cain will (or should) set off any virus scanners upon use, so that will be a problem as well.

The other option is to find the exact registry key that controls what you want and just add the key to the registry to enable/disable the settings. (This should even be possible without admin access, but I do not see that they would disable registry access from .reg files. We disable access to Regedit on our LAN, but you can still manually patch settings with .reg files, which kind of defeats the purpose of disabling access to Regedit.)

Either way, you're at school. You get caught, it's on you. Be careful whatever you decide to do.
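The reply above touches the three things a Windows administrator actually controls here: whether the weak LM hash is stored at all, which LM/NTLM response the host sends, and how many domain logons are cached locally. The following PowerShell audit is an added example and not code from anyone in this thread; it reads the documented registry values (NoLMHash and LmCompatibilityLevel under the Lsa key, CachedLogonsCount under Winlogon) and reports which of them leave the host exposed. The thresholds it flags on and the function names are my own choices, and the hardening function must be run as a local administrator because it writes under HKLM.

```powershell
# Added example (not from the thread): audit the settings that decide whether a
# Windows host still stores the weak LM hash and keeps cached domain logons.
# Registry locations are the documented ones; the flagged thresholds are assumptions.

function Get-LmHashExposure {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # NoLMHash = 1 stops the LM hash from being written at the next password change.
    $noLmHash = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    # LmCompatibilityLevel >= 3 means the client only sends NTLMv2 responses on the wire.
    $lmLevel  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # CachedLogonsCount (stored as REG_SZ) is how many domain logons are cached locally.
    $cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    $findings = @()
    if ($noLmHash -ne 1) {
        $findings += 'NoLMHash is not 1: LM hashes may still be stored for passwords shorter than 15 characters.'
    }
    if ($null -eq $lmLevel -or $lmLevel -lt 3) {
        $findings += "LmCompatibilityLevel is '$lmLevel': LM/NTLMv1 responses may be sent on the network."
    }
    if ($null -eq $cached -or [int]$cached -gt 0) {
        $findings += "CachedLogonsCount is '$cached': domain credentials are cached on this machine."
    }

    [pscustomobject]@{
        NoLMHash             = $noLmHash
        LmCompatibilityLevel = $lmLevel
        CachedLogonsCount    = $cached
        Findings             = $findings
    }
}

# Remediation a local administrator would apply. NoLMHash only affects hashes
# written from now on: existing LM hashes stay until each password is changed.
function Set-LmHashHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

Get-LmHashExposure | Format-List
```

Run the audit first and look at the Findings list; an empty list means none of the three checks fired. After Set-LmHashHardening, force a password change on local accounts so the already-stored LM hashes are actually replaced, and set CachedLogonsCount through Group Policy rather than by hand if the machine is domain-joined, since the domain policy will otherwise overwrite a local edit.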

lol... well, it is part of a domain, somewhat. Every student/teacher has been assigned individual usernames & passwords to authenticate EACH user, whereas before we would all sign in as username student or teacher or administrator... When logging in there is a drop-down menu that allows you to select where you would like to log in (This Computer, or the BCPS Domain (Baltimore County Public Schools)). If you choose to log in to 'the computer', administrator will work, I know this only from prior experience; however, logging in with a personal authentication, it would authenticate from a huge server, idk how big exactly, but when I looked at how much free space I had available on my BCPS drive it was 500GB, and every user is like that, but I'm thinking it might be shared? Because 500GB * # of students in BCPS = very expensive & pointless =/

When I run bkhive /mnt/sda1/windows/sys32/config/sysem key

I get boot key: some random hex thing
error writing to key

Is this because the file is set to read-only or something? I'm not sure how or why that attribute might be set, as well as being put into effect, since I didn't boot from Windows, I was on BackTrack. Or is there another reason why I might be getting that error?

Thoughts appreciated
