What is SAM?
SAM is short for Security Accounts Manager, which is located on the PDC and holds information on all user accounts and passwords. While the PDC is running, the SAM is almost always open and in use.
What do I do with a copy of SAM?
You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it up into one of the many applications for cracking passwords, such as L0phtCrack, which is available from: http://www.L0phtCrack.com
Of interest to hackers is the fact that all access control and assorted parameters are located in the Registry. The Registry contains thousands of individual items of data, grouped into “keys”, each of which may hold one or more values. These keys are grouped together into subtrees, placing like keys together and making copies of others into separate trees for more convenient system access.
The Registry is divided into four separate subtrees. These subtrees are called HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT.
We’ll go through them from most important to the hacker to least important to the hacker.
First and foremost is the HKEY_LOCAL_MACHINE subtree. It contains five different keys. These keys are as follows:
- SAM and SECURITY – These keys contain the info such as user rights, user and group info for the domain (or workgroup if there is no domain), and passwords. In the NT hacker game of capture the flag, this is the flag. Bag this and all bets are off.
The keys are binary data only (for security reasons) and are typically not accessible unless you are an Administrator or in the Administrators group. It is easier to copy the data and play with it offline than to work on it directly.
- HARDWARE – this is a storage database of throw-away data that describes the hardware components of the computer. Device drivers and applications build this database during boot and update it during runtime (although most of the database is updated during the boot process). When the computer is rebooted, the data is built again from scratch. It is not recommended to directly edit this particular database unless you can read hex easily.
There are three subkeys under HARDWARE: the Description key, the DeviceMap key, and the ResourceMap key. The Description key describes each hardware resource, the DeviceMap key holds data specific to individual groups of drivers, and the ResourceMap key tells which driver goes with which resource.
- SYSTEM – This key contains basic operating stuff like what happens at startup, what device drivers are loaded, what services are in use, etc. These are split into ControlSets which have unique system configurations (some bootable, some not), with each ControlSet containing service data and OS components for that ControlSet. Ever had to boot from the “Last Known Good” configuration because something got hosed? That is a ControlSet stored here.
- SOFTWARE – This key has info on software loaded locally. File associations, OLE info, and some miscellaneous configuration data is located here.
The second most important main key is HKEY_USERS. It contains a subkey for each local user who accesses the system, either locally or remotely. If the server is part of a domain and the user logs in across the network with a domain account, their subkey is not stored here but on a Domain Controller. Things such as Desktop settings and user profiles are stored here.
The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly what you would expect: a copy of the subkey from HKEY_USERS for the currently logged in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE, specifically from the SOFTWARE subkey: file associations, OLE configuration and dependency information.
To show Windows Vista “super hidden” files, that is, those files that are normally hidden from the user, you’ll need to access the registry editor.
To turn on (or off) super hidden files: (make sure you backup the registry before making changes)
- Click the Start Button, type “regedit” (Registry Editor) in the search box, and press Enter
- Click Continue to get past the User Account Control hurdle
- On the left panel, double-click to navigate to the key:
- On the right panel, double-click on Superhidden
- In the Value Data box, change the value to “1”
- Click OK
- Exit the Registry Editor
- Restart your machine for the changes to take effect
Add Notepad to the contextual menu (right-button menu):
Create [HKEY_CLASSES_ROOT\*\shell\Open with Notepad\command], click on command, then double-click on “(Default)” in the right pane and edit the string to read notepad.exe %1
Open unknown files in Notepad when clicking on them:
- Create [HKEY_CLASSES_ROOT\Unknown\shell\open\command], click on command, then double-click on “(Default)” in the right pane and edit the string to read notepad.exe %1
- If Notepad still does not open unknown files when you click on them, delete the key openas (export it first)
Note: In Windows Explorer, Open With > Choose Program… will not work anymore.
Well, did you know you could hide your files in a JPEG file? For this, you will only need to download WinRAR. You just need to have a little knowledge of the Command Prompt and have WinRAR installed.
OK, let’s begin…
1. Gather all the files that you wish to hide in a folder anywhere in your PC (make it in C:\hidden – RECOMMENDED).
2. Now, add those files in a RAR archive (e.g. secret.rar). This file should also be in the same directory (C:\hidden).
3. Now, look for a simple JPEG picture file (e.g. logo.jpg). Copy/Paste that file also in C:\hidden.
4. Now, open Command Prompt (Go to Run and type ‘cmd‘). Make your working directory C:\hidden.
5. Now type: “COPY /b logo.jpg + secret.rar output.jpg” (without quotes). Here logo.jpg is the picture you want to show, secret.rar is the file to be hidden, and output.jpg is the file which contains both. 😀
6. Now, after you have done this, you will see a file output.jpg in C:\hidden. Open it (double-click) and it will show the picture you wanted to show. Now try opening the same file with WinRAR, and it will show the hidden archive.
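The trick works because an image viewer stops reading at the JPEG end-of-image marker (FF D9) while WinRAR scans forward for its own signature. As an added example that is not part of the original post, here is a Python check a defender can run over a suspect image: it walks the JPEG marker structure to the real EOI, reports any bytes after it (exactly where COPY /b leaves secret.rar), and looks for a RAR signature in that trailer. The sample JPEG and the stand-in archive are constructed inline.

```python
import struct

# Archive signatures used for the check (standard RAR magic bytes).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive signature

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past EOI (FF D9).
    Entropy-coded data is skipped properly (FF 00 stuffing, RSTn markers), so a
    stray FF D9 inside scan data or an embedded thumbnail is not taken as the end."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: an image viewer stops here
            return pos + 2
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # TEM, SOI, RSTn: no length
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data to next marker
            while True:
                pos = data.index(b"\xff", pos)  # raises ValueError if data runs out
                nxt = data[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2                    # stuffed byte or restart marker: still scan data
                else:
                    break
    raise ValueError("no EOI found (truncated or malformed JPEG)")

def inspect_jpeg(data: bytes) -> dict:
    """Report how many bytes follow EOI and where a RAR signature sits in that trailer."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    rar_at = next((trailer.find(m) for m in (RAR5_MAGIC, RAR4_MAGIC) if m in trailer), None)
    return {"jpeg_bytes": end, "trailing_bytes": len(trailer), "rar_signature_at": rar_at}

# Constructed minimal JPEG: SOI, APP0, SOS, scan data with FF00 stuffing and an RST0, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
               + b"\xff\xd9")
# Constructed stand-in for secret.rar: signature plus filler, deliberately containing FF D9.
FAKE_ARCHIVE = RAR4_MAGIC + b"[constructed filler]" + b"\xff\xd9"
POLYGLOT = SAMPLE_JPEG + FAKE_ARCHIVE            # what COPY /b logo.jpg + secret.rar produces
```

On the polyglot the report shows 39 image bytes, 29 trailing bytes and a RAR signature at trailer offset 0, while the clean sample reports no trailer at all; any non-zero trailer on a file that claims to be a plain image is worth a closer look.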