Advanced NT Security Explorer 1.0
==================================

(c) 1998 Andy Malyshev, Elcom Ltd.

1. Overview
-----------

Advanced NT Security Explorer is an application for NT system administrators for finding holes in system security. It analyses user password hashes and tries to recover the plain-text passwords. If a password can be recovered in a reasonable time, it should be considered insecure, and it is time to change it. Unfortunately, some users like simple and easy-to-remember passwords.

This program is especially relevant for NT workstations, where users can access a hard drive from another computer on the network and copy the SAM registry key, where the password hashes are stored. Users can also sniff the network and recover a password hash from the sniffer results.

Advanced NT Security Explorer (ANTExp) will help you on your way to complete system security. In addition, ANTExp can be used for recovering lost passwords of particular users.

2. About Windows NT passwords
-----------------------------

Password hashes are stored in the system registry (in the SAM key). This key corresponds to the file named SAM, stored in the /winnt/system/config folder. By default, nobody has access to this registry key, but the system administrator can read it by setting the corresponding security properties. You can use the PWDUMP utility (included in the ANTExp distribution) for dumping password hashes from the registry.

Two password hashes are stored in the SAM database: a LAN Manager hash and a native Windows NT hash. In the first step, ANTExp recovers the LAN Manager password, because it is simpler and faster. Afterwards, it recovers the native NT password using the known LAN Manager password.

A LAN Manager password has the following restrictions:

- the password length may be from 1 to 14 symbols
- all Latin characters must be in uppercase (if they are not, they are converted to uppercase)

This significantly decreases the password recovery time.

3. Working with ANTExp
----------------------

3.1. Working with projects

3.1.1. Creating a project

First, you have to create a project. The project file contains all information about users, password hashes and recovered passwords. It is based on the password hashes dump file created by the PWDUMP utility; the project extension is ".nsp".

When the program starts, it automatically creates a new project. You can also create a project by pressing the "Create new project" button or selecting the "Project -> New" menu item.

3.1.2. Selecting a password hashes file

The next step is source file selection. Press the "Load password hashes file" button and select an appropriate file (which you have obtained using the PWDUMP utility, or from some other source).

Using PWDUMP is quite simple. Simply type "PWDUMP computername" or just "PWDUMP" -- it will dump the SAM key contents to the screen. If the "computername" parameter is specified, the remote registry is dumped. For dumping into a file (for use with ANTExp), type "PWDUMP > dump.txt" (redirection to a file), and the SAM key will be dumped to the "dump.txt" file, which you can use with ANTExp. Just note that the PWDUMP utility is a console application, so it should be executed from the command prompt window.

3.1.3. Selecting users

Each password hash file may contain the passwords of a number of users. Press the "Select Users" button or select the "Recovery -> Select users..." menu item to select the users whose password security you want to check; each selected user decreases the recovery speed, of course, so don't select all users if it is not required. The "Select All" button selects all users except those with void passwords. A user with a void password is a great hole in your system security, actually! The program will also display which users have passwords with a length from 1 to 7.

3.1.4. Saving your project

When the file is loaded and the users are selected, you can save your project. All the changes you made will be reflected in the project file.

When the file is loaded, the project name is selected automatically based on the name of the file; if you want to give it an alternative name, use the "Project -> Save as..." menu item. If you don't want to change the name, just use the "Save project" button or the "Project -> Save" menu item.

3.2. Project options

3.2.1. Selecting the type of attack

ANTExp currently supports two attack types: brute-force and dictionary. A brute-force attack tries all possible passwords in the specified range; a dictionary attack verifies the words stored in a dictionary file. A dictionary attack is faster, and we recommend running it first; only if it fails, perform a brute-force attack.

3.2.2. Selecting a password length

As noted above, the password length can be from 1 to 14 characters; you can set the minimum and maximum length in ANTExp. If the maximum length is greater than 7 symbols, the minimum length is required to be 1; otherwise, it will be corrected during recovery.

3.2.3. Selecting a brute-force range

In Windows NT, passwords may contain the following characters: Latin letters, digits, special symbols and national language symbols. You can select these ranges separately, or define your own password range. To define your own range, check the "Custom" box, press the "Define" button, and enter all characters you think the password may consist of.

The "Start from password" field is used for continuing an interrupted recovery. Don't change this field if you stopped the recovery process and want to continue it from the same point; clear it only if you want to start the recovery from the beginning. This option is also useful when you know the first few characters (or even one) of the password -- you can reduce the number of passwords to verify by typing an appropriate initial password.

3.2.4. Selecting a dictionary file

If you want to perform a dictionary attack, just select a dictionary file. Press the "Select dictionary file" button to pick the file name from the list.

3.2.5. Selecting priority

You can select the application priority; this is useful when you work on a machine with many other applications running.

3.2.6. Auto Save Project

You can enable auto-saving of your project file. Check the appropriate box and enter the interval between saves.

3.3. Recovery process

After creating the project and selecting all the options, you are ready to start the recovery process: press the "Start recovery" button. The program will start to verify the passwords. You can stop the program at any time and later resume the process from the same point.

3.4. Status window

All program steps and results are displayed in the Status Window. The contents of the Status Window are also saved to the "antexp.log" file for future analysis.

4. System requirements
----------------------

- A Pentium or higher CPU
- Windows 95, Windows 98 or Windows NT operating system (note that the PWDUMP utility works under Windows NT only)
- About 1 megabyte available on the hard drive

5. Future enhancements
----------------------

- internal PWDUMP utility
- SAM file processing
- SMP multiprocessor support
- network recovery
- speed improvements

6. Contact information
----------------------

Send your suggestions and bug reports to support@elcomsoft.com. The most current version of ANTExp is always available at http://www.elcomsoft.com/antexp.html.
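The two things ANTExp reports when you select users (section 3.1.3), void passwords and passwords of 1 to 7 characters, can be read straight from a PWDUMP dump, because the LAN Manager hash is built from two independent 7-character halves, so a short password leaves the second half equal to the hash of an empty half. The audit script below is an added example, not ANTExp or Elcom code; it assumes the classic PWDUMP line layout (user:RID:LM hash:NT hash:comment:home dir:) and uses constructed sample hashes.

```python
# Added example (not part of ANTExp): audit a PWDUMP-format dump for the
# conditions ANTExp's user list reports, without recovering any password.
#
# Assumed PWDUMP line layout (classic pwdump format):
#   username:RID:LM_hash:NT_hash:comment:home_dir:
# The LM hash is two independent DES results over the 7-char halves of the
# uppercased password, so a password of 1-7 characters has a second half
# equal to the well-known hash of an empty half.

EMPTY_LM_HALF = "AAD3B435B51404EE"              # LM hash of an empty 7-char half
EMPTY_LM = EMPTY_LM_HALF * 2                    # LM hash of an empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of an empty password


def parse_pwdump_line(line):
    """Return (user, lm_hash, nt_hash) with hashes upper-cased, or None."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[0]:
        return None
    return parts[0], parts[2].upper(), parts[3].upper()


def classify(lm_hash, nt_hash):
    """Classify an account the way ANTExp's 'Select users' list does."""
    if nt_hash == EMPTY_NT:
        return "void password"
    if lm_hash == EMPTY_LM:
        # NT stores no LM hash for passwords longer than 14 characters.
        return "no LM hash: password longer than 14 characters"
    if lm_hash.endswith(EMPTY_LM_HALF):
        return "password length 1-7"
    return "password length 8-14"


def audit_dump(text):
    """Map each user in a PWDUMP dump to its classification."""
    result = {}
    for line in text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed:
            user, lm, nt = parsed
            result[user] = classify(lm, nt)
    return result


# Constructed sample dump: only the empty-password hashes are real values.
SAMPLE_DUMP = """\
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
bob:1002:0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF:::
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
"""

if __name__ == "__main__":
    for user, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {verdict}")
```

Accounts flagged "void password" or "password length 1-7" are the ones ANTExp singles out; the second group is recoverable with a brute-force range of at most 7 characters.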