System Hacking - Security Accounts Manager


The Security Accounts Manager (SAM) is a database inside the Windows operating system that stores security principals: accounts, or any entity that can be authenticated. In Windows these principals can be stored locally in this database. Credentials, passwords and other account information are stored there, with the passwords kept in a hashed format. While Windows is running, the operating system holds a lock on this file so that no application or process can access it except those running as the System user. This follows from the principle that every operating system has to be able to boot, run, shut down and crash securely. While the system is running, a copy of the SAM database also resides in memory and can be accessed with the right tool. Sometimes a copy of the SAM database is kept in a backup for later recovery; even though it may not contain all recent passwords, it can be accessed without any special tools. It is also possible to access the SAM database by booting the computer holding the Windows installation into a live Linux distribution, because that prevents Windows from locking the file.

To improve security, Microsoft added some features designed to preserve the integrity of the information stored in the database. One feature, known as the SYSKEY, was added to strengthen the existing security of the SAM. The SYSKEY is nothing more than a fancy name for an encryption key that is used to partially encrypt the SAM and protect the information stored within.

How Passwords Are Stored Within The SAM
In Windows XP and later Microsoft operating systems, passwords are stored in a hashed format using the NT LAN Manager (NTLM) and sometimes the LAN Manager (LM) hashing mechanisms. The hashes are stored in "C:\Windows\System32\config\SAM", and the SYSTEM file containing the SYSKEY is located in the same folder. Even though this location is also locked while the operating system is running, the SAM file is mounted into the Registry database under "HKEY_LOCAL_MACHINE\SAM".

An account in the SAM database looks like this:
bill:3A260B96675C0E6FAAD3B435B51404EE:75BFBE346A8D3E3FC05B890266D9E498:::
The first hash for this user is the LM hash and the second is the NTLM hash of the same password. Modern versions of Windows no longer store the LM hash, as it is no longer considered secure.
LM also has issues storing passwords longer than 14 characters. If the LM hash of a password of 7 characters or less is stored, the right-most part of the hash is always the same, giving away the fact that the password is at most 7 characters long. This makes a brute-force attack worth the time.
    Certified Security Geek
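As an added example (not from the original post), here is a small Python audit script that reads entries in the layout shown above, and also pwdump's user:RID:LM:NT::: layout, and flags what each entry's hashes give away: whether a legacy LM hash is still stored, whether its fixed right half reveals a password of 7 characters or less, and whether the NT hash is that of a blank password. The two constants are the well-known empty-string LM half and NT hash; the sample lines other than bill's are constructed.

```python
import re
from dataclasses import dataclass

# Well-known constants: each LM half is DES of a fixed plaintext keyed by up
# to 7 password characters, so a missing half always encrypts to this value.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2                    # LM hash of the empty password
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash (MD4 of UTF-16LE "") of the empty password
HEX32 = re.compile(r"^[0-9A-F]{32}$")

@dataclass
class SamFinding:
    user: str
    lm_stored: bool       # a real LM hash is present: legacy LM storage is still enabled
    short_password: bool  # right half is the empty-half constant: password is 7 chars or less
    blank_password: bool  # NT hash is the empty-string hash

def parse_sam_line(line: str) -> SamFinding:
    """Parse one user:LM:NT::: line (or pwdump's user:RID:LM:NT:::) and report
    what its hashes reveal."""
    fields = line.strip().split(":")
    hashes = [f.upper() for f in fields[1:] if HEX32.match(f.upper())]
    if len(hashes) != 2:
        raise ValueError(f"expected an LM and an NT hash in: {line!r}")
    lm, nt = hashes
    return SamFinding(
        user=fields[0],
        lm_stored=lm != LM_EMPTY,
        short_password=lm != LM_EMPTY and lm[16:] == LM_EMPTY_HALF,
        blank_password=nt == NT_EMPTY,
    )

def audit(dump: str) -> list:
    """Audit every non-empty line of a dump."""
    return [parse_sam_line(l) for l in dump.splitlines() if l.strip()]

# Constructed sample: bill's line is the entry quoted in the post; the guest
# and alice lines are made up to exercise the other cases.
SAMPLE = """\
bill:3A260B96675C0E6FAAD3B435B51404EE:75BFBE346A8D3E3FC05B890266D9E498:::
guest:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a real dump, any entry with lm_stored set marks a host where LM hash storage has not been disabled, and short_password entries are the ones the post's brute-force observation applies to.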