views: 93
answers: 4

Hi,

Is there a way to get the hashed value of Windows password for a specific local user? Which Win32 API would that be? I don't want to know what the actual password is, just the hash value of the password.

I'd like to be able to tell which workstations/servers don't have the same password for a specific user.

Please advise, thanks.

A: 

The Windows password file is locked while the operating system is running and is not easily accessible. The easiest workaround is to boot to a CD or a USB device and run a password file extraction tool such as might be found at the Openwall project.

andand
A: 

Cain and Abel can do this.

Billy ONeal
A: 

If all workstations are in the domain, the passwords should be synced up automatically. If not, you probably can try opening a connection with a specific user and password and check if the connection can be opened. If it can, the password is correct for that machine; if not, the password is not correct.

rgunawan
To be pedantic: Passwords aren't actually synced. It's just that the Domain Controller is asked when someone attempts to log on to the system.
Billy ONeal
They are synced in some manner. You can still log into a workstation even if there is no network connection, as long as you've successfully logged in while connected once. Read: laptops.
Cogwheel - Matthew Orlando
+1
A: 

I haven't tried this technique recently, so I'm not sure it still works, but at one time it definitely did, and I'd guess it probably still does.

Call NetUserChangePassword for that user's account on each of the target computers, but do it from an account that does not have the right to change that user's password (e.g., another normal user account). When you call this, you have to pass (among other things) the user's old password. Since you're calling it from an account that isn't allowed to change that user's password, this call will always fail.

What you're interested in is the error code when it fails. If what you passed as the old password is recognized by the system (i.e., is the correct password for the account), the call will fail with ERROR_ACCESS_DENIED. If the password you pass is incorrect (i.e., not recognized for that account), it'll fail with ERROR_INVALID_PASSWORD.

Jerry Coffin
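The error-code check described in the answer above, written out as an added PowerShell example that is not part of the original post. It assumes the NetUserChangePassword P/Invoke signature from netapi32.dll, that passing the computer name as the `domainname` argument targets that machine's local SAM, and that the caller is a normal account without the right to change the audited user's password; host names, user name and password are placeholders you supply.

```powershell
# Added example: classify the result of NetUserChangePassword the way the
# answer describes (ERROR_ACCESS_DENIED = password accepted, ERROR_INVALID_PASSWORD
# = password rejected). Not code from the original post.
Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@

function Test-LocalPasswordMatch {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $KnownPassword
    )
    # Assumption: the computer name as domainname targets that host's local accounts.
    # The known password is passed as both old and new, so that if the caller turns
    # out to have change rights after all, the account keeps the same password
    # (a password-history policy on the target may still reject the reuse).
    $status = [Win32.NetApi]::NetUserChangePassword(
        $ComputerName, $UserName, $KnownPassword, $KnownPassword)
    switch ($status) {
        5       { 'Match' }        # ERROR_ACCESS_DENIED: old password was accepted
        86      { 'Mismatch' }     # ERROR_INVALID_PASSWORD: old password was rejected
        0       { 'Match (caller had change rights; password was re-set to the same value)' }
        2221    { 'NoSuchUser' }   # NERR_UserNotFound
        default { "Unknown (NET_API_STATUS $status)" }
    }
}

# Constructed sample usage; host names are placeholders. Each 'Mismatch' is a
# failed authentication on the target: expect it to count against lockout
# thresholds and to appear in that machine's security log.
$cred  = Get-Credential -Message 'Local account and the password it should have'
$plain = $cred.GetNetworkCredential().Password
foreach ($h in @('WS01', 'WS02')) {
    $result = Test-LocalPasswordMatch -ComputerName $h -UserName $cred.UserName -KnownPassword $plain
    '{0}: {1}' -f $h, $result
}
```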