Encrypting HKLM\SAM with SYSKEY
Like Unix, Windows 2000 and NT don’t directly store user or machine passwords. Instead, they pass each password through a scheme called a one-way function, or OWF. The OWF takes a password in and generates a new block of data that is related to, but doesn’t contain, the password. The “OW” in OWF comes from the fact that it isn’t feasible to take the output of the OWF and “go backwards” to derive the original password. The output of the OWF is called a password hash. NT stores the password hash instead of the password, so someone who steals the hash doesn’t thereby learn the password. Windows 2000 also stores hashed passwords for local user and computer accounts; for backward compatibility with older Win9x and NT clients, it keeps the weaker LAN Manager (LM) hash alongside the NT hash.
In the spring of 1997, an enterprising group of hackers from L0pht Heavy Industries (http://www.l0pht.com) publicized the fact that it was possible to get the password hashes from a SAM database (or by sniffing them over the network) and feed them to a password-cracking tool. Attacks of this type had been known for many years in the Unix community, but their appearance in the Windows NT world generated a lot of headlines. In practical terms, the risk was significant: even though only administrators have access to the SAM to get the OWF’ed passwords in the first place, the hashes could be recovered from backup tapes or Emergency Repair Disks (ERDs), and they could be sniffed off the network.
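To make the two preceding paragraphs concrete, here is an added example (not code from the original text) of the NT one-way function and of what a cracking tool does with its output. The NT hash is MD4 over the UTF-16LE encoding of the password, with no salt; MD4 is written out in pure Python here because current OpenSSL builds ship it only as a "legacy" algorithm. The pwdump-style SAM dump, the account names and the word list are constructed for the demo, the LM hash (which is DES-based) is not computed, and the helper names `nt_hash`, `parse_pwdump` and `crack` are this example's own.

```python
"""
Added example: the NT OWF (MD4 over UTF-16LE) and a dictionary attack on
its unsalted output. Sample dump and word list are constructed, not real.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (the OWF behind the NT hash)."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_order = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step updates one word, then the roles rotate (ABCD -> DABC ...)
        for i in range(16):
            a = _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + G(b, c, d) + X[r2_order[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]

    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT OWF: MD4 of the password encoded as UTF-16LE. No salt is involved."""
    return md4(password.encode("utf-16-le"))


def parse_pwdump(dump: str) -> dict:
    """Parse pwdump-format lines (user:RID:LM hash:NT hash:::) into {user: nt_hash_hex}."""
    accounts = {}
    for line in dump.strip().splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        accounts[parts[0]] = parts[3].lower()
    return accounts


def crack(accounts: dict, wordlist) -> dict:
    """Dictionary attack: the OWF cannot be reversed, so hash each candidate and
    compare. Because the hashes are unsalted, one hash computation per word
    tests every account in the dump at once."""
    lookup = {nt_hash(w).hex(): w for w in wordlist}
    return {user: lookup[h] for user, h in accounts.items() if h in lookup}


# Constructed sample dump (NOT from a real system). The LM field holds the
# LM hash of an empty password; 'svc_backup' has a made-up NT hash that no
# word in the list will match.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["", "letmein", "password", "Password1"]

if __name__ == "__main__":
    for user, pw in crack(parse_pwdump(SAMPLE_DUMP), WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Run as-is, the script recovers the Administrator and Guest passwords from the constructed dump and leaves `svc_backup` alone, which is exactly the asymmetry the paragraph above describes: nobody can invert the OWF, but anyone holding the hash can test guesses against it offline at full speed, and the lack of a salt means a single pass over the word list covers every account in the dump.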
Accordingly, Microsoft ...