samdump2

To extract password hashes from the Security Accounts Manager (SAM) registry hive of Windows NT/2000/XP/Vista, you can use samdump2 (http://sourceforge.net/projects/ophcrack/files/samdump2/). samdump2 reads the System Key (SysKey) out of the SYSTEM hive itself, so you don't have to supply it by hand before it can decrypt the hashes. The SysKey is the key used to encrypt the password hashes stored in the SAM hive. It was introduced in Windows NT 4.0 Service Pack 3 and is always enabled from Windows 2000 onward.

To start samdump2, use the console to execute the following command:

    # samdump2  

This will display simple usage instructions on your screen.

There are several ways to get the Windows password hash:

  • The first method is to run samdump2 against the Windows SYSTEM and SAM hive files. On the Windows system they live in C:\Windows\System32\config (as SYSTEM and SAM). Windows keeps these files open and locked while it is running, so no account can simply copy them. To get around this, boot a Linux live CD such as Kali Linux, mount the disk partition that holds the Windows installation, and copy the SYSTEM and SAM files to your Kali machine.
  • The second method is to run pwdump, or one of its related variants, on the Windows machine itself to produce the password hash file.
  • The third method is the hashdump command in Meterpreter, shown in the previous chapter. To use it you first need to exploit the system and obtain a Meterpreter session.

For our exercise, we are going to dump the Windows XP SP3 password hashes. We assume that you already have the SYSTEM and SAM hive files and have stored them in your home directory as system and sam.

The following command is used to dump the password hash using samdump2:

    # samdump2 system sam -o test-sam

The output is saved to the test-sam file, in the pwdump format of username:RID:LM hash:NT hash:::. The following is the test-sam file content:

Administrator:500:e52cac67419a9a22c295285c92cd06b4:b2641aea8eb4c00ede89cd2b7c78f6fb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:383b9c42d9d1900952ec0055e5b8eb7b:0b742054bda1d884809e12b10982360b:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:a1d6e496780585e33a9ddd414755019a:::
tedi:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Two values are worth recognizing on sight before you start cracking: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account, and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Guest and tedi above have blank passwords. Accounts that do carry an LM hash (Administrator and HelpAssistant here) are the quickest to crack, because LM is case-insensitive and split into two independent 7-character halves. You can then feed the test-sam file to a password cracker such as John the Ripper or Ophcrack.
