Penetration Testing mailing list archives
Re: Offline sam dump?
From: "Kenzo" <kenzo_chin () hotmail com>
Date: Fri, 30 Jan 2004 09:18:39 -0600
Have you tried to boot using a regular DOS boot disk, then use DOS NTFS, then copy the SAM file to a floppy? This should work on Win2k and WinXP.

----- Original Message -----
From: "Nicola Cuomo" <ncuomo () studenti unina it>
To: "Mark Melonson" <markmelonson () hotmail com>
Cc: <pen-test () securityfocus com>
Sent: Thursday, January 29, 2004 6:43 AM
Subject: Re: Offline sam dump?

Hi,

since the machines you are pen-testing are Win2k and WinXP boxes you cannot use SAMDUMP to dump the SAM (since syskey is enabled), however look here:

http://studenti.unina.it/~ncuomo/syskey/

There is a tool to dump the password hashes from the SAM database when syskey is enabled. I've never tested it on WinXP but I think it should work (sources are also available so you can modify/fix it). There is also a document that describes how it works and how to use the tool.

----from syskey.txt---
0) Boot using another OS (maybe Linux or DOS)
1) Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
2) Recover the syskey bootkey from the SYSTEM hive using Bkhive (or Bkreg on pre Sp4 system)
3) Dump the password hashes using SAMDUMP2
4) Crack them offline using his favorite cracking tool
---------------------

Hope this helps.

Bye, bye

--
Nicola mailto:ncuomo () studenti unina it
Current thread:
- Offline sam dump? Mark Melonson (Jan 28)
- Re: Offline sam dump? Nicola Cuomo (Jan 29)
- Re: Offline sam dump? Kenzo (Jan 30)
- <Possible follow-ups>
- Re: Offline sam dump? Erik Birkholz (Jan 29)
- Re: Offline sam dump? Erik Birkholz (Jan 29)
- Re: Offline sam dump? Nicola Cuomo (Jan 29)