Re: Offline sam dump?

["Kenzo" <kenzo_chin () hotmail com>]

Have you tried to boot using regular DOS boot disk, than use DOS NTFS, then
copy the sam file to floppy.  This should works on win2k and winXP.


----- Original Message ----- 
From: "Nicola Cuomo" <ncuomo () studenti unina it>
To: "Mark Melonson" <markmelonson () hotmail com>
Cc: <pen-test () securityfocus com>
Sent: Thursday, January 29, 2004 6:43 AM
Subject: Re: Offline sam dump?


> Hi,  since the machine you are pen-testing are Win2k and WinXp box you
> cannot  use SAMDUMP to dump the SAM (since syskey is enabled), however
> look here:
>
> http://studenti.unina.it/~ncuomo/syskey/
>
> there  is  a tool to dump the password hash from the SAM database when
> syskey is enabled.
>
> I've  never tested it on WinXp but i think it should work (sources are
> also available so you can modify/fix it).
>
> There  is also a document that describe how it work and how to use the
> tool
>
> ----from syskey.txt---
> 0)  Boot using another OS (maybe Linux or DOS)
> 1)  Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
> 2)  Recover  the  syskey bootkey from the SYSTEM hive using Bkhive (or
>     Bkreg on pre Sp4 system)
> 3)  Dump the password hashes using SAMDUMP2
> 4)  Crack them offline using his favorite cracking tool
> ---------------------
>
> Hope this help.
>
> Bye, bye
> -- 
>  Nicola                            mailto:ncuomo () studenti unina it
>
>
>
>
>
>
> -- 
>  Nicola                            mailto:ncuomo () studenti unina it
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------