Penetration Testing mailing list archives

Re: Offline sam dump?
From: Nicola Cuomo <ncuomo () studenti unina it>
Date: Thu, 29 Jan 2004 13:43:44 +0100

Hi, since the machines you are pen-testing are Win2k and WinXP boxes you
cannot use SAMDUMP to dump the SAM (since syskey is enabled), however
look here:


there is a tool to dump the password hash from the SAM database when
syskey is enabled.

I've never tested it on WinXP but I think it should work (sources are
also available so you can modify/fix it).

There is also a document that describes how it works and how to use the

----from syskey.txt---
0)  Boot using another OS (maybe Linux or DOS)
1)  Steal the SAM and SYSTEM hives (from %WINDIR%\System32\config)
2)  Recover the syskey bootkey from the SYSTEM hive using Bkhive (or
    Bkreg on pre-SP4 systems)
3)  Dump the password hashes using SAMDUMP2
4)  Crack them offline using your favorite cracking tool

Hope this helps.

Bye, bye
 Nicola                            mailto:ncuomo () studenti unina it
