Find Window password hashes from SAM database

What is Password Hashes and SAM Database?

SAM is stand for Security Account Manager. SAM database is a part of  windows Operating system consist user name and password in encrypted format called password hashes. SAM file is exist under C:/Windows/System32/config in Window 7/8/8.1/10. If User want to logon on the machine, user name and password should be match for authentication entered by user. If user put wrong username and password, authentication being failed. The encryption algorithm is NTLM2 used. The main purpose of SAM to save the computer and data by unauthorized person like hacker’s. But it is not completely work against a professional hacker. Here I am going to show you how hacker dump these encrypted password hashes from database and find out the password by cracking these hashes.

Boot Window machine with Kali Linux?

As I know you are learner here, so you have two option to make exercise on this topic. First create and install window (xp/7/8/8.1/10) machine on Virtual box, it is pretty easy and no harm for base computer. Another method is Do practice on base machine installed window OS already, in this condition you have to boot window machine by Kali Linux live Persistent DVD/Flash Drive.

When penetester boots Window machine with Kali Linux live then can use window file system without any interruption, As described above SAM are saved in the location C:/Windows/system32/config.  So we have main task to go to this location and find out the SAM database. After booting system with Kali Linux you should follow the given instruction to find out the password.

Step1: First step mount the window system partition

click on Place> Filesystem.

Mount window partitoin on Kali Linux

When you clicked on file system window partition will be mounted automatically on /media directory. Open the terminal and type following command to reach in location where SAM database saved.

#cd /media/Mounting Point value/Windows/System32/config

In above mounting value will be changed according the system you can see this value by executing following command

#ls /media

Step2: Relieve bootkey.

#bkhive SYSTEM /root/Desktop/system.txt
bkhive and bootkey

System.txt is a file where bootkey is stored and /root/Desktop is location to save system.txt file.

Step 3: Dump the password hashes

Password hashes is retrieved with combination of bootkey and SAM database, This process is completed with the help of samdump2 utility found in kali linux by default. Command is giving following

#samdump2 SAM /root/Desktop/system.txt > /root/Desktop/hashes.txt
samdump2 to get administrator password hashes

In implemented command SAM database and system.txt filed has been merged and created new file name hashes.txt. To see the password hashes dumped into hashes.txt file use given command

#cat /root/Desktop/hashes.txt

Change directory to /root/Desktop by using following command

#cd /root/Desktop

Step 4: John the Ripper a password cracking tool

After reaching the directory to crack hashes use excute john by given command

#john –formate=nt2 –users=vijay hashes.txt

john and ripper example to crack the password hashes

Leave a Reply

Your email address will not be published. Required fields are marked *