What is Password Hashes and SAM Database?
SAM is stand for Security Account Manager. SAM database is a part of windows Operating system consist user name and password in encrypted format called password hashes. SAM file is exist under C:/Windows/System32/config in Window 7/8/8.1/10. If User want to logon on the machine, user name and password should be match for authentication entered by user. If user put wrong username and password, authentication being failed. The encryption algorithm is NTLM2 used. The main purpose of SAM to save the computer and data by unauthorized person like hacker’s. But it is not completely work against a professional hacker. Here I am going to show you how hacker dump these encrypted password hashes from database and find out the password by cracking these hashes.
Boot Window machine with Kali Linux?
As I know you are learner here, so you have two option to make exercise on this topic. First create and install window (xp/7/8/8.1/10) machine on Virtual box, it is pretty easy and no harm for base computer. Another method is Do practice on base machine installed window OS already, in this condition you have to boot window machine by Kali Linux live Persistent DVD/Flash Drive.
When penetester boots Window machine with Kali Linux live then can use window file system without any interruption, As described above SAM are saved in the location C:/Windows/system32/config. So we have main task to go to this location and find out the SAM database. After booting system with Kali Linux you should follow the given instruction to find out the password.
Step1: First step mount the window system partition
click on Place> Filesystem.
When you clicked on file system window partition will be mounted automatically on /media directory. Open the terminal and type following command to reach in location where SAM database saved.
#cd /media/Mounting Point value/Windows/System32/config
In above mounting value will be changed according the system you can see this value by executing following command
Step2: Relieve bootkey.
#bkhive SYSTEM /root/Desktop/system.txt
System.txt is a file where bootkey is stored and /root/Desktop is location to save system.txt file.
Step 3: Dump the password hashes
Password hashes is retrieved with combination of bootkey and SAM database, This process is completed with the help of samdump2 utility found in kali linux by default. Command is giving following
#samdump2 SAM /root/Desktop/system.txt > /root/Desktop/hashes.txt
In implemented command SAM database and system.txt filed has been merged and created new file name hashes.txt. To see the password hashes dumped into hashes.txt file use given command
Change directory to /root/Desktop by using following command
Step 4: John the Ripper a password cracking tool
After reaching the directory to crack hashes use excute john by given command
#john –formate=nt2 –users=vijay hashes.txt