Using samdump2
In Penetration Testing, Weidman walks you through pulling
hashes from the Security Account Manager (SAM) database on
a Windows machine. SysKey is the Microsoft utility that
encrypts the SAM database. SysKey uses the bootkey for
encryption, which is actually an amalgamation of four separate
keys contained in hidden fields within the registry. Luckily there
are some tools that do the hard work of extracting the key for
us.
In the text, bkhive is used to extract the key and then
samdump2 is used to decrypt the SAM database and reveal the
password hashes. The hashes must then be cracked using John
the Ripper or another similar hash cracking tool.
When walking through the scenario in the text, there are a few
issues. First, bkhive is no longer pre-installed on Kali. It isn’t
necessary for it to be installed, as samdump2 can perform both
functions, but the syntax is not readily apparent and searching
on the Internet yields a lot of outdated information on using
bkhive in conjunction with samdump2. Previously, bkhive was the
tool that extracted the bootkey from the SYSTEM hive, and samdump2
then took that key and decrypted the SAM file, giving you the
password hashes and the accounts they belong to. There are two
ways to get this working again: install older versions of bkhive
and samdump2 and use those, or use the current samdump2 for both
functions.
First, we’ll install the old versions. This is a bad way to do
things, but doing this will allow you to follow the example in the
text as written. This took longer to figure out than I care to
admit.
The Kali repositories do list bkhive, but installing it from the
repo does not give you a usable application: the package only
creates directories under /usr/share and places documentation in
them. Older versions of the software are still maintained online
and can be downloaded directly:
wget http://http.us.debian.org/debian/pool/main/b/bkhive/bkhive_1.1.1-1_amd64.deb
apt-get install libssl-dev
dpkg -i bkhive_1.1.1-1_amd64.deb
Now you have a version of bkhive that works with the steps and
syntax in the text. But the installed version of samdump2 still
won't accept the extracted key as input; it expects the SYSTEM
hive itself.
So to roll back the version of samdump2, first we have to install
libssl1.0.0:
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb
Now install the old version of samdump2:
wget http://http.us.debian.org/debian/pool/main/s/samdump2/samdump2_1.1.1-1.1_amd64.deb
dpkg -i samdump2_1.1.1-1.1_amd64.deb
And now we follow the example in the text:
The simpler, and definitely preferable, alternative is just to use
samdump2 for both key extraction and for pulling the hashes
out of the SAM database. The syntax is pretty simple:
samdump2 SYSTEM SAM > hashes.txt
This command takes the SYSTEM hive (from which the bootkey is
extracted) and the SAM hive, extracts the key, decrypts the SAM
database, and writes the results to hashes.txt. Debugging options
are listed in the command help if you need them. Simple enough!
Using either method, you now have hashes ready to be cracked.
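Before the dump goes anywhere near a cracker, it is worth auditing what samdump2 actually wrote out. The helper below is an added example, not code from the original post or from the samdump2 project; it assumes the usual pwdump-style line layout (user:rid:lmhash:nthash:::) and runs over constructed sample lines rather than a real dump. It flags two findings a defender cares about: accounts that still have an LM hash stored (LM hashing has not been disabled on the machine) and accounts whose NT hash is the well-known empty-password value.

```python
"""Audit helper for pwdump-style output such as samdump2 writes.

Added example, not from the original post or the samdump2 project.
Assumes the usual  user:rid:lmhash:nthash:::  line layout and uses
constructed sample lines; the NT hash values below are placeholders.
"""
import re
from typing import Dict, List, Optional

# Well-known hash values for an empty LM password and an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One account per line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for one pwdump line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "user": m["user"],
        "rid": int(m["rid"]),
        "lm": m["lm"].lower(),
        "nt": m["nt"].lower(),
    }


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line and attach hygiene findings to each account record.

    Lines that are not account records (blank lines, banners, comments)
    are skipped rather than treated as errors.
    """
    records: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings: List[str] = []
        if rec["lm"] != EMPTY_LM:
            findings.append("LM hash stored (LM hashing not disabled)")
        if rec["nt"] == EMPTY_NT:
            findings.append("empty password")
        rec["findings"] = findings
        records.append(rec)
    return records


# Constructed sample dump: the non-empty hash values are placeholders,
# not hashes of any real password.
SAMPLE_DUMP = [
    "# constructed sample, not a real hash dump",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::",
    "",
]


def report(lines: List[str]) -> List[str]:
    """Human-readable summary, one line per account with findings."""
    out = []
    for rec in audit(lines):
        if rec["findings"]:
            out.append(f"{rec['user']} (RID {rec['rid']}): " + "; ".join(rec["findings"]))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

Run it against hashes.txt by reading the file into a list of lines and passing it to report(). Any account that appears with "LM hash stored" is a sign the host still keeps the far weaker LM hash, which is the first thing to fix on the Windows side regardless of how strong the passwords are.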
https://traviswhitney.com/2016/12/30/using-samdump2/