November 25th, 2004, 02:00 PM
Where is SAM?
Dear Buddies, I want to know where the actual location of the Windows NT SAM is, from where PWDump-like tools dump these password hashes.
I have tried "%systemroot%\repair\sam" and "%systemroot%\system32\config\sam" but none of it dumped the correct hashes.
I took my SAM from the *config* folder with the help of NTFSDOS and exported it to LC5, and at the same time I imported the password hashes with the help of LC5 itself. Now the earlier hashes were different from the latter. What's this? Can you please help me to get the original SAM?
November 25th, 2004, 02:10 PM
It should be under %systemroot%\system32\config\sam. You might want to look at Cain and Abel and pull it from the Hive. I suspect the SAM file itself only gets updated during a reboot/shutdown.
November 25th, 2004, 02:17 PM
If you mean this pwdump:
* Program to dump the Lanman and NT MD4 Hashed passwords from
* an NT SAM database into a Samba smbpasswd file. Needs Administrator
* privileges to run.
* Takes one arg - the name of the machine whose SAM database you
* wish to dump, if this arg is not given it dumps the local machine
* account database.
Experience is something you don't get until just after you need it.
November 25th, 2004, 02:25 PM
This didn't solve my problem.
Just tell me: is the file located at "%systemroot%\system32\config\sam" the file which PWDump, Cain and Abel, LC5, etc. use to dump the password hashes?
November 25th, 2004, 02:35 PM
The reason why the hashes are different if you're getting them from the raw SAM file, not through pwdump/cain, etc., is because they are syskey encrypted.
November 25th, 2004, 02:38 PM
Didn't I just say that? The file you are looking for is called SAM and it's under %systemroot%\system32\config. However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry. But as Sir Dice pointed out, if you aren't admin, you probably won't be able to access that.
November 29th, 2004, 01:55 PM
Thanks for your helpful replies. But you buddies have created a new question in my mind.
Can we extract the password hashes from *Registry Hive*?
I would really appreciate it if you would answer this question.
"However, it may not be updated immediately and a tool that can access information kept in the Registry Hive might be more current, hence the possibility of using something that accesses the registry."
November 29th, 2004, 02:01 PM
Yes. As I pointed out, download a tool like Cain and Abel or SamInside. Both of those will pull it out of the Registry Hive or rather from its location when stored in memory (LSA Secret -- might want to look for LSADump2, which should do the same thing).
November 29th, 2004, 02:09 PM
Oh dear, how can I use 'Cain and Abel' or 'SamInside' when I am trying to get the password file through NTFSDOS? And please tell me, are these password hashes pre-syskey encrypted?
November 29th, 2004, 06:15 PM
Should have mentioned that at the start. Use the reg command. More details here. I suspect reg query <hive> is what you want to use.