Using samdump2

In Penetration Testing, Weidman walks you through pulling hashes from the Security Account Manager (SAM) database on a Windows machine. SysKey is the Microsoft utility that encrypts the SAM database. SysKey encrypts with the bootkey, which is actually an amalgamation of four separate keys contained in hidden fields within the registry. Luckily there are some tools that do the hard work of extracting the key for us.

In the text, bkhive is used to extract the key and then samdump2 is used to decrypt the SAM database and reveal the password hashes. The hashes must then be cracked using John the Ripper or another similar hash cracking tool.

When walking through the scenario in the text, there are a few issues. First, bkhive is no longer pre-installed on Kali. It isn’t necessary for it to be installed, as samdump2 can perform both functions, but the syntax is not readily apparent and searching on the Internet yields a lot of outdated information on using bkhive in conjunction with samdump2. Previously, bkhive extracted the key from the SYSTEM hive, and samdump2 took that key and decrypted the SAM file, giving you the password hashes and associated accounts for the machine. There are two solutions to get this working again: install older versions of bkhive and samdump2 and use those, or use samdump2 for both functions.

First, we’ll install the old versions. This is a bad way to do things, but doing this will allow you to follow the example in the text as written. This took longer to figure out than I care to admit.

The Kali repositories have bkhive available; however, installing from the repo does not give you a usable application. Instead, it builds out directories in /usr/share and places documentation in them. Older versions of the software are maintained online and can be downloaded:

wget http://http.us.debian.org/debian/pool/main/b/bkhive/bkhive_1.1.1-1_amd64.deb

apt-get install libssl-dev

dpkg -i bkhive_1.1.1-1_amd64.deb

Now you have a version of bkhive that will work with the steps and syntax in the text. But the installed version of samdump2 still won’t accept the key as input; it is looking for the SYSTEM hive.

So to roll back the version of samdump2, first we have to install libssl1.0.0:

wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb

dpkg -i libssl1.0.0_1.0.1t-1+deb8u5_amd64.deb

Now install the old version of samdump2:

wget http://http.us.debian.org/debian/pool/main/s/samdump2/samdump2_1.1.1-1.1_amd64.deb

dpkg -i samdump2_1.1.1-1.1_amd64.deb

And now we follow the example in the text:

The simpler, and definitely preferable, alternative is just to use samdump2 for both key extraction and for pulling the hashes out of the SAM database. The syntax is pretty simple:

samdump2 SYSTEM SAM > hashes.txt

This command takes the location of the SYSTEM hive (from which the key is extracted) and the location of the SAM database, extracts the key, decrypts the SAM database, and writes the results to hashes.txt. There are options for debugging if needed, available in the command help. Simple enough! Now using either method you have hashes ready to be cracked.
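
Before handing hashes.txt to a cracker, it is worth seeing what the file already gives away without any cracking. The script below is an added example, not part of the original post or of samdump2. It assumes the output uses the user:RID:LM:NT::: layout and that disabled accounts carry a "*disabled* " name prefix. The function names and the sample accounts are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit samdump2 output.
# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the user:RID:LM:NT::: layout; hash values are
# placeholders, not real hashes (apart from the two empty-password constants).
sample_hashes() {
    cat <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:22222222222222222222222222222222:33333333333333333333333333333333:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
EOF
}

# audit_hashes FILE ("-" reads stdin): prints "account<TAB>finding" lines.
audit_hashes() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
    NF >= 4 {
        user = $1; lm = tolower($3); nt = tolower($4)
        # Assumption: disabled accounts carry a "*disabled* " name prefix.
        state = sub(/^\*disabled\* /, "", user) ? " (disabled)" : ""
        if (length(lm) != 32 || length(nt) != 32 || (lm nt) ~ /[^0-9a-f]/) {
            printf "%s\tmalformed hash on line %d\n", user, NR
            next
        }
        # A real LM hash is stored: weak legacy format, should be disabled.
        if (lm != elm) printf "%s\tLM hash stored%s\n", user, state
        # Identical NT hashes mean identical passwords (no per-user salt).
        if (nt == ent) printf "%s\tblank password%s\n", user, state
        else if (nt in seen) printf "%s\tshares password with %s\n", user, seen[nt]
        else seen[nt] = user
    }' "$1"
}

sample_hashes | audit_hashes -
```

Run against a real dump with audit_hashes hashes.txt; each finding is something to fix on the host (turn off LM hash storage, set a password, stop reusing the local Administrator password).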