Thread: Generating SAM dumps from an external HDD

    Hey guys,

    Given that this is a bit of a grey area, and knowing that this forum is against any kind of malicious cracking, I shall let you know the situation.

    I took the hard drive out of my old laptop the other day and connected it via an HDD enclosure to my current machine. I was looking for some files on the drive that contain sensitive information. However, it turns out that I had encrypted the files using Windows EFS, which utilises a key derived from the user password in the (symmetrical, I presume) encryption process.

    As such, I am trying to generate a dump of the NTLM hashes stored on the disk in the SAM file. I am not looking to crack the hashes, and I have no interest in software which is able to do so, because I've narrowed the possible user password down to a list of 7 or so potential candidates. The plan is to use online tools to generate NTLM hashes of these possible passwords and compare it to the hashes stored in the SAM hive. So technically, I'm not looking to crack anything. Hopefully you guys believe me when I say I am trying to access my own data!

    The issue that I'm having is that most SAM-dumping utilities perform a local dump on a live operating system. I've copied the SAM from the external HDD over to my current laptop and it is now sitting on my desktop. However, I can't find any utilities that are able to dump NTLM hashes from a non-local SAM file (i.e. one that isn't in system32). I would've thought that dumping from a live OS would be more difficult and that the number of tools available for dumping from an "external" file would be plentiful. As I say though, I've looked around and I can't seem to find a tool to suit my needs.

    If anyone knows of any applications that can achieve this (preferably portable), then please do give us a shout! Once a dump is generated and the password is found by comparison with hashes of my potential passwords, the plan is to change my user password on my current machine to that password to access the files. (Will this work? Short of that, is it perhaps possible to supply LSA with a custom password for decryption of DPAPI blobs as opposed to it defaulting to the current user's password?)

    Many thanks for your time,
    It's always appreciated!

    Abyssion

    EDIT: Oh, if anyone is feeling helpful, but doesn't want to suggest tools that could be used nefariously in a public place, feel free to P.M. me. Thank you!
    Last edited by Abyssion; 01-27-2016 at 10:24 PM.
