Hey guys,
Given that this is a bit of a grey area, and knowing that this forum is against any kind of malicious cracking, I shall let you know the situation.
I took the hard drive out of my old laptop the other day and connected it via an HDD enclosure to my current machine. I was looking for some files on the drive that contain sensitive information. However, it turns out that I had encrypted the files using Windows EFS, which utilises a key derived from the user password in the (symmetrical, I presume) encryption process.
As such, I am trying to generate a dump of the NTLM hashes stored on the disk in the SAM file. I am not looking to crack the hashes, and I have no interest in software which is able to do so, because I've narrowed the possible user password down to a list of 7 or so potential candidates. The plan is to use online tools to generate NTLM hashes of these possible passwords and compare them to the hashes stored in the SAM hive. So technically, I'm not looking to crack anything. Hopefully you guys believe me when I say I am trying to access my own data!
The issue that I'm having is that most SAM-dumping utilities perform a local dump on a live operating system. I've copied the SAM from the external HDD over to my current laptop and it is now sitting on my desktop. However, I can't find any utilities that are able to dump NTLM hashes from a non-local SAM file (i.e. one that isn't in system32). I would've thought that dumping from a live OS would be more difficult and that the number of tools available for dumping from an "external" file would be plentiful. As I say though, I've looked around and I can't seem to find a tool to suit my needs.
If anyone knows of any applications that can achieve this (preferably portable), then please do give us a shout! Once a dump is generated and the password is found by comparison with hashes of my potential passwords, the plan is to change my user password on my current machine to that password to access the files. (Will this work? Short of that, is it perhaps possible to supply LSA with a custom password for decryption of DPAPI blobs as opposed to it defaulting to the current user's password?)
Many thanks for your time,
It's always appreciated!
Abyssion
EDIT: Oh, if anyone is feeling helpful, but doesn't want to suggest tools that could be used nefariously in a public place, feel free to P.M. me. Thank you!