
subject: SAM file and Windows Login Password



The SAM file, also known as the Security Accounts Manager, stores all the passwords on Windows XP, Windows NT, Windows 2000, Windows Vista and Windows 7 computers.

You can find this file on your computer's hard drive in the directory "C:\WINDOWS\System32\Config". User names and passwords are stored in SAM files in a hashed format (LM hash and NTLM hash) for every account on the local machine, or domain if it is a domain controller. The hashed format provides some measure of security for the stored passwords.

It can be found on the hard drive in the folder %systemroot%\system32\config. This folder is locked if the machine is on. While the machine is running, only the "System" account can access the SAM file.

The SAM file can also be stored in %systemroot%\repair if the NT Repair Disk Utility has been run and the Administrator has not removed the backed up SAM file.

Finally, you can find the SAM or corresponding hashes under HKEY_LOCAL_MACHINE\SAM in the Windows registry. This one is also locked to all users, including Administrator, while the machine is running.

To obtain the SAM Password Hashes

Since the folder containing the SAM file is locked while the machine is running, you cannot simply copy the SAM file. You will need to find alternate methods of starting up the computer without using the SAM file. Probably the easiest way to obtain hashes is to boot the computer up into Linux using a boot CD or floppy and just copy the SAM from the %systemroot%\system32\config folder, or from %systemroot%\repair if rdisk has been run. It's quick and effective.

You can also find password hashes by using pwdump. It uses DLL injection to run as the system account, reads the password hashes stored in the registry and stores them in a handy little text file.

You can also obtain SAM files using an MS-DOS boot disk. You just need to insert a floppy, right click on it in My Computer, and click on format floppy. When the menu appears, check the box for "Create an MS-DOS startup disk", and then click the start button. After the disk is ready, restart your computer with the disk still in the drive. Make sure your computer boots from the floppy drive. When the computer boots, you will see a screen with the command prompt "A:\>". Change this drive to the C drive and copy the SAM and SYSTEM files to other areas of the hard drive.

And you can obtain password hashes by listening directly to the network traffic as it floats by your computer and grabbing the hashes.

How to crack SAM file

There are a lot of programs available that will crack the SAM file for you. You may also try to crack it by hand. Some programs are SAMinside, which unfortunately costs money, Proactive Windows Security Explorer, which actually can import the SAM file from memory, and of course CAIN and ABEL will do the trick as well.

For more information, visit http://www.recoveryknowledgebase.com/Windows-Server-Password-Reset.htm
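
A defender's check for the leftover copies described above (the SAM backup in %systemroot%\repair and SAM/SYSTEM files copied to other areas of the hard drive), as an added example that is not part of the original post. It walks a directory tree, such as a mounted disk image, and flags registry hives found outside system32\config, identifying them by the "regf" signature and the original path stored in the hive header, so a renamed copy is still caught. The function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

REGF_MAGIC = b"regf"               # signature at offset 0 of a registry hive file
NAME_OFFSET, NAME_LEN = 0x30, 64   # header field: tail of original path, UTF-16LE
SENSITIVE = ("sam", "system")      # the two hives the page says get copied
LIVE_DIR = "system32/config"       # the only place these hives are expected

def hive_name(path):
    """Return the lower-cased hive name from a regf header, or None if not a hive."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(NAME_OFFSET + NAME_LEN)
    except OSError:                # directories and unreadable files
        return None
    if len(header) < NAME_OFFSET + NAME_LEN or not header.startswith(REGF_MAGIC):
        return None
    name = header[NAME_OFFSET:].decode("utf-16-le", errors="ignore")
    return name.split("\x00", 1)[0].lower().rsplit("\\", 1)[-1]

def find_stray_hives(root):
    """List (relative path, hive) for SAM/SYSTEM hives outside system32/config."""
    findings = []
    for p in Path(root).rglob("*"):
        base = hive_name(p)
        if base is None or p.parent.as_posix().lower().endswith(LIVE_DIR):
            continue
        hive = base if base in SENSITIVE else p.name.lower()  # header beats file name
        if hive in SENSITIVE:
            findings.append((p.relative_to(root).as_posix(), hive))
    return sorted(findings)

def fake_hive(original_path):
    """Constructed sample: a bare regf header carrying only the embedded name."""
    name = original_path[-32:].encode("utf-16-le").ljust(NAME_LEN, b"\x00")
    return REGF_MAGIC + b"\x00" * (NAME_OFFSET - 4) + name

def demo():
    cfg = "\\SystemRoot\\System32\\Config\\"
    layout = [("WINDOWS/system32/config/SAM", fake_hive(cfg + "SAM")),  # live hive
              ("WINDOWS/repair/sam", fake_hive(cfg + "SAM")),           # old backup
              ("temp/notes.dat", fake_hive(cfg + "SYSTEM")),            # renamed copy
              ("temp/readme.txt", b"not a hive")]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout:
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return find_stray_hives(root)
```

Calling demo() builds the constructed tree in a temporary directory and returns the two stray hives; against a real system, point find_stray_hives() at the mounted volume and treat each hit as a file to remove or investigate.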



