@cmartinbaughman
Created October 22, 2012 16:57
Windows Security (New ways to crack the Win Password Hashes!)
Password hashes are stored in the registry, in the key HKLM\Security\Sam. Normally you must have administrator privileges to access it. Even if you are the local admin, you still have to manually assign yourself Full Control permission on this subkey.
The juicy stuff is physically stored in two files:
C:\windows\system32\config\sam
and
C:\windows\system32\config\system
http://www.codeproject.com/KB/files/FDump.aspx is a tool that can dump file sectors directly from disk using logical offsets.
Use it to copy C:\windows\system32\config\sam and C:\windows\system32\config\system from the target system (the second one is needed because the “boot key” is stored there) so that we can process them somewhere else with Cain & Abel.
Run fdump.exe with the following parameters:
fdump.exe "C:\WINDOWS\system32\config\SAM" sam.dat
fdump.exe "C:\WINDOWS\system32\config\system" system.dat
Run cain.exe and do the following: select “Cracker”, then “Add to list” and then “Import hashes from Sam database”.
The rest is up to you. Now you probably need good rainbow tables and a bit of luck. :-)
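A detection-side view of the two fdump.exe runs above, as an added example that is not part of the original gist. It assumes Sysmon process-creation (ID 1) and RawAccessRead (ID 9) events already parsed into dictionaries; the function name, allowlist and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# The two hive files named above, quoted or not, in any letter case.
HIVE_RE = re.compile(r'\\system32\\config\\(sam|system)(?=["\s]|$)', re.IGNORECASE)
# Images allowed to read raw volumes (assumption: tune per environment).
RAW_READ_ALLOWLIST = {r"c:\windows\system32\defrag.exe"}

def find_hive_dumps(events):
    """Correlate process-creation and raw-read events per image into alerts."""
    hives = defaultdict(set)  # image -> hive names seen on its command lines
    raw_readers = set()       # images that read a volume below the file system
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 1:  # process creation
            for match in HIVE_RE.finditer(ev.get("CommandLine", "")):
                hives[image].add(match.group(1).upper())
        elif ev["EventID"] == 9 and image not in RAW_READ_ALLOWLIST:
            raw_readers.add(image)  # RawAccessRead
    alerts = []
    for image in sorted(hives):
        # SAM alone cannot be decrypted offline; SAM plus SYSTEM (boot key) can.
        complete = hives[image] == {"SAM", "SYSTEM"}
        raw = image in raw_readers
        severity = "high" if complete and raw else "medium" if complete or raw else "low"
        alerts.append({"image": image, "hives": sorted(hives[image]),
                       "raw_read": raw, "severity": severity})
    return alerts

# Constructed sample events: Sysmon field names, made-up values.
FDUMP = r"C:\Users\analyst\Downloads\fdump.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": FDUMP,
     "CommandLine": r'fdump.exe "C:\WINDOWS\system32\config\SAM" sam.dat'},
    {"EventID": 9, "Image": FDUMP, "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 1, "Image": FDUMP,
     "CommandLine": r'fdump.exe "C:\WINDOWS\system32\config\system" system.dat'},
    {"EventID": 9, "Image": r"C:\Windows\System32\defrag.exe",
     "Device": r"\Device\HarddiskVolume2"},
    # systemprofile is an ordinary directory under config and must not match.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\System32\config\systemprofile"},
]

if __name__ == "__main__":
    for alert in find_hive_dumps(SAMPLE_EVENTS):
        print(alert)
```

Images that read raw volumes without naming a hive file on their command line are not reported by this sketch and need a separate rule.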
Afterword:
You may be tempted to explore the copied registry manually and see what else is there (your curiosity is more than normal), so here is a quick "how to" for browsing the copied registry files with regedit:
Open regedit and single-click the HKLM branch (important!):
Then in the main menu select “File” and “Load Hive”, then select our file: C:\myfiles\sam
...and finally provide a key name. This is the key the new hive will be attached to.
Do not forget to assign proper permissions to this branch!
Close regedit and open it again. Now you can browse everything! :)