
Thread: samdump2

  #1 mixit (Member; Join Date: Jan 2010; Posts: 104)

    Question: samdump2

    I'm trying to use samdump2 to dump the hashes of my Vista partition by simply mounting the partition and running samdump2 according to the document located here

    HTML Code:
    hxxp://www.backtrack-linux.org/forums/backtrack-howtos/68-password-cracking-guide.html
    When I attempt to dump the hash using the command

    Code:
    samdump2 /mnt/Windows/Windows/System32/config/SAM syskey.txt
    I get an error saying:

    Code:
    Error reading ControlSet: _RegOpenKey
    I have made sure that the directory of my SAM file is in the path

    /mnt/Windows/Windows/System32/config/SAM

    I don't fully understand what the syskey.txt is since it's not located under this path, but I'm looking into it. While I continue to read up on this topic, I was hoping that someone could help me figure out what this error means and what I'll have to do in order to successfully dump my SAM from my windows vista partition.

  #2 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: samdump2

    Try these:

    http://www.google.com/search?q=samdump2+vista
    http://www.google.com/search?&q=samdump2+vista+"Error+reading+ControlSet%3A+_RegOpenKey"
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  #3 mixit (Member; Join Date: Jan 2010; Posts: 104)

    Re: samdump2

    If you search Google, this is actually the first link that comes up, and every document after it has no information regarding this error.

    I was never able to successfully use bkhive with samdump2, but I tried a different method referenced in that document in which samdump2 is used to extract the system key as well as dump the SAM. In other words, I bypassed using bkhive altogether. If anyone is having a similar problem, I recommend using samdump2 for everything. This method is referenced in the document I mentioned in the first post.

  #4 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: samdump2

    It looks like you missed some steps/details in the guide you followed.

    I don't fully understand what the syskey.txt is since it's not located under this path, but I'm looking into it. While I continue to read up on this topic, I was hoping that someone could help me figure out what this error means and what I'll have to do in order to successfully dump my SAM from my windows vista partition.
    syskey.txt should have been extracted from bkhive in an earlier step.

    Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools is a little older but the basic process should still be applicable.

    If you weren't able to extract syskey via bkhive, then what was the name of the syskey file you extracted via your alternate method & samdump2?

  #5 Good friend of the forums (Location: outside chicago, il; Join Date: Jan 2010; Posts: 442)

    Re: samdump2

    In BT4 samdump2 is samdump version 2.0.1, and the way the program is written, the source code for bkhive is included in the samdump2 executable. Basically the main function looks like

    Code:
    bkhive
    samdump
    exit

    I have an updated version that includes the ability to dump cached credentials on XP.
    I like the bleeding edge, but I don't like blood loss

  #6 mixit (Member; Join Date: Jan 2010; Posts: 104)

    Re: samdump2

    OK, here are the exact commands I'm using and the output I'm receiving.

    Code:
    root@bt:~# bkhive /mnt/Windows/Windows/System32/config/SYSTEM syskey.txt
    bkhive 1.1.1 by Objectif Securite
    http://www.objectif-securite.ch
    original author: ncuomo@studenti.unina.it
    
    Root Key : CMI-CreateHive{C619BFE8-791A-4B77-922B-F114AB570920}
    Default ControlSet: 001
    Bootkey: 83f1a25575986067abc03ebc081a65cf
    root@bt:~# samdump2 /mnt/Windows/Windows/System32/config/SAM syskey.txt>hash.txt
    The syskey.txt file contains 16 cryptic-looking characters, as though it were trying to read a binary file. Then the hash.txt file just contains

    Code:
    Error reading ControlSet: _RegOpenKey
    I'm not sure, but I don't think that the syskey.txt should look as it does. I'm opening it with the text editor Kate. I guess it would be nice to know why this isn't working, but again, I was able to do all of this using just samdump2.
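
Added example, not code from this thread and not the bkhive or samdump2 source: the final step of the bootkey (syskey) derivation that post #5 says is compiled into samdump2 and that post #6 shows bkhive performing on the SYSTEM hive, plus the file check that explains what post #6 sees in Kate. Walking the hive to the Lsa key is assumed already done; the four class names and the Select\Default value below are constructed sample inputs, not values from a real machine. The permutation table is the fixed one applied to the boot key on NT-family Windows.

```python
"""
Added example (not code from the thread, bkhive or samdump2): the last
step of bootkey extraction from a SYSTEM hive. Locating
HKLM\\SYSTEM\\ControlSetNNN\\Control\\Lsa is assumed done; all inputs
here are constructed sample values.
"""
import binascii
import os
import tempfile

# Fixed permutation applied to the 16 scrambled bytes taken from the hive.
BOOTKEY_PERMUTATION = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]

# The key material is in the *class names* of these four subkeys of
# ...\Control\Lsa, not in any value stored under them.
LSA_SUBKEYS = ("JD", "Skew1", "GBG", "Data")


def controlset_from_select(default_dword):
    """Map the Select\\Default DWORD to the ControlSet key that is read.
    bkhive reports this as 'Default ControlSet: 001'."""
    if not 0 < default_dword < 1000:
        raise ValueError(f"implausible Select\\Default value: {default_dword}")
    return f"ControlSet{default_dword:03d}"


def decode_classname(raw_utf16le):
    """Class names are stored UTF-16LE in the hive; return them as str."""
    return raw_utf16le.decode("utf-16-le")


def bootkey_from_classnames(classnames):
    """classnames: dict mapping each LSA_SUBKEYS entry to its 8-hex-char
    class name. Returns the 16-byte bootkey (bkhive's 'Bootkey:' line)."""
    missing = [k for k in LSA_SUBKEYS if k not in classnames]
    if missing:
        raise ValueError(f"Lsa subkeys without class names: {missing}")
    scrambled_hex = "".join(classnames[k] for k in LSA_SUBKEYS)
    if len(scrambled_hex) != 32:
        raise ValueError("expected four 8-character hex class names")
    scrambled = binascii.unhexlify(scrambled_hex)
    return bytes(scrambled[BOOTKEY_PERMUTATION[i]] for i in range(16))


def write_syskey_file(path, bootkey):
    """bkhive-style output: the raw 16 bytes, no hex encoding, no newline.
    This is why the file looks like binary garbage in a text editor."""
    with open(path, "wb") as f:
        f.write(bootkey)


def check_syskey_file(path):
    """The check to run before handing the file to samdump2: it must be
    exactly 16 bytes. Returns the key as hex so it can be compared with
    the 'Bootkey:' line bkhive printed."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != 16:
        raise ValueError(f"{path}: expected 16 bytes, got {len(data)} "
                         "(a hex-text or edited file is the wrong input)")
    return data.hex()


def demo():
    """Run the whole derivation on constructed inputs (not from a real hive)."""
    raw_classnames = {                  # as they would come out of the hive
        "JD":    "0a1b2c3d".encode("utf-16-le"),
        "Skew1": "4e5f6071".encode("utf-16-le"),
        "GBG":   "8293a4b5".encode("utf-16-le"),
        "Data":  "c6d7e8f9".encode("utf-16-le"),
    }
    classnames = {k: decode_classname(v) for k, v in raw_classnames.items()}
    bootkey = bootkey_from_classnames(classnames)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "syskey.txt")
        write_syskey_file(path, bootkey)
        file_hex = check_syskey_file(path)
        size = os.path.getsize(path)
    return {
        "controlset": controlset_from_select(1),
        "bootkey_hex": bootkey.hex(),
        "file_hex": file_hex,
        "file_size": size,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 16 "cryptic" characters Kate shows in post #6 are therefore the expected content: bkhive writes the raw key bytes, and the hex string on its "Bootkey:" line is the same value printed for humans. The only sanity check worth doing on that file is its length. Read together with post #5, the most likely cause of the "Error reading ControlSet" in posts #1 and #6 is that the BT4 samdump2 build runs its embedded bkhive step on its first argument, so passing the SAM hive in that position makes it look for ControlSet keys in a hive that has none; that is consistent with post #3, where using samdump2 on its own (with the SYSTEM hive) worked.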
