Aug 07, 2017 Step 1: Extract Hashes from Windows. Security Account Manager (SAM) is a database file in Windows 10/8/7/XP that stores user passwords in encrypted form, which could be located in the following directory: C: Windows system32 config. The first thing we need to do is grab the password hashes from the SAM file. Hacker tools were available to recover a FEK from the SAM. If an administrator took ownership of an encrypted file, with a little effort, they could retrieve the FEK from the SAM and recover the encrypted file. When EFS is used to encrypt a file in Windows 7, the FEK is. Jul 12, 2020 SAM file is exist under C:/Windows/System32/config in Window 7/8/8.1/10. If User want to logon on the machine, user name and password should be match for authentication entered by user. If user put wrong username and password, authentication being failed. The encryption algorithm is NTLM2 used.
Step 1: Extract Hashes from Windows Security Account Manager (SAM) is a database file in Windows 10/8/7/XP that stores user passwords in encrypted form, which could be located in the following directory: C: Windows system32 config The first thing we need to do is grab the password hashes from the SAM file.
Security Account Manager (SAM) in Windows is used to storeusers’ passwords and can be used to authenticate local users on yourWindows systems.
This post is about recovering your account password fromWindows SAM by using a GNU/Linux system for the task.
Decrypt File Tool
In the cases when you happen to forget the Administrator passwordfor your Windows server this could be really handy to keep around.
Today was such a day for me, so I thought I should document thissomewhere for future references if needed.
We will be using an Arch Linux ISOimage to boot the system and then make our way to the SAM passwordrecovery.
You can read more about SAM at theSecurity Account Managerpage on Wikipedia.
Lets get started!
First, go ahead to the Arch Linuxsite and grab an ISO image.
Then boot your system using the Arch Linux image you’ve downloaded,which should soon take you to the shell prompt.
For recovering the password from SAM we will be using thechntpw tool, so in order to beable to install the package we would need networking first.
The commands below are used to assign a static address to one of ourethernet interfaces, but you could use DHCP instead if you happento have a running DHCP server in your subnet already.
Make sure that you have a working network connection thenproceed to the next steps.
Synchronize your package database.
Now lets install
It is now time to mount the Windows drive. The command belowassumes that your
Windows C: drive is at
/dev/sda1, but itmight not be the case with your setup. Check
lsblk(8)to see which is the correct device of your Windows systems.
The Windows SAM file location by default is at
C:WindowsSystem32config, so lets navigate to that directory first.
Sam File Reader
List the local users from the SAM file by executing the command below.
Select the user you wish to reset/unlock and run the followingcommand.
Program To Decrypt Files
From there on simply follow the menu instructions provided by
chntpw and you should be ready to go.