bkhive & samdump2
Written by Oki   
Saturday, 07 July 2007 16:54

The bkhive tool is designed to recover the syskey bootkey from a Windows NT/2K/XP SYSTEM hive. With that key the SAM file can be decrypted and the password hashes dumped.

And samdump2 is designed to dump Windows 2K/NT/XP password hashes from a SAM file. It requires the syskey bootkey, which can be recovered with a tool such as bkhive.

So both of them need each other :)

"Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. The main purpose of this feature is to deter 'offline' attacks. In fact one of the most common ways to gather passwords is to copy the system SAM database and then use one of the many good password crackers[1] to "recover" the passwords; of course physical access is almost always required.

So with syskey the attacker needs to remove the additional encryption layer to get the password hashes (this is not entirely true as some tools can crack even syskeyed hashes while losing some performance).

The key used by Syskey to encrypt the password hashes (called bootkey or system key) can be generated and stored in three ways. The method to use is selected when running syskey.exe on the host.

An attacker can steal (maybe at the same time as the SAM database) the system hive and access from there the above-mentioned keys to recover the syskey bootkey.

The tool developed to make this operation is called Bkhive.

So syskey encrypts the password hashes with the RC4 algorithm using as key "something" derived (through MD5) from the syskey bootkey.

Tool to automate the above steps and include the features of SAMDUMP. The tool is called SAMDUMP2; SAMDUMP2 can, when given a SAM hive and a bootkey file (generated by Bkreg or Bkhive), output the password hashes in SAMDUMP/PWDUMP format.

So an attacker with physical access can:

0)  Boot using another OS (maybe Linux or DOS)
1)  Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
2)  Recover the syskey bootkey from the SYSTEM hive using Bkhive (or Bkreg on pre-SP4 systems)
3)  Dump the password hashes using SAMDUMP2
4)  Crack them offline using his favorite cracking tool"

Ref : Here
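Since samdump2 emits hashes in PWDUMP format, an administrator auditing their own systems can parse that output to spot accounts that still store a LM hash (far weaker than the NT hash) or that have a blank password. The following is an added example written for this page, not code from bkhive or samdump2; the hash values in the sample lines are constructed, except for the well-known hashes of the empty password.

```python
import re
from typing import List, NamedTuple

# Well-known constants: LM hash of an empty password and NT hash of an empty
# password. A LM field that is neither empty nor this constant means the
# account still keeps a LM hash; an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


class Finding(NamedTuple):
    user: str
    rid: int
    has_lm_hash: bool      # weak LM hash still stored for this account
    blank_password: bool   # NT hash equals the hash of an empty password


def parse_pwdump(text: str) -> List[Account]:
    """Parse PWDUMP-format lines: user:rid:lmhash:nthash::: (extra fields ignored)."""
    accounts = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a pwdump record; skip rather than guess
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def audit(accounts: List[Account]) -> List[Finding]:
    """Flag accounts with a stored LM hash or an empty-password NT hash."""
    return [
        Finding(a.user, a.rid, bool(HEX32.match(a.lm)) and a.lm != EMPTY_LM, a.nt == EMPTY_NT)
        for a in accounts
    ]


# Constructed sample output (hash values are made up except the empty-password constants).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:fedcba9876543210fedcba9876543210:abcdef0123456789abcdef0123456789:::
this line is not a record
"""

if __name__ == "__main__":
    for finding in audit(parse_pwdump(SAMPLE)):
        print(finding)
```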
