Written by Oki
Saturday, 07 July 2007 16:54
The bkhive tool is designed to recover the syskey bootkey from a Windows NT/2K/XP SYSTEM hive. With that bootkey we can then decrypt the SAM file and dump the password hashes.
And samdump2 is designed to dump Windows 2k/NT/XP password hashes from a SAM file. It requires the syskey bootkey, which can be recovered with tools like bkhive.
So both of them need each other :)
"Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database. The main purpose of this feature is to deter 'offline' attacks. In fact one of the most common ways to gather passwords is to copy the system SAM database and then use one of the many good password crackers to 'recover' the passwords; of course physical access is almost always required.
So with syskey the attacker needs to remove the additional encryption layer to get the password hashes (this is not entirely true as some tools can crack even syskeyed hashes while losing some performance).
The key used by Syskey to encrypt the password hashes (called bootkey or system key) can be generated and stored in three ways. The method to use is selected when running syskey.exe on the host.
An attacker can steal (maybe at the same time of the SAM database) the system hive and access from there the above mentioned keys to recover the syskey bootkey.
The tool developed to make this operation is called Bkhive.
So syskey encrypts the password hashes with the RC4 algorithm using as key "something" derived (through MD5) from the syskey bootkey.
Tool to automate the above steps and include the features of SAMDUMP. The tool is called SAMDUMP2; SAMDUMP2 can, when given a SAM hive and a bootkey file (generated by Bkreg or Bkhive), output the password hashes in SAMDUMP/PWDUMP format.
So an attacker with physical access can:
0) Boot using another OS (maybe Linux or DOS)
1) Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
2) Recover the syskey bootkey from the SYSTEM hive using Bkhive (or Bkreg on pre Sp4 system)
3) Dump the password hashes using SAMDUMP2
4) Crack them offline using his favorite cracking tool"
Ref : Here
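The quoted description says syskey protects each stored hash with RC4 under a key derived (through MD5) from the bootkey. The following is an added example, not code from the original post or from the bkhive/samdump2 projects, that models exactly that layering so the dependency between the SYSTEM hive (bootkey) and the SAM hive (protected hashes) is visible. It assumes a 16-byte bootkey and a derivation of `MD5(bootkey || RID || label)`; the real SAM derivation mixes in fixed Windows constants that are not given on this page, so `derive_hash_key`, the label strings and all sample values are constructed stand-ins, not the actual on-disk format.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_hash_key(bootkey: bytes, rid: int, label: bytes) -> bytes:
    """Model of the per-hash RC4 key: MD5 over bootkey, account RID and a label.

    ASSUMPTION: simplified stand-in for Windows' derivation; it keeps the structure
    the post describes (bootkey -> MD5 -> RC4 key) without the real constants.
    """
    return hashlib.md5(bootkey + rid.to_bytes(4, "little") + label).digest()


def syskey_protect(bootkey: bytes, rid: int, nt_hash: bytes) -> bytes:
    """What the syskey layer does when a hash is written into the SAM (model)."""
    return rc4(derive_hash_key(bootkey, rid, b"NTPASSWORD"), nt_hash)


def syskey_unprotect(bootkey: bytes, rid: int, protected: bytes) -> bytes:
    """What samdump2 does once bkhive has supplied the bootkey (model)."""
    return rc4(derive_hash_key(bootkey, rid, b"NTPASSWORD"), protected)


# Constructed sample values (placeholders, not real Windows data).
BOOTKEY = bytes(range(16))                                  # 16-byte bootkey from the SYSTEM hive
RID = 500                                                   # the built-in Administrator RID
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for a 16-byte NT hash


def demo() -> dict:
    """Show that the SAM content alone is useless without the SYSTEM hive's bootkey."""
    protected = syskey_protect(BOOTKEY, RID, SAMPLE_NT_HASH)
    wrong_bootkey = bytes(16)  # an attacker with only the SAM hive has no bootkey
    return {
        "protected_hex": protected.hex(),
        "recovered_with_bootkey": syskey_unprotect(BOOTKEY, RID, protected) == SAMPLE_NT_HASH,
        "recovered_without_bootkey": syskey_unprotect(wrong_bootkey, RID, protected) == SAMPLE_NT_HASH,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for a defender is in the last two dictionary entries: the SAM hive on its own yields nothing, which is why the quoted procedure has to take both hives and why protecting the SYSTEM hive (and any backups of it) matters as much as protecting the SAM.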