SAMInside

SAMInside is designated for the recovery of Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7 user passwords.

Some of its outstanding features include:

• The program has small footprint, it doesn’t require the installation and can be run from a diskette, CD/DVD-disk or USB-drive.

• Includes over 10 types of data import and 6 types of password attack:
– Brute-force attack
– Distributed attack
– Mask attack
– Dictionary attack
– Hybrid attack
– Pre-calculated tables attack

• Top-speed performance on any CPU, since the recovery code completely written in Assembler.

• The application understands national character sets and properly displays non-latin Windows user names and passwords.

Data Import

SAMInside data import features include:

“Import SAM and SYSTEM Registry Files” – the importing of user data from SAM registry file. If the imported SAM file is additionally encrypted by SYSKEY (enabled by default in Windows 2000/XP/2003/Vista), the program will also need the SYSTEM Windows registry file, located at the same Windows directory, where SAM file was – %SystemRoot%\System32\Config. Copies of these files may be also found in the %SystemRoot%\Repair and %SystemRoot%\Repair\RegBack folders. (Note: %SystemRoot% is the system folder of Windows OS; commonly C:\WINDOWS or C:\WINNT).

“Import SAM Registry and SYSKEY File” – the importing of user data from SAM Windows registry file using the file with the SYSKEY system key.

“Import from PWDUMP File” – the importing of user data from text file of the PWDUMP format. You can find sample files with users in the SAMInside archive.

“Import from *.LC File” – the importing of user data from files created with L0phtCrack.

“Import from *.LCP File” – the importing of user data from files created with LC+4 and LC+5.

“Import from *.LCS File” – the importing of user data from files created with LC4, LC5 and LC6.

“Import from *.HDT File” – the importing of user data from projects created with Proactive Windows Security Explorer and Proactive Password Auditor.

“Import from *.LST File” – the importing of user data from LMNT.LST files created with Cain&Abel.

“Import LM-Hashes from *.TXT File” – the importing of LM-hashes from text file.

“Import NT-Hashes from *.TXT File” – the importing of NT-hashes from text file.

“Import Local Users …” – the importing of local user data (to do that, run the program with Administrator privileges). The program uses the following methods of obtaining local users:
” … via LSASS” – importing local user data using a connection to the LSASS process.
” … via Scheduler” – importing local user data using the Scheduler system utility.

The program also lets adding users with known LM/NT hashes through the dialog box (Alt+Ins).

The peak user number the application is capable of serving to is 65536.

Data Export

SAMInside export features include:

“Export Users to PWDUMP File” – the exporting of all user records to a text file in the PWDUMP format. You can then open the produced file in any passwords recovery program.

“Export Selected Users to PWDUMP File” – the exporting of selected user records to a text file in the PWDUMP format.

“Export Found Passwords” – the exporting of found passwords in the “User name:Password” format.

“Export Statistics” – the exporting of current program statistics to a text file.

“Export Users to HTML” – the exporting of users to a HTML file.

Password Recovery

Brute-force attack

This type of attack is the exhaustive search of all possible password values.

Brute-force attack also includes the distributed attack. This type of attack allows using multiple computers for the recovery of passwords, distributing the recovery calculation load among them. This type of attack takes off automatically when user provides more than one computer for facilitating the attack. At the same time, the range selection feature becomes available for the current computer. So, to start a distributed attack, you’d have to:

1. Run this program on several computers.
2. Choose how many computers are to facilitate the attack.
3. Set the same attack options on all computers that are to facilitate the attack.
4. Choose an individual passwords attack range for each of the computers.
5. Launch brute-force attack on all computers.

Mask attack

This type of password attack is used when user possesses partial information about the lost password. For example:
– Password begins with the “12345” character combination.
– First 4 characters of the password are numbers, others are letters.
– Password has 10-character length, and there’s the “admin” character string in the middle of the password.
– And so on.

Mask attack settings allow creating a mask for passwords to be attacked and setting the overall length of passwords to be processed. The following mask setting can be provided: if you don’t know the N-th character of the password, then set the N-th checkbox of the mask and choose the mask for this character in the corresponding entry field. If you know any character of the password, enter it to the N-th entry field and switch off the corresponding mask checkbox.

The application uses the following masks:
? – any printable character (ASCII-codes 32…255).
A – any upper-case Latin character (A…Z).
a – any lower-case small Latin (a…z).
S – any special character (!@#…).
N – any number (0…9).
1…8 – any character from a custom character set; you may define up to 8 custom sets.

Dictionary attack

Dictionary is a text file made of commonly used passwords like
123
admin
master
etc.

Dictionary attack settings include the hybrid attack, i.e. to the possibility to append up to 2 characters before or after the password; that paves an easier way to recover passwords like “master12” or “#admin”.

Pre-calculated tables attack

This type of attack uses the Rainbow technology (http://project-rainbowcrack.com/) for creating pre-calculated tables.

Additionally

– All types of attack require the additional specification of what type of hashes (LM or NT) are to be used for the recovery.

– Mark the files you’re going to use for the dictionary attack (in the dictionary files list) and for the pre-calculated tables attack (in the tables list).

Command Line Parameters

The application can be managed with the following command line parameters:

-hidden : launch the program in the hidden mode

-noreport : disables reporting the completion of attack

-import : import local users automatically on startup

-export : import local users, save the data to the SAMInside.OUT file and close

-minimize : run minimized to tray.

Additional Features

1. Checking password for all users loaded in the program
Enter the password to the “Current password:” field and then press F2. The program will attempt to match the password for all users who have no password found.

2. Running in the “Hidden mode” (Ctrl+Alt+H)
When this mode is enabled, the application will disappear from both desktop and taskbar. To return from the hidden mode, press the same keyboard shortcut.

3. The following console utilities provided in the installation archive will be helpful when working with SAM and SYSTEM registry files:

GetSyskey – extracts SYSKEY from the SYSTEM registry file and saves it to a separate 16-byte file.

GetHashes – gets user hashes using SAM registry file and SYSKEY.

LRConvert – converts hashes from the Login Recovery to PWDUMP format.

PassToSyskey – generates SYSKEY using provided password.

Demo Version Restrictions

1. Only Latin capitals may be used for brute-force attack.
2. Mask attack is unavailable.
3. Only one table is available for attack with pre-calculated tables.

License Agreement

1. All rights for SAMInside are reserved to InsidePro Software.

2. The software is distributed as Demo, without any restrictions on the length of the evaluation. You may also copy and redistribute the unchanged distribution of the Demo edition on any data mediums (hard disk, floppy disk, CD-ROM, etc.).

3. To remove all restrictions from the software, you must register your copy of the software by purchasing and then entering a license key (or several license keys) in the application.

4. The use of license keys by any person not registered as an authorized user of the software, distribution of or publishing license keys are illegal. The author of the software reserves the right to revoke the registered user status from such key owners and block the revoked keys in the future versions of software.

5. You shall not modify, disassemble or decompile this software. The violation of this provision in any part shall lead to the immediate termination of this license agreement.

6. The software is provided “AS IS”. You use this software at your own risk. Under no circumstances shall the author be held liable for any data loss or damage, lost profits or any other damages caused by using or not using this software.

7. The author guarantees that the software does not contain harmful, spyware nor any other code designed for performing any functions other than those stated in Program Description.

8. Using the software shall indicate your acceptance of this license agreement.

9. If you do not wish to be bounded by these terms, delete all files of this software from your computer and stop using this software.

FAQ

Q1: What is SAM registry file, what is it for and where is it located?
A: The so-called SAM (Security Account Manager) registry file is the “HKEY_LOCAL_MACHINE\SAM” hive of Windows registry, which is physically located in the \System32\Config\ subfolder of the Windows system folder. This file’s name is exactly – sam. It contains local user names and their encoded passwords (hashes).

Q2: I want to import SAM file located in the C:\WINDOWS\System32\Config\ folder but program messages access error and can’t read the file. Why?
A: The matter is that files in this folder (sam, system, software and other files without extension) are Windows registry fragments, so Windows by default does not allow anyone to access these files, even for reading only. To gain the access to the SAM registry file, take either of the following routes:
• Boot under a different OS (Linux, Knoppix, WinPE, etc.) on the same computer.
• If your system disk has the FAT (or FAT32) file system, create a boot diskette on a computer operating under Windows 95/98, and then boot your PC from that diskette and copy the SAM and SYSTEM files to another folder or diskette.
• If your system disk has the NTFS file system, use the diskette created in NTFSDos Pro to gain the access to these registry files.

Q3: Using a diskette created with the NTFSDos Pro program, I got the access to the SAM and SYSTEM registry files; but the SYSTEM file is too large and can’t be saved on a diskette. What shall I do?
A: Use any DOS-based compression utility to compress it; for example, HA:
– To add the SYSTEM registry file to an archive:
a:\ha.exe a a:\system.ha C:\WINDOWS\System32\Config\system
– To extract the SYSTEM registry file from the archive:
ha.exe e system.ha

Q4: When importing the SAM (or SYSTEM) registry file, the application messages an error, despite that I copied it from the C:\WINDOWS\System32\Config folder! Why am I unable to import my file?
A: This may occur if the format of your file is unknown to SAMInside. First, check the signature (i.e. the first 4 bytes) of your file – it is to be ‘regf’. Other than that, either of the following might has happened:
– You had copied the file from an EFS-disk (i.e. from disk with installed Encrypting File System which supports file encryption); thus, your files are encoded and are a pseudo-random byte array, which cannot be used for obtaining the required registry branches, or
– Your files are located on an NTFS-disk, and the program you had used for copying the files had bugs. That often happens with NTFSDos (not the Pro edition!) and some other applications, which fail to perform properly with NTFS 5.0 and higher. So, better use the latest versions of the software for copying registry files.
If the signature of your file is correct (i.e. it’s really a registry file) but program still can’t import it, please, send your file to the Support service for the analysis.

Q5: What do question marks mean in unknown passwords?
A: If an LM-password or an NT-password appear as “???????”, it means that the password is 1 to 7 characters long.
If an LM-password or an NT-password appear as “??????????????”, it means that the password is 8 to 14 characters long.
If none of LM-password or NT-passwords appear as “??????????????”, it means that the password may have any length, but usually it’s greater than 14 characters.

Q6: What algorithms are used for obtaining LM- and NT-hashes?
A: The NT-hash formation goes this way:
1. User password gets converted to a Unicode-string.
2. That string is used for generating the MD4-hash.
3. The produced hash is encoded with the DES algorithm, where the user RID is used as the key.
The LM-hash formation goes this way:
1. User’s password is capitalized and appended with nulls to obtain the 14-byte length.
2. The produced string is divided into 7-byte halves, and each one of them is encoded with the DES algorithm separately. Finally, we obtain a 16-byte hash (what includes two separate 8-byte halves).
3. The produced hash is encoded with the DES algorithm, where the user RID is used as the key.

Q7: What’s the difference between LM- and NT-passwords? Using your program I’ve found the “ADMIN” LM-password and the “Admin” NT-password. Which one shall I use for logging in?
A: Use the case-sensitive NT-password to log in.

Q8: My password is longer than 7 characters, but brute-force attack can’t be launched when I try to set the start password of more than 7-character length. Why? Or, the program halts the attack of all 7-character passwords and messages the attack completion. My password is longer. Why is it so?
A: 7 characters isn’t the software-enforced limitation; it’s an LM-hash formation feature. For example, here is how a 9-character password “MARGARITA” encoded by Windows. It’s done separately – the first 7-character part of the password, “MARGARI” (getting hash “0069AD6D0FA5DD32”) and the second part, “TA” (getting hash “25E6C6A091DDAB09”). The resulting LM-hash, “0069AD6D0FA5DD3225E6C6A091DDAB09”, is stored in the SAM registry file after the additional encryption. Accordingly, SAMInside, when recovering an LM-password, will analyze the both 8-byte halves separately. So, if you’ve got a 9-character password, the program won’t recover it as a single 9-character password, but as two different passwords of 7- and 2-characters length! At the same time, SAMInside analyses the both halves of the initial password simultaneously, halving the general time of recovery of a long password. Thus, SAMInside successfully recovers LM-passwords of up to 14 characters long by halves!

Q9: I have a short NT-password (LM-password is disabled), which is made of Latin characters, but the program can’t recover it. Why is that?
A: The matter is that Windows will always capitalize passwords to produce their LM-hashes (i.e. the encoding of “Admin”, “ADMIN” and “aDmIn” passwords will produce the same LM-hash; you can verify that using the SAMInside LM/NT-hash generator). That’s why it doesn’t matter which character case you are going to use when recovering an LM-password – the program will capitalize them anyway.
NT-password is case-sensitive, so use character sets made of both capital and lower-case letters when recovering it.

Q10: When importing local users “… via Scheduler”, I get the error “Can’t open temporary file: …” Why is that?
A: The matter is that this importing method gets the content of the HKEY_LOCAL_MACHINE\SAM\SAM hive of Windows registry using the built-in Scheduler utility, which by default has the SYSTEM user privileges. But the access to this hive for reading can be closed even to the SYSTEM user! That can be done by tweakers or by “manual” Windows registry settings.
In this case, use another method of importing local users, by connecting to LSASS system process or other utilities.

Q11: Both local user import methods work great for me – “… via Scheduler” and “… via LSASS”. What’s the reason for keeping them both in the program then?
A: That’s done intentionally for the case when one of them doesn’t work or works incorrectly, so that you could use an alternate one (an example of the incorrect performance when import via Scheduler is described above; or, Microsoft may issue a patch to change the LSASS connection procedure or to disable such connection at all, etc.) So, if one of these methods won’t work, just use the other one.

Q12: Your program has recovered the password from the SAM registry file, but when I try to log in using that password, the OS messages the wrong password error! What’s the matter?
A: Your computer is likely to be connected to a network with a domain server with Active Directory service enabled in the network. That means that all user accounts are stored on the domain server, not in the SAM registry file. SAMInside recovers only local account passwords, stored in the SAM registry file.

Q13: What is the SYSKEY system key? How should one properly import a SAM registry file with SYSKEY?
A: The system key is 16 bytes used by Windows for the additional encryption of hashes. This key is stored in the registry. To gain access to this file:
• Use the SYSKEY.EXE utility to set the mode and store the key on a diskette, which is to be used on every Windows boot. The file stored on the diskette will be named as StartKey.key.
• Or, use the GetSyskey application (or similar) which extracts the key from the SYSTEM registry file and saves it to an external file. This file has a 16-byte length and is used for ensuring the correct decoding of hashes by the command “Import from SAM registry file and file with system key…” on the SAMInside menu.

Q14: How to use SAMInside brute-force attack on computers with multiple CPU?
A: You can successfully use the program on multiprocessor computers (if your Windows core supports multiprocessing, of course), and all the processors will be engaged. So, the average speed of password recovery will grow accordingly to the number of processors.
For example, your computer has two processor units. Then you need to create two folders and place one copy of SAMInside program to each of them. Then set the same brute force attack options in the both programs and use the distributed attack. To do that, set the number of participating computers value equal to the quantity of available processors (2, in our case). Then define the first range of passwords for one program and the second range for another one and run the attack in each instance of the program. As a result, both programs will run using different processors, and each will work with the fastest CPU speed.

Q15: Does your program recover Active Directory passwords?
A: No, it doesn’t. SAMInside recovers only local user passwords stored in the SAM registry file.

Q16: Is there any way to simplify the adding of custom character sets to brute force attack and mask attack?
A: Yes. To do that, right-click on the corresponding entry field to open the context menu. Besides the standard commands (like ‘Copy’, ‘Cut’, etc.) this menu will also display the commands for quick pasting of different character sets.

Q17: “Symbol replace tables” in the dictionary attack – what is it?
A: These tables (*.KBT-files) are text files where users can set which characters of passwords being checked are to be replaced with something else. This feature is useful for users of non-English-speaking countries with 2 keyboard layouts, English and national. In this case, native language passwords can be entered using English keyboard layout or, vice versa, English words can be typed using national characters. There’s the “Russian.kbt” file in the installation archive; it contains tables for the Russian keyboard layout.

Q18: What are Rainbow-tables, and how can they be used for password recovery?
A: Find the detailed information on Rainbow-tables here. You can use the rtgen or Winrtgen programs to generate such tables. To recover passwords this way, import the list of *.RT-files in the program and select table attack. Certainly, the type of hashes in the tables must match the type of hashes selected for the attack. To ensure that, table file names are to comply with this format:
“lm_*.rt” for LM-hashes,
“ntlm_*.rt” for NT-hashes (generated by Winrtgen program).

Q19: During the pre-calculated tables attack, program messages “Can’t open charset configuration file!” and halts the attack. What is this file, where can I get it, and what do I need it for?
A: This is a file that contains character sets (like “alpha” (A…Z), “numeric” (0…9), etc.) used for generating Rainbow-tables as well as for recovering passwords using such tables. The installation archive contains the “Charset.txt” file with 25 most frequently used character sets; though you can always add your own sets to this file.

Q20: When I import hashes from Windows NT registry files and when loading the SYSTEM file to the program, I get the error: “Error reading system key from SYSTEM registry file!”. What can I do about that?
A: That error tells you that the SYSTEM file does not contain the SYSKEY key, with which password hashes are encrypted additionally. Thus, to import such hashes, you do not need the SYSTEM file, and when the program prompts you to load it, simply click “Cancel”.

  1. #1 by retnol on July 17, 2010 - 4:30 pm

    nice
    thx for information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: