SamDecrypt
==========

You will need:

		Perl
		Crypt::DES

		A working ntreg

YOU MUST MOUNT THE SAM UNDER /mnt/reg
THE OUTPUT FILE WILL BE WRITTEN TO ./sam.out
I'll correct this maybe, maybe not......

OK, you've just obtained a sam._ file from an NT box and you want to crack the
password. Crank up l0phtcrack... your licence has expired, yada yada....

John the Ripper takes password hashes from pwdump output, so if you've got
admin you can use that.

But using wget on Compaq Insight Manager to obtain sam._ via HTTP leaves you
needing l0phtcrack to read sam._ (arse).

This is where SamDecrypt comes in: it extracts the NT/LM hashes for the
accounts present in the SAM file, including the previous password history, if
any.

Using the excellent ntreg driver from BindView,
	http://razor.bindview.com/tools/index.shtml

you can mount SAM files.

On an NT system:

extract sam._ sam         <- this uncompresses the sam file

On your Linux system:

mount ./sam /mnt/reg -t ntreg -o loopback    <- mount the SAM hive

./SamDecrypt                                 <- decrypt SAM

./john ./sam.out -format=NT                  <- crack NT passwords
./john ./sam.out -format=LM                  <- crack LM passwords

TIP:
	If you want to run it on the 'live' SAM, use REGBACK.EXE from the
	Resource Kit to create a SAM file and mount that instead.

So now I don't need commercial software anymore which makes me happy.

Shouts: Uncon!

Nathan Catlow.
--------------------------
Computer Crime Consultants
www.ccc-ltd.com

