The SAM file is locate in C:\Windows\System32\config and stores all Windows account password encrypted.
The problem is that you cannot copy or tamper the file while the file system is mounted.
This leaves us with at least 2 options: copy the SAM and SYTEM files from a Linux live CD or by having a copy of those files in a backup.
I have the backup and I copy the 2 files to my Kali Linux machine.
I recover the NTLM hashes by issuing the following command:
root@kali:~# /usr/bin/samdump2 /root/Desktop/SYSTEM /root/Desktop/SAM
user1:1000:aad3b435b51404eeaad3b435b51404ee:f9a14effe4a24ceb1cf0b2e8e9e7e9f9:::
root@kali:~#
The backup is from a Windows 7 version and that means that we are seeing NTLM v.2 hashes, which translates to the fact that only the last part of the hashes are useful.
So we need to convert to uppercase the bold part by using 2 BASH commands:
cristi@ubserver-nv:~/hashcat$ STRING=’f9a14effe4a24ceb1cf0b2e8e9e7e9f9‘
cristi@ubserver-nv:~/hashcat$ echo $STRING | awk ‘{print toupper($0)}’
F9A14EFFE4A24CEB1CF0B2E8E9E7E9F9
cristi@ubserver-nv:~/hashcat$
Copy the uppercase version to a text file and start hashcat:
crs@ubsv:~$ ./hashcat -m 1000 -a 3 ./ntlm.txt -w 3 –status
Good luck!
