Important! This program can be used only for your own forgotten password recovery!
The SAMInside program has the following functions:
- Extracting user data from Windows NT/2000/XP/2003 SAM files.
- Recovering user passwords from Windows NT SAM files.
- Recovering user passwords from Windows 2000/XP/2003 SAM files encrypted with Syskey!
SAMInside is the first program in the world that breaks the Syskey protection!
SAMInside performs brute-force attacks several times faster than comparable programs because its
code is written in Assembler and thoroughly optimized for modern processors.
Brute-force attack speed of SAMInside on different processors:
Processor                     | Brute-force speed on LMHash | Brute-force speed on NTHash
Intel Pentium-III 1000 MHz    | ~3.2 million passwords/sec  | ~3.3 million passwords/sec
AMD AthlonXP 1700+ (1466 MHz) | ~5.7 million passwords/sec  | ~5.1 million passwords/sec
Intel Pentium-4 2500 MHz      | ~3.7 million passwords/sec  | ~5.4 million passwords/sec
When attacking the NTHash of a single user, the brute-force speed increases by 60-100%;
on the AthlonXP 1700+, for example, it reaches 10 million passwords per second.
Another feature is the most correct extraction of user names and passwords from Windows NT/2000/XP/2003 SAM files in national (localized) encodings.
The program runs under Windows (from Windows 95 up to Windows 2003) and requires any x86 processor from the Intel Pentium (or AMD K6-II) upwards, with MMX support.
Menu "File":
"Import SAM-file..." (Ctrl+O) - open and load a SAM file into the program. If the file was taken from a
Windows NT/2000/XP/2003 system and is encrypted with SYSKEY (this encryption is mandatory on Windows 2000/XP/2003),
the program will additionally ask you to open the SYSTEM file, which is located in the same directory as the SAM file: %SystemRoot%\System32\Config.
Copies of these files may also be found in the %SystemRoot%\Repair and %SystemRoot%\Repair\RegBack directories.
"Import PWDUMP-file..." - open and load a text file with hashes in PWDUMP format into the program.
The usual format of the hashes in these files is:
User_name:RID:LMHash:NTHash:Account_description::
for example:
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
The same format is used by other programs, for example LC4.
"Import local machine SAM" - import hashes from the SAM file of the local machine.
To use the operations in this menu you must be logged in as Administrator.
"Using LSASS" - import local hashes by connecting to the LSASS process.
"Using Scheduler" - import local hashes using the system Scheduler utility,
which runs with the rights of the SYSTEM user.
"Export to PWDUMP-file..." (Ctrl+S) - export the data in PWDUMP format (this format is described above).
Such a file can easily be loaded into any password recovery program.
Menu "Edit":
"Mark all users" (Alt+M) - mark all users.
Only users whose passwords have not yet been found can be marked.
"Unmark all users" (Alt+U) - unmark all users.
"Delete all users" (F12) - delete all imported users.
Menu "Tools":
"Check password" (F2) - check a password against all imported users.
Enter the password in the "Password:" field
and choose this menu item (or press F2). The program will then check this password
for all users whose passwords have not yet been found, so to check a password
you do not need to mark users.
"Generate LMHash and NTHash..." (F3) - generate the LMHash and NTHash of a known password.
Enter the password in the "Password:" field
and choose this menu item (or press F3).
The LMHash and NTHash matching the password will then be displayed in a dialog.
"Hidden mode" (Ctrl+Alt+H) - hidden mode of operation.
When this option is chosen the program disappears from the screen and the taskbar. To return to visible mode press the same key combination.
"Language" - choose the interface language. This menu lists all language files found
in the program's working directory.
Menu "Search":
"Brute-force attack":
"Start(Stop) on LM Hashes" (F5) - start/stop a brute-force attack on LM hashes. To start the attack, mark the users whose passwords you want to recover and press F5.
"Start(Stop) on NT Hashes" (F6) - start/stop a brute-force attack on NT hashes. To start the attack, mark the users whose passwords you want to recover and press F6.
"Options..." - brute-force attack settings: choose the character sets for the attack and set the minimum and maximum password length.
"Mask attack": (this menu is unavailable in the Demo version).
"Start(Stop) on LM Hashes" (F7) - start/stop a mask attack on LM hashes. To start the attack, mark the users whose passwords you want to recover and press F7.
"Start(Stop) on NT Hashes" (F8) - start/stop a mask attack on NT hashes. To start the attack, mark the users whose passwords you want to recover and press F8.
"Options..." - mask attack settings: define the mask for the passwords being recovered and set the maximum length of the password to recover. The mask works as follows: if you do not know the N-th character of the password, set the N-th mask flag and, in the corresponding text field, set the mask for that character.
The program uses the following masks:
? - any printable symbol (symbol codes 32...255).
A - any Latin capital letter (A...Z).
a - any Latin small letter (a...z).
S - any special symbol (!@#...).
N - any digit (0...9).
X - any symbol from the user's character set.
If you already know one of the characters in the password, type it in the N-th field and clear the mask flag.
"Dictionary attack":
"Start...(Stop)" (F9) - start/stop a dictionary attack. To start, just choose the dictionary text file; the program will then check every password from the dictionary file for all users whose passwords have not yet been found.
Additional information:
- In the bottom-left of the window there is a text field "Password:", used to:
- set the initial password for the brute-force attack and the mask attack;
- enter the password to check or to generate the LMHash and NTHash for;
- display the password currently being tried.
- During operation the program displays its speed as:
N * X p/s, where N is the number of users being worked on at the same time and X is the brute-force attack speed (or mask attack speed) for each user.
- If you quit the program without stopping the brute-force attack, the next time it is launched it will continue from the last checked password.
- The program supports sorting of the loaded data. Just left-click a table header to sort.
Program limitations:
- Maximum password length for the LMHash brute-force attack and mask attack: 14 characters.
- Maximum password length for the NTHash brute-force attack and mask attack: 32 characters.
- Maximum password length for the dictionary attack: 128 characters.
- Maximum password length in the "Password:" field: 128 characters.
- Maximum number of users to work on: 8192.
Demo version limitations:
- Only capital Latin letters can be used for password recovery (no digits,
national letters, etc.).
- Mask attack is unavailable.
Q1: What are SAM files, what are they for and where are they located?
A: The so-called SAM file is simply a file named "sam". It is actually the
registry hive "HKEY_LOCAL_MACHINE\SAM" of Windows NT/2000/XP/2003 in binary form.
The SAM file is located in the C:\WINNT\System32\Config\ directory and
contains the accounts (logins and passwords) of the local machine.
Q2: I pointed the program at my own SAM file in the C:\WINNT\System32\Config\
directory, but SAMInside cannot read it. Why?
A: This directory contains the Windows registry hives (sam, system, software
and other files without an extension), and the operating system lets no one
access them, not even read-only. To obtain these files do one of the following:
- Run SAMInside under the Administrator account and import the local SAM using either the Scheduler or the LSASS method.
- Under the Administrator account run the "Backup wizard" and create a repair
disk ("Emergency Repair Disk"). Current copies of the SAM/SYSTEM files will then be in
C:\WINNT\Repair\, from where you can take them and import them into SAMInside.
- If your boot disk uses a file system other than NTFS, create a boot floppy
under Windows 98, boot from this floppy and copy the SAM/SYSTEM files to
another folder or to the floppy. Then boot your OS and import these files into
SAMInside.
- If your boot disk uses the NTFS file system, create a boot floppy using
NTFSDos Pro, boot from this floppy, mount the NTFS partition you need and
copy the SAM/SYSTEM files to another folder or to the floppy.
- Since the SYSTEM file is usually several MB in size, to compress it
(if you copy it to a floppy) use any DOS archiver, for example HA:
- To add the SYSTEM file to an archive: ha.exe a system.ha system
- To extract the SYSTEM file from the archive: ha.exe e system.ha
Q3: What is the difference between LM and NT passwords? Using your program I found the LM password "ADMIN"
and the NT password "Admin". Which one should I use to log in?
A: You can read more about how these passwords are formed and how they differ in
the chapter "Passwords storing in the Windows 2000/XP" of this article.
In short, if LM hash generation is enabled in the system, password checking uses LM hashes,
and every password is converted to upper case before hashing, so "ADMIN", "Admin", "aDmIn" and "admin"
all produce the same LM hash and Windows sees no difference between them: you can log in with any of them.
If LM hash generation is switched off, log in using the case-sensitive NT password.
Q4: My password contains 8 (9, 10...) characters, but when I try to enter an
initial password longer than 7 characters, either the LM brute-force attack
does not start or the program reports that the search is finished once it
has worked through the 7-character passwords. Why? My password is longer.
A: A few words about how Windows forms the LMHash. The system takes
the password, converts it to upper case, cuts it to 14 characters
and then splits it into two halves and encrypts each half separately. So when searching
for a password (for example "123456789") the program finds its parts separately:
first the shorter one, "89", and then "1234567". This is why the initial password
length is limited to 7 characters.
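As an added example (not part of SAMInside or its documentation), here is a small Python parser for the PWDUMP format described under "Import PWDUMP-file..." above, with the audit checks that the LM hash structure explained in Q3 and Q4 makes possible: whether an account still stores an LM hash at all, whether its second LM half is the empty-password half (so the password has 7 characters or fewer), and whether the NT hash is that of the empty password. The sample lines other than BillG are constructed, with placeholder hex values for the made-up accounts.

```python
import re

# LM hash of the empty password, stored when the account has no LM hash.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash of the empty password (MD4 of the UTF-16LE empty string).
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt, description) or None for a malformed line."""
    f = line.rstrip("\r\n").split(":")
    if len(f) < 4 or not f[1].isdigit():
        return None
    lm, nt = f[2].upper(), f[3].upper()
    if not (_HEX32.match(lm) and _HEX32.match(nt)):
        return None
    return (f[0], int(f[1]), lm, nt, f[4] if len(f) > 4 else "")

def audit_entry(lm, nt):
    """Findings that follow from the hash structure described in Q3/Q4."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != EMPTY_LM:
        # LM hash stored: case-insensitive and built from two 7-char halves.
        findings.append("LM hash stored (case-insensitive, 7+7 split)")
        if lm[16:] == EMPTY_LM_HALF:
            # Second half is the empty half, so the password is at most 7 chars.
            findings.append("password length <= 7")
    return findings

def audit_pwdump(text):
    """Map user name -> findings; an empty list means nothing was flagged."""
    report = {}
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is not None:
            report[entry[0]] = audit_entry(entry[2], entry[3])
    return report

# Constructed sample: the BillG line from the help text plus made-up accounts
# (Guest uses the well-known empty-password hashes; svc/ops use placeholder hex).
SAMPLE = """BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc:1011:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
ops:1012:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
this is not a pwdump line
"""
```

Running audit_pwdump(SAMPLE) flags BillG for a stored LM hash, Guest for an empty password, svc for both a stored LM hash and a password of at most 7 characters, and nothing for ops; the malformed last line is skipped.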
Q5: I have a short NT password (no LM password) consisting of Latin letters, but
the program cannot recover it. Why? (Note: the password consists of capital letters.)
A: Windows always converts the LM password to upper case, so that
encrypting "Admin", "ADMIN" and "aDmIn" gives the same LMHash.
You can check this with the hash generation function. The NT password, however,
is case-sensitive, so the passwords listed above have different NTHashes.
Therefore, when recovering an NT password you need to use character sets
containing both capital and small letters!
Q6: When importing the local SAM ("Using Scheduler") the program displays the message "Can't open
temporary file!". Why?
A: This method obtains the contents of the HKEY_LOCAL_MACHINE\SAM\SAM registry
branch using the system Scheduler utility, which by default runs with the
rights of the SYSTEM user. However, on some computers this branch may be
closed even to the SYSTEM user, by tweaker utilities or manually.
To get the local hashes you can also use another method: choose "Using
LSASS", or use the external utility PWDUMP, or programs such as LC4/LC+4.
Or follow the instructions below:
- Run regedt32.exe.
- Open the HKEY_LOCAL_MACHINE registry key.
- For the HKEY_LOCAL_MACHINE\SAM key choose "Permissions" and there
give the SYSTEM user and the Administrator the "Full access" + "Read" rights
(they may already be set and greyed out, i.e. unavailable to change).
- For the HKEY_LOCAL_MACHINE\SAM\SAM key also set full access and
read rights for the SYSTEM user; for your Administrator account read
rights are enough.
- Run the command:
regedit.exe /E /A samexport.txt "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account"
- Put the program SAMDump.exe and the resulting samexport.txt in the same folder.
- Run:
SAMDump.exe > hashes.txt
- Import the resulting hashes.txt file into SAMInside.
- Attention! Be VERY careful when changing the registry, because
wrong access rights can render Windows completely unusable.
Q7: When loading a SAM file (or SYSTEM file) the program reports a wrong format or a damaged file,
although the file was copied from the C:\WINDOWS\System32\Config directory. Why can't I load the file?
A: This happens when the file format is not recognized by SAMInside.
First of all look at the signature (the first 4 bytes of your file); it must be 'regf'.
If it is different, one of the following probably happened:
- You copied the file from an EFS disk (i.e. a disk with the Encrypting File System in use),
so your files are encrypted and look like a pseudo-random set of bytes that cannot be used to obtain the registry branches.
- Your files were copied from an NTFS disk by a program with bugs; this happens with
NTFSDos and some other programs that handle NTFS 5.0 and later incorrectly,
so use recent programs such as NTFSDos Pro to copy the files.
If your file has the correct signature (i.e. it really is a registry file) but the program still cannot import it,
please send us the file for analysis.
Q8: Both the "Using Scheduler" and "Using LSASS" methods work correctly on my
system. Why did you include both?
A: Specifically for the case when one of them does not work (possible
reasons for the Scheduler method failing are described above) or works
incorrectly, so that you have an alternative way to get the local hashes. So
if you have problems with one of them, use the other.
Q9: Your program recovered the password from the SAM file, but when I
try to log in with this password, the OS reports a wrong password!
What is going on?
A: In your case the following applies: your computer is connected to a network
that contains a domain server with the Active Directory service enabled.
User accounts are then stored on the domain server, not in the
SAM file. SAMInside can recover passwords only for local accounts stored
on the local machine. But if the user has ever logged in, the account of
this user is cached on the local computer (by default Windows 2000/XP
caches the 10 most recently logged-in users and their passwords). To get this data use the
program lsadump2.
- Brute-force attack and mask attack acceleration for LMHash and NTHash.
- Functionality improved.