SAMInside

Important! This program may be used only to recover your own forgotten passwords!

The SAMInside program has the following features:

SAMInside is the first program in the world that breaks the Syskey protection!

SAMInside performs brute-force attacks several times faster than comparable programs because its code is written in Assembler and thoroughly optimized for modern processors.

Brute-force attack speed of SAMInside on different processors:

Processor                        Speed on LMHash               Speed on NTHash
Intel Pentium-III 1000 MHz       ~3.2 million passwords/sec    ~3.3 million passwords/sec
AMD AthlonXP 1700+ (1466 MHz)    ~5.7 million passwords/sec    ~5.1 million passwords/sec
Intel Pentium-4 2500 MHz         ~3.7 million passwords/sec    ~5.4 million passwords/sec

When attacking the NTHash of a single user, the brute-force speed increases by a further 60-100%; on the AthlonXP 1700+, for example, it reaches 10 million passwords per second.

Another feature is the most correct extraction of user names and passwords from Windows NT/2000/XP/2003 SAM-files in the national encoding.

The program runs under Windows (from Windows 95 to Windows 2003) and requires any x86 processor above the Intel Pentium (or AMD K6-II) with MMX support.

Program features

Menu "File":

"Import SAM-file..." (Ctrl+O) - open and load a SAM-file into the program. If the file was taken from a Windows NT/2000/XP/2003 system and is encrypted with SYSKEY (the encryption is mandatory on Windows 2000/XP/2003), the program will additionally ask you to open the SYSTEM-file, which is located in the same directory as the SAM-file: %SystemRoot%\System32\Config. Copies of these files may also be found in the %SystemRoot%\Repair and %SystemRoot%\Repair\RegBack directories.

"Import PWDUMP-file..." - open and load a text file with hashes in PWDUMP format into the program. The usual format of a line in these files is: User_name:RID:LMHash:NTHash:Account_description::
for example: BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
The same format is used by other programs, for example LC4.
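An added example (not part of SAMInside) that parses lines in the PWDUMP format described above and lists the accounts that still carry a real LM hash, i.e. the accounts to which the LM attacks in this document apply at all. The sample lines are constructed: the first is the help's own example, the second uses made-up values, and the empty-password LM hash used to recognise "no LM hash stored" is a well-known Windows constant, not a value from this page.

```python
"""Parse PWDUMP-format lines and flag accounts that still store an LM hash."""
import re
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
# LM hash of the empty password; Windows stores this when LM hashing is disabled.
# Well-known constant, not taken from the SAMInside help.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample: line 1 is the help's example, line 2 uses made-up values,
# line 3 is deliberately malformed to show how invalid input is rejected.
SAMPLE_PWDUMP = """\
BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::
svc_backup:1011:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:Backup service::
broken line without enough fields
"""


@dataclass
class Account:
    user: str
    rid: int
    lm_hash: str  # lower-case hex
    nt_hash: str  # lower-case hex
    description: str


def parse_pwdump_line(line):
    """Return an Account, or None if the line is not a valid PWDUMP record."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        return None
    user, rid, lm, nt = fields[:4]
    description = fields[4] if len(fields) > 4 else ""
    if not user or not rid.isdigit():
        return None
    if not (HEX32.match(lm) and HEX32.match(nt)):
        return None
    return Account(user, int(rid), lm.lower(), nt.lower(), description)


def parse_pwdump(text):
    """Parse all valid records in a PWDUMP text, skipping malformed lines."""
    return [acc for acc in map(parse_pwdump_line, text.splitlines()) if acc]


def lm_exposed(accounts):
    """Users whose stored LM hash is a real one (not the empty-password hash)."""
    return [a.user for a in accounts if a.lm_hash != EMPTY_LM]


if __name__ == "__main__":
    print(lm_exposed(parse_pwdump(SAMPLE_PWDUMP)))  # ['BillG']
```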

"Import local machine SAM" - import hashes from the SAM-file of the local machine. To use the operations in this menu, log in to the system as Administrator.

"Using LSASS" - import local hashes by connecting to the LSASS process.

"Using Scheduler" - import local hashes using the system Scheduler service, which runs with the rights of the SYSTEM user.

"Export to PWDUMP-file..." (Ctrl+S) - export data in PWDUMP format (described above). Such a file can easily be loaded into any password recovery program.

Menu "Edit":

"Mark all users" (Alt+M) - mark all users. Only users whose passwords have not yet been found can be marked.

"Unmark all users" (Alt+U) - unmark all users.

"Delete all users" (F12) - delete all imported users.

Menu "Tools":

"Check password" (F2) - check a password against all imported users. Enter the password in the "Password:" field and choose this menu item (or press F2). The program will then check this password for all users whose passwords have not yet been found, so you do not need to mark users to check a password.

"Generate LMHash and NTHash..." (F3) - generate the LMHash and NTHash of a known password. Enter the password in the "Password:" field and choose this menu item (or press F3). The LMHash and NTHash matching the password will be shown in a dialog.

"Hidden mode" (Ctrl+Alt+H) - hidden mode of operation. With this option chosen, the program disappears from the screen and the taskbar. To return to visible mode, press the same key combination.

"Language" - choose the interface language. This menu lists all language files found in the program's working directory.

Menu "Search":

"Brute-force attack":

"Start(Stop) on LM Hashes" (F5) - start/stop a brute-force attack on LM hashes. To start the attack, mark the users whose passwords are to be recovered and press F5.

"Start(Stop) on NT Hashes" (F6) - start/stop a brute-force attack on NT hashes. To start the attack, mark the users whose passwords are to be recovered and press F6.

"Options..." - brute-force attack settings: choose the character sets for the attack and set the minimum and maximum password length.

"Mask attack" (this menu is unavailable in the Demo version):

"Start(Stop) on LM Hashes" (F7) - start/stop a mask attack on LM hashes. To start the attack, mark the users whose passwords are to be recovered and press F7.

"Start(Stop) on NT Hashes" (F8) - start/stop a mask attack on NT hashes. To start the attack, mark the users whose passwords are to be recovered and press F8.

"Options..." - mask attack settings: shape the mask for the passwords being recovered and set the maximum length of the password to recover. A mask works as follows: if you do not know the N-th character of the password, set the N-th mask flag and enter the mask for that character in the corresponding text field. The program uses the following masks:
        ? - Any printable symbol (symbols codes: 32...255).
        A - Any Latin capital (A...Z).
        a - Any Latin small (a...z).
        S - Any special symbol (!@#...).
        N - Any digit (0...9).
        X - Any symbol from the user's character set.
If you already know one of the characters of the password, type it into the N-th field and remove the mask flag.

"Dictionary attack":

"Start...(Stop)" (F9) - start/stop a dictionary attack. Choose the text file of the dictionary, and the program will check every password from the dictionary file against all users whose passwords have not yet been found.

Additional information:

Program limitations:

Demo-version limits:
  1. Only capital Latin letters can be used when searching for the password (no digits, national letters, etc.).
  2. Mask attack is unavailable.

FAQ

Q1: What are SAM-files, what are they for and where are they located?
A: The so-called SAM-file is a file simply named "sam". It is actually the registry branch "HKEY_LOCAL_MACHINE\SAM" of Windows NT/2000/XP/2003 in binary form. The SAM-file is located in the C:\WINNT\System32\Config\ directory and contains the accounts (logins and passwords) of the current machine.

Q2: I pointed the program at my own SAM-file in the C:\WINNT\System32\Config\ directory, but SAMInside can't read it. Why?
A: This directory contains the Windows registry fragments (sam, system, software and other files without an extension), and the operating system lets no one access them, even read-only. To get at these files, do one of the following:

  1. Run SAMInside under the Administrator account and import the local SAM-file using either the Scheduler or the LSASS method.
  2. Under the Administrator account, run the "Backup wizard" and create a repair disk ("Emergency Repair Disk"). Current copies of the SAM/SYSTEM-files will then be in C:\WINNT\Repair\, from where you can take them and import them into SAMInside.
  3. If your boot disk uses a file system other than NTFS, create a boot floppy under Windows 98, boot from it and copy the SAM/SYSTEM-files to another folder or to the floppy. Then start your OS and import these files into SAMInside.
  4. If your boot disk uses NTFS, create a boot floppy with NTFSDos Pro, boot from it, mount the NTFS partition you need and copy the SAM/SYSTEM-files to another folder or to the floppy.
  5. Since the SYSTEM-file is usually several MB in size, compress it (if you copy it to a floppy) with any DOS archiver, for example HA.
Q3: What's the difference between LM- and NT-passwords? Using your program I found the LM-password "ADMIN" and the NT-password "Admin". Which one should I use to log in?
A: You can read more about how these passwords are formed and how they differ in this article, in the chapter "Password storage in Windows 2000/XP". In short, Windows sees no difference and you can log in with any of the passwords "ADMIN", "Admin", "aDmIn" or "admin": if LM hash generation is enabled in the system, password checking uses LM hashes, for which every password is converted to upper case, so all of the passwords above produce the same LM hash.
Otherwise, if LM hash generation is off, log in with the case-sensitive NT-password.

Q4: My password contains 8 (9, 10...) symbols, but when I try to enter an initial password length longer than 7 symbols, either the LM brute-force attack does not start or the program reports the end of the search once it has finished the 7-symbol passwords. Why? My password is longer.
A: A little about how Windows forms the LMHash. The system takes the password, converts it to upper case, cuts it to 14 symbols, then splits it in half and encrypts each half separately. So when searching for a password (for example "123456789"), the program finds its parts separately: first the shorter one, "89", and then "1234567". That is why the initial password length is limited to 7 symbols.
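An added example (not code from SAMInside) that estimates the keyspace of a mask written with the letters from the "Mask attack" options above and the worst-case time to exhaust it at the speeds from the table, and applies the LM rule from this answer (upper-case, cut to 14, two independent 7-character halves) to show why LM recovery of a long password is so much cheaper than NT recovery. The help gives no sizes for the 'S' and 'X' masks; the values used for them are assumptions.

```python
"""Keyspace and time estimate for a SAMInside-style mask, for NT and LM hashes."""

MASK_SIZES = {
    "?": 256 - 32,  # any printable symbol, codes 32..255 (from the help)
    "A": 26,        # any Latin capital
    "a": 26,        # any Latin small letter
    "N": 10,        # any digit
    "S": 33,        # assumption: ASCII printable non-alphanumerics, incl. space
    "X": 36,        # assumption: a user set of A-Z plus 0-9
}

# Speeds from the help's table (passwords/sec) for the AMD AthlonXP 1700+.
LM_RATE = 5_700_000
NT_RATE = 5_100_000


def mask_keyspace(mask, known="", sizes=MASK_SIZES):
    """Number of candidates for `mask`. `known` has the same length as the mask;
    a non-space character there fixes that position (mask flag removed)."""
    total = 1
    for i, letter in enumerate(mask):
        if i < len(known) and known[i] != " ":
            continue  # position already known: exactly one choice
        if letter not in sizes:
            raise ValueError(f"unknown mask letter {letter!r}")
        total *= sizes[letter]
    return total


def lm_keyspace(mask):
    """LM upper-cases the password, cuts it to 14 characters and hashes the two
    7-character halves independently, so they are recovered one after the other:
    the cost is the SUM of the halves, and a lower-case 'a' collapses into 'A'."""
    lm_mask = mask.upper()[:14]
    return sum(mask_keyspace(half) for half in (lm_mask[:7], lm_mask[7:]) if half)


def hours(keyspace, rate):
    """Worst-case time to exhaust `keyspace` at `rate` passwords per second."""
    return keyspace / rate / 3600


if __name__ == "__main__":
    mask = "Aaaaaaaa"  # one capital followed by seven small letters
    print(f"NT: {mask_keyspace(mask):,} candidates, {hours(mask_keyspace(mask), NT_RATE):.1f} h")
    print(f"LM: {lm_keyspace(mask):,} candidates, {hours(lm_keyspace(mask), LM_RATE):.2f} h")
```

For the 8-character mask in the example the NT search is 26^8 candidates (about 11 hours at the table's rate), while the LM search is only 26^7 + 26 candidates (under half an hour), which is the practical consequence of the 7-symbol limit explained in this answer.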

Q5: I have a short NT-password (no LM-password) made of Latin letters, but the program can't recover it. Why? (Note: the password is composed of capital letters.)
A: Windows always converts the LM-password to upper case, so encrypting "Admin", "ADMIN" and "aDmIn" gives the same LMHash; you can check this with the hash generator. The NT-password, however, is case-sensitive, so the passwords listed have different NTHashes. Therefore, when recovering an NT-password you must use character sets containing both capital and small letters!

Q6: When importing the local SAM-file ("Using Scheduler"), the program displays the message "Can't open temporary file!". Why?
A: This method obtains the contents of the HKEY_LOCAL_MACHINE\SAM\SAM registry branch using the system Scheduler service, which by default has the rights of the SYSTEM user. However, on some computers this branch may be closed even to the SYSTEM user, by tweaking utilities or manually. To get the local hashes you can also use another method: choose "Using LSASS", or use the external utility PWDUMP, or programs such as LC4/LC+4. Or follow the instructions below:

Q7: When loading a SAM-file (or SYSTEM-file), the program reports a wrong format or a damaged file, although the file was copied from the C:\WINDOWS\System32\Config directory. Why can't I load the file into the program?
A: This can happen if the file format is not familiar to SAMInside. First of all, look at the signature (the first 4 bytes of your file); it should be 'regf'. If it is different, you probably had one of the following situations:
    - you copied the file from an EFS disk (i.e. a disk with the Encrypting File System enabled), so your files are encrypted and look like a pseudo-random set of bytes that cannot be used to obtain the registry branches;
    - your files were copied from an NTFS disk with a buggy program; this happens with NTFSDos and some others that work incorrectly with NTFS 5.0 and later, so copy files with recent programs such as NTFSDos Pro.
If your file has the right signature (i.e. it is actually a registry file) but the program still can't import it, please send us the file for analysis.

Q8: Both the "Using Scheduler" and "Using LSASS" methods work correctly on my system. Why did you need to include both?
A: This is for the case when one of them does not work (possible reasons for the Scheduler method failing are described above) or works incorrectly, so that you have an alternative way to get the local hashes. If you have problems with one of them, use the other.

Q9: Your program recovered a password from the SAM-file, but when I try to log in with it, the OS reports a wrong password! What's the matter?
A: In your case the following applies: your computer is connected to a network with a domain server running the Active Directory service. User accounts are then stored on the domain server, not in the SAM-file. SAMInside can recover passwords only for local accounts stored on the local machine. But if the user has ever logged in, that user's account is cached on the local computer (by default Windows 2000/XP caches the 10 most recently logged-in users and their passwords). To get this data, use the program lsadump2.

In the next versions