samdump2
samdump2 dumps Windows 2k/NT/XP password hashes from a SAM file using the syskey bootkey from the system hive. It also provides functionality to recover the syskey bootkey from a Windows NT/2K/XP system hive.
Description
samdump2 is designed to extract password hashes from Windows SAM databases protected by syskey encryption. Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM file. This tool retrieves the syskey bootkey from the system hive and uses it to decrypt and dump the hashes from the SAM file.
Use cases include forensic analysis of Windows systems where access to plaintext passwords is not possible, but cracking the extracted hashes is feasible with other tools. It supports Windows 2k/NT/XP/Vista SAM files, making it valuable for incident response and penetration testing scenarios involving compromised Windows machines.
The package also incorporates bkhive functionality for syskey recovery, providing a complete workflow for hash extraction in offline environments.
How It Works
samdump2 first extracts the syskey bootkey from the Windows system hive file, which contains the encryption key used by syskey to protect SAM database hashes. It then applies this bootkey to decrypt the password hashes stored in the provided SAM file. The process targets the specific encryption scheme in Windows NT/2K/XP/Vista, enabling retrieval of LM and NTLM hashes for subsequent cracking.
Installation
sudo apt install samdump2
Flags
Examples
samdump2 -h
samdump2 SYSTEM SAM
samdump2 -d SYSTEM SAM
samdump2 -o output.txt SYSTEM SAM
samdump2 -d -o hashes.txt SYSTEM SAM
samdump2 /mnt/windows/SYSTEM /mnt/windows/SAM
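Once the hashes have been dumped, the forensic question is usually what they reveal about credential hygiene on the imaged machine: accounts with an empty password, accounts that still have an LM hash stored (LM hashing should be disabled on any modern system), and accounts that share the same password. The script below is an added example, not part of samdump2; it assumes the pwdump-style one-line-per-account output format (user:rid:lmhash:nthash:::) and all sample lines are constructed, not taken from a real dump.

```python
"""Audit pwdump-style hash lines (the format samdump2 writes) for weak storage.

Added example, not part of samdump2. Assumes one account per line in the form
user:rid:lmhash:nthash:::  The SAMPLE block below is constructed test data.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Hashes of the empty string: public, well-known constants. An account whose LM
# field equals EMPTY_LM simply has no LM hash stored, which is the healthy case.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Account]:
    """Parse pwdump-style lines; blank lines and '#' comments are skipped."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed line: {line!r}")
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
        accounts.append(Account(user, rid, lm, nt))
    return accounts


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return user -> list of issue tags (empty list means nothing flagged)."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if a.lm != EMPTY_LM:
            # LM storage still enabled for this account: trivially crackable.
            issues.append("lm-hash-present")
        if a.nt == EMPTY_NT:
            issues.append("empty-password")
        report[a.user] = issues
    return report


def shared_passwords(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group accounts that share a non-empty NT hash, i.e. reuse one password."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if a.nt != EMPTY_NT:
            by_hash[a.nt].append(a.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample dump: RIDs and hash values are illustrative only.
SAMPLE = """
# user:rid:lmhash:nthash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
"""

if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE)
    for user, issues in audit(accts).items():
        print(f"{user:15} {', '.join(issues) or 'ok'}")
    for users in shared_passwords(accts).values():
        print(f"same password reused by: {', '.join(users)}")
```

Feed it the file written by -o (or the tool's stdout) and it reports per-account findings plus any password-reuse groups; the groups are the ones worth raising first during incident response, since one cracked hash then opens every account in the group.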