Attention! This program can be used only for recovering your
own forgotten passwords!
SAMInside performs the following functions:
- Extracting user information from SAM files of Windows NT/2000/XP.
- Brute-force attack on user passwords from SAM files of Windows NT.
- Brute-force attack on user passwords from SAM files of Windows 2000/XP
  that are encrypted with the Syskey system key!
SAMInside is the first program in the world that breaks Syskey protection!
The new version (2.1) of the program additionally includes the following abilities:
- Recovering passwords not only from the LMHash, but also from the NTHash.
- Working with the SAM file that the system is using at the moment.
- Importing hashes stored in text files produced by other programs (L0phtCrack, pwdump and so on).
- Generating the LMHash/NTHash from an entered password.
- Checking an entered password against all users.
- Recovering passwords using a dictionary.
- Found passwords are now displayed in the correct case.
- More comfortable handling of user hashes.
The program code was also greatly optimized, and the executable file
is now only 24 kB in size!
SAMInside performs the brute-force attack more than 2 times
faster than comparable programs. This is because the program is written in assembly language,
the code is optimized for modern processors, and some clever tricks are used
in the implementation of the brute-force algorithm, which made it possible to increase the brute-forcing speed.
For example, when brute-forcing passwords from the LMHash on a computer with an Intel Pentium III-1000 processor,
the program shows a speed of about 3 million passwords/sec, and from the NTHash about 4.4 million passwords/sec.
On an AMD AthlonXP 1700+ processor the brute-forcing speed for the LMHash is about 5.4 million passwords/sec,
and for the NTHash about 3.9 million passwords/sec.
The program runs under all versions of Windows (from Win'95 to XP) and
requires any x86 processor not older than a Pentium (or AMD K6-II),
necessarily with MMX support.
The program implements a unique mode of brute-forcing all users imported into the program
at the same time, which increases the speed
by a further hundreds of percent compared to comparable programs.
Another great difference from comparable programs is that it more
correctly "extracts" the usernames and user hashes from SAM files of Windows 2000/XP,
including those in national codepages.
The new version can import LMHash/NTHash values for recovery
from different sources (SAM files, text files from other
programs (L0phtCrack, pwdump and so on), the SAM file used by the running system, etc.),
which makes brute-forcing quicker and more efficient.
For example, if you have
10 different SAM files and each of them contains only one account, then, if you open every file separately,
you will get a speed of 3 million on an Intel Pentium III-1000 for every account.
If you import ALL the SAM files
into the program together, you will find all the passwords at the same speed!
So you will spend 10 times less time recovering all the passwords!
Working with the program:
Choose the source SAM file through the "Import SAM" menu.
The list of users with hashes read from the file will then appear.
If the SAM file comes from Windows NT/2000/XP and is encrypted by SYSKEY (on
W2K/XP systems this encryption is on by default),
the program asks you to open the SYSTEM file, which is located in
the same Windows directory as the SAM file.
Then set the checkboxes next to the users whose passwords you want to find,
and press the button in the "Search" menu for LM password recovery (key F5) or NT password recovery (key F6).
To stop the brute-forcing, press the corresponding "Stop" button.
If the brute-forcing was not stopped when the program exited, then at the next start
the program will automatically continue brute-forcing from the last password.
The lower part of the program window contains three text fields:
- The field for entering the starting password (or displaying the password currently being tried).
- The field for entering the alphabet for brute-forcing (disabled in the Demo version!).
- The field for showing the current brute-forcing speed.
While working, the program displays the brute-forcing speed in the form
N * X p/s, where N is the number of passwords being brute-forced at the same time and
X is the brute-forcing speed for one password.
For example, if you run the brute-force attack on 10 users at once and you have a
Pentium 1000 MHz processor, you will get the following result: 10 x 3000000 p/s.
That is a total speed of 30 million passwords per second!
The program limits the password length to 14
symbols for LMHash recovery (because that is the limit of the algorithms used in SAM files)
and for NTHash recovery.
While working, the program creates the file SAMInside.INI, where it saves
all necessary information, including the last tried password.
To erase all hashes added to the program, press the "Clear all" button (F12).
Additional functions of the program:
Reading user hashes from the SAM file of the current computer.
To perform this operation, start the program as a
user with Administrator rights and choose "Import local machine SAM" from the menu.
Loading hashes obtained with other programs.
For that, open the "Import TXT" menu and choose the text file
produced by another program, such as L0phtCrack,
pwdump and so on.
Generating the LMHash/NTHash from an entered password (run with F3).
Enter a password (maximum 128 symbols) in the dialog window to get
the LMHash and NTHash that correspond to this password.
Checking an entered password against all users loaded into the program (run with F2).
Enter a password (maximum 14 symbols) in the dialog window;
the program then checks this password against ALL users,
so you do not need to set the checkboxes for this!
Recovering passwords using a dictionary.
For this, simply open the dictionary file using the menu.
Limits of the Demo version:
You cannot use any alphabet for brute-forcing other than Latin letters (digits, special symbols and so on are unavailable).
You also cannot use a dictionary. Thus the Demo version has about 95% of the program's functionality!
FAQ:
Q: What are SAM files, what are they needed for, and where can I get them?
A: The SAM file is the file named sam. It is the "HKEY_LOCAL_MACHINE\SAM" branch
of the Windows NT/2000/XP registry in binary form. The SAM file is located
in the directory C:\WINNT\System32\Config\ and stores the accounts
(logins/passwords) of the users of this computer.
Q: I try to open my SAM file, located in the directory C:\WINNT\System32\Config\,
but SAMInside can't read it. Why?
A: This is because the files in this directory (sam, system, software and others
without extensions) are fragments of the Windows registry, and by default the OS gives nobody
access to them, not even for reading. To copy these files, you may boot into another OS or boot from a diskette.
The ability to access the current SAM file without copying it was added in version 2.1 of the program;
for this, choose "Import local machine SAM" from the menu. You must have Administrator rights.
If you wish to test the program, you can use the sam and
system files from the directories C:\WINNT\Repair\ and C:\WINNT\Repair\RegBack\.
Q: My password is 8 (9, 10...) symbols long, but if I try to set a starting password
longer than 7 symbols, LM recovery doesn't start, or the program finishes trying
all 7-symbol passwords and reports that recovery has ended. Why, when my password is longer?
A: Let's look at how Windows forms the LMHash. The system takes the password,
converts it to upper case, truncates it to 14 symbols,
then divides it into 2 halves of 7 symbols each and encrypts them separately.
Therefore, while searching for a password (for example, "123456789") the program finds
it by halves: first "89" (because it is shorter), then "1234567".
That is why the length of the starting password is limited to 7 symbols.
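The split into independently hashed halves described in this answer can be audited from the defender's side. The following is an added example, not part of SAMInside or its documentation: it reads hash lines in the pwdump text layout (user:rid:lmhash:nthash:::) and reports accounts that still store an LM hash, accounts whose empty second half shows a password of at most 7 symbols, and accounts sharing one NT hash. The sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

EMPTY_LM_HALF = "aad3b435b51404ee"   # LM value of an empty 7-character half
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in the pwdump text layout user:rid:lmhash:nthash:::
SAMPLE = """\
alice:1001:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
bob:1002:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:a0b1c2d3e4f5061728394a5b6c7d8e9f:::
dave:1004:NO PASSWORD*********************:a0b1c2d3e4f5061728394a5b6c7d8e9f:::
"""

def parse(text):
    """Yield (user, lm, nt) from pwdump-style lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0]:
            yield parts[0], parts[2].lower(), parts[3].lower()

def audit(text):
    """Return a sorted list of (finding, users) tuples."""
    findings, by_nt = [], defaultdict(list)
    for user, lm, nt in parse(text):
        # A real LM hash is 32 hex digits and not two empty halves.
        if HEX32.fullmatch(lm) and lm != EMPTY_LM_HALF * 2:
            findings.append(("LM_STORED", user))
            # Halves are hashed independently, so an empty second half
            # shows that the password has at most 7 characters.
            if lm[16:] == EMPTY_LM_HALF:
                findings.append(("LM_MAX_7_CHARS", user))
        if HEX32.fullmatch(nt):
            by_nt[nt].append(user)
    # No salt is used, so equal hashes mean equal passwords.
    for users in by_nt.values():
        if len(users) > 1:
            findings.append(("NT_HASH_SHARED", ",".join(sorted(users))))
    return sorted(findings)

if __name__ == "__main__":
    for finding, who in audit(SAMPLE):
        print(f"{finding:15} {who}")
```

Accounts reported as LM_STORED keep the weaker hash until LM hash storage is disabled (the NoLMHash policy) and the password is changed.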
Q: I have a short NT password (the LM password is absent) consisting of Latin symbols, but
the program doesn't find it. Why? (Note: the alphabet consists of UPPER case symbols.)
A: This is because Windows always converts the LM password to upper case
(i.e. the different passwords "Admin", "ADMIN" and "aDmIn" all produce one LMHash;
you may test this using the function of the program that generates hashes),
but the NT password is case-sensitive, and all the passwords shown above will have different
NTHash values. Therefore, when recovering an NT password you must use alphabets
that contain both upper and lower case symbols!