Using bkhive and samdump2
ls bkhive system /root/hive.txt samdump2 SAM /root/hive.txt > /root/hash.txt
- ls the contents of the /WINDOWS/system32/config directory.
- bkhive dumps the syskey bootkey from Windows NT/2k/XP/Vista system hive.
- samdump2 dumps the Windows NT/2k/XP/Vista password hashes.
View Hash Contents
cd /root ls -l *.txt file *.txt cat hash.txt
- Change directory into /root, because that is where we put our hive and hash files.
- List out the files using a wildcard (*).
- Determine the file type of the hash and hive files, where the hash file is (ASCII) and the hive file is (Compressed Binary).
- View the contents of the hash file
SOURCE: http://www.computersecuritystudent.com/SECURITY_TOOLS/PASSWORD_CRACKING/lesson2/