Hi there! Welcome to OpenSeSAM. This is a forensic tool written in Go, designed to help you explore the Windows Security Account Manager (SAM) database.
Here is what it helps you do:
- Extract NTLM and LM password hashes directly from a registry export.
- Create password-reset packets that modify user settings when imported back into the registry.
Windows stores user password hashes inside the Registry hive at HKEY_LOCAL_MACHINE\SAM. You can't just read them because they are encrypted with a system-specific key called the Boot Key (also known as SysKey).
OpenSeSAM handles the decryption process for you by:
- Reading a text-based .reg export of the SAM hive.
- Reconstructing the Boot Key from hidden parts in the System hive.
- Decrypting the AES-encrypted user data.
- Unlocking the NTLM hashes using the user's unique RID (Relative ID).
To get to the hashes, we have to peel back a few layers of encryption.
1. The Hidden "Boot Key" Parts
Windows hides the master key inside the Class Names of four specific registry keys. Most tools ignore Class Names because they are usually just metadata, but here they carry the key material.
These keys are located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
- JD
- Skew1
- GBG
- Data
Each key's Class Name contains 8 characters of hex code (4 bytes). When we combine them, we get a 16-byte scrambled key.
That 16-byte key isn't quite ready yet. It is scrambled, so we have to rearrange it using this specific pattern:
Input Indices: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
Output Indices: [ 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
And there we go! Now we have the LSA Key.
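As an added illustration of the two steps above (example code, not OpenSeSAM's own source): the four class-name strings are hex-decoded, concatenated in the order JD, Skew1, GBG, Data, and the 16 bytes are rearranged with the permutation just listed. The sample class names in main are constructed, not taken from a real system.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// bootKeyPermutation is the fixed reordering applied to the 16 scrambled bytes.
// Output byte i is taken from scrambled byte bootKeyPermutation[i].
var bootKeyPermutation = [16]int{8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7}

// ReconstructLSAKey takes the Class Names of JD, Skew1, GBG and Data (8 hex
// characters = 4 bytes each), concatenates them and applies the permutation.
// It rejects input that is not hex or not exactly 4 bytes per part.
func ReconstructLSAKey(jd, skew1, gbg, data string) ([]byte, error) {
	scrambled := make([]byte, 0, 16)
	for _, part := range []string{jd, skew1, gbg, data} {
		b, err := hex.DecodeString(strings.TrimSpace(part))
		if err != nil {
			return nil, fmt.Errorf("class name %q is not valid hex: %w", part, err)
		}
		if len(b) != 4 {
			return nil, fmt.Errorf("class name %q decodes to %d bytes, want 4", part, len(b))
		}
		scrambled = append(scrambled, b...)
	}
	key := make([]byte, 16)
	for i, src := range bootKeyPermutation {
		key[i] = scrambled[src]
	}
	return key, nil
}

func main() {
	// Constructed sample class names: bytes 0x00..0x0f in order, so the
	// output shows the permutation directly.
	key, err := ReconstructLSAKey("00010203", "04050607", "08090a0b", "0c0d0e0f")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("LSA Key: %x\n", key)
}
```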
Inside the SAM hive (SAM\Domains\Account), there is a value named F. This binary blob holds the actual AES-256 encrypted Boot Key.
We use the LSA Key from the previous step to unlock F. This finally gives us the System Boot Key.
Finally, each user's hash is encrypted with:
- The System Boot Key.
- The user's RID (Relative ID).
OpenSeSAM does the math to derive the RID-specific DES keys and unlocks the final NTLM hash. Simple as that!
Since standard .reg exports don't include "Class Names," you need to use a little trick in Regedit to see them.
- Open regedit.exe.
- Go to HKEY_LOCAL_MACHINE\SAM\SAM.
- Right-click SAM -> Export.
- Save it as sam.reg (make sure you select the "Text" format, not the Binary one!).
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
- You will see JD, Skew1, GBG, and Data.
- Right-click on JD.
- It might sound strange, but the easiest way to see the Class Name is to PRINT the key.
- Select JD.
- Press Ctrl + P (Print).
- Choose "Microsoft Print to PDF".
- Save the file.
- Open the PDF and look for "Class Name". It will be a hex string (like 37557b3a).
- Repeat this for Skew1, GBG, and Data.
```bash
# Clone the repository
git clone https://github.com/rokybeast/opensesam.git
cd opensesam
# Build the reader
go build -o samreader ./cmd/samreader
# Build the reset generator
go build -o resetgen ./cmd/resetgen
```
Run the tool with your .reg file and the four hex strings you found in the PDFs:
```bash
./samreader \
  --reg sam.reg \
  --jd <JD_HEX> \
  --skew1 <SKEW1_HEX> \
  --gbg <GBG_HEX> \
  --data <DATA_HEX>
```
What the output looks like:
```text
Registry parsed.
Domain Creation Time: 2023-10-27 10:00:00 +0000 UTC
LSA Key: 1a2b3c...
Boot Key: 9f8e7d...
User: Administrator (RID: 500)
NT Hash: 8846f7eaee8fb117ad06bdd830b7586c
LM Hash: None
—————————————————————————————————————
User: Guest (RID: 501)
NT Hash: None
LM Hash: None
—————————————————————————————————————
```
Use this tool if you want to clear the security questions for a user.
```bash
./resetgen
```
- Enter the Target RID (like 1F4 for decimal 500).
- It will generate a file called reset.reg.
- Import reset.reg on the target machine, and it will overwrite the ResetData.
Please use this responsibly! This tool is for educational purposes, forensic analysis, and authorized auditing ONLY. If you use this on systems you don't own, you are on your own. I ain’t responsible for stuff twin! ✌️