Credentials from SYSTEM and SAM files | Windows 7 only

Tomas Savenas
2 min readFeb 5, 2020


I will continue on forensics topics, but slightly different. In this write-up, I will showcase a methodology of extracting hash value from SYSTEM and SAM files in Window 7 system. These files combined we can extract hash which is relatively easy to crack because a hashing algorithm is weak comparing to BitLocker [1]

I installed Windows 7 on Virtualbox, created a user with 8 characters and lowercase password. My next step is to turn off the Windows VM and detach an image *.vdi. The particular image goes to Kali VM as a secondary. Virtualbox settings below:

settings > storage > storage devices > controller: SATA

Attaching windows disk.

Turn on the Kali VM, login with credentials user kali and password kali .

Next step to check the list of disks in terminal.


The Disk /dev/sdb has two partitions boot /dev/sdb1 and NTFS /dev/sdb2.

We need to mount the largest one. using mount command and copy necessary files into home directory.

mkdir /mnt/windowsDisk 
mount /dev/sdb2 /mnt/windowsDisk
cd /mnt/windowsDisk/Windows/System32/config/
cd && samdump2 SYSTEM SAM

And from these files extract hash pattern of user admin [2].

samdump2  SYSTEM SAM | grep admin > ~/hash.txt

My mask is setup eight times used variable ?l which identifing lowercase letter.

hashcat -m 1000 -a 3 ~/hash.txt "?l?l?l?l?l?l?l?l" --force --potfile-path bitlocker.pot

This method doesn’t work on Windows 10. Because different passwords are organized [3].





Tomas Savenas

Kibernetinio saugumo entuziastas; Aktyviausias Lietuvis TryHackMe platformoje; Inovacijų valdymo ir Antreprenerystės Magistrantas @ KTU