Credentials from SYSTEM and SAM files | Windows 7 only
--
I will continue with forensics topics, but from a slightly different angle. In this write-up I showcase a methodology for extracting password hashes from the SYSTEM and SAM files of a Windows 7 system. Combining these two files lets us extract the hashes, which are relatively easy to crack because the hashing algorithm is weak compared with BitLocker [1].
I installed Windows 7 in VirtualBox and created a user with an eight-character, lowercase-only password. My next step is to shut down the Windows VM and detach its *.vdi disk image. That image is then attached to the Kali VM as a secondary disk. VirtualBox settings below:
settings > storage > storage devices > controller: SATA
Attaching the Windows disk.
Turn on the Kali VM and log in with the user kali and password kali.
The next step is to list the disks in a terminal.
lsblk
The disk /dev/sdb has two partitions: the boot partition /dev/sdb1 and the NTFS partition /dev/sdb2.
We need to mount the larger one using the mount command and copy the necessary files into the home directory. Mounting read-only (-o ro) keeps the evidence unchanged.
sudo mkdir /mnt/windowsDisk
sudo mount -o ro /dev/sdb2 /mnt/windowsDisk
cd /mnt/windowsDisk/Windows/System32/config/
cp SYSTEM SAM ~/
cd && samdump2 SYSTEM SAM
From the dump, extract the hash line for the user admin [2].
samdump2 SYSTEM SAM | grep admin > ~/hash.txt
My mask repeats the ?l placeholder eight times; ?l stands for one lowercase letter.
hashcat -m 1000 -a 3 ~/hash.txt "?l?l?l?l?l?l?l?l" --force --potfile-path bitlocker.pot
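As an added example that is not part of the original post: a small Python script that parses samdump2's pwdump-style output (user:rid:lmhash:nthash:::), flags accounts a defender would want to look at (blank password, or an LM hash still stored), and computes how many candidates the ?l×8 mask above covers. The dump lines and the non-empty hash values are constructed placeholders; only the empty-LM and empty-NT constants are the well-known real values.

```python
import re

# Well-known real constants: the LM field when LM storage is off, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in samdump2's pwdump format. The non-empty hashes are placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1001:fedcba9876543210fedcba9876543210:abcdef0123456789abcdef0123456789:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_dump(text):
    """Parse pwdump-style lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(records):
    """Return user -> findings that indicate a weak credential state."""
    findings = {}
    for r in records:
        issues = []
        if r["nt"] == EMPTY_NT:
            issues.append("blank password")   # NT hash of the empty string
        if r["lm"] != EMPTY_LM:
            issues.append("LM hash stored")   # LM storage should be disabled
        if issues:
            findings[r["user"]] = issues
    return findings


def mask_keyspace(mask):
    """Candidates a hashcat -a 3 mask covers (?l ?u ?d ?s ?a charsets only)."""
    sizes = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
    total = 1
    for tok in re.findall(r"\?([ludsa])", mask):
        total *= sizes[tok]
    return total


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(audit(recs))
    print(mask_keyspace("?l?l?l?l?l?l?l?l"))
```

The keyspace figure shows why an eight-character lowercase password is a poor choice against an unsalted NT hash: the whole mask is only 26^8 candidates.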
This method does not work on Windows 10, because passwords are stored differently there [3].
References
[1] https://medium.com/@tomas_savenas/testing-bitlocker-security-1b90bd3f83d6
[2] http://nixware.net/crack-windows-sam-backup-filesystem
[3] https://superuser.com/questions/1178744/how-to-access-the-sam-file-in-windows-10