Credentials from SYSTEM and SAM files | Windows 7 only

Tomas Savenas
2 min read, Feb 5, 2020

I will continue with forensics topics, but from a slightly different angle. In this write-up I will show a method for extracting password hash values from the SYSTEM and SAM files of a Windows 7 system. Combining these two files, we can extract a hash which is relatively easy to crack, because the hashing algorithm is weak compared to BitLocker [1].

I installed Windows 7 in VirtualBox and created a user with an eight-character, lowercase-only password. My next step is to turn off the Windows VM and detach its *.vdi disk image. That image then goes to the Kali VM as a secondary disk. VirtualBox settings below:

settings > storage > storage devices > controller: SATA

Attaching the Windows disk.

Turn on the Kali VM and log in with the user kali and password kali.

The next step is to list the disks in a terminal.

lsblk

The disk /dev/sdb has two partitions: the boot partition /dev/sdb1 and the NTFS partition /dev/sdb2.

We need to mount the larger one using the mount command and copy the necessary files into the home directory.

# mounting a block device needs root; use sudo when logged in as kali
sudo mkdir /mnt/windowsDisk
sudo mount /dev/sdb2 /mnt/windowsDisk
# the registry hives live under System32/config on the Windows partition
cd /mnt/windowsDisk/Windows/System32/config/
cp SYSTEM SAM ~/
# samdump2 needs the SYSTEM hive (boot key) to decrypt the hashes in SAM
cd && samdump2 SYSTEM SAM

Then extract the hash line of the user admin from these files [2].

samdump2 SYSTEM SAM | grep admin > ~/hash.txt

My mask repeats the placeholder ?l, which stands for a lowercase letter, eight times.

hashcat -m 1000 -a 3 ~/hash.txt "?l?l?l?l?l?l?l?l" --force --potfile-path bitlocker.pot
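To quantify why an eight-character lowercase password is within reach of a mask attack against an unsalted hash, and what a stricter password policy buys, here is an added example (not part of the original post) that computes the keyspace of hashcat-style masks. Charset sizes are hashcat's built-in placeholder sizes; the hash rate used in the demo is an assumed, illustrative figure.

```python
# Keyspace calculator for hashcat-style masks (added example, not from the post).
# Charset sizes follow hashcat's built-in placeholders; ?b is the 256 raw bytes.
CHARSETS = {
    "l": 26,   # ?l lowercase a-z
    "u": 26,   # ?u uppercase A-Z
    "d": 10,   # ?d digits 0-9
    "s": 33,   # ?s printable special characters
    "a": 95,   # ?a = ?l?u?d?s
    "b": 256,  # ?b all byte values
}


def mask_keyspace(mask: str) -> int:
    """Return the number of candidates a brute-force mask covers.

    Each ?x placeholder multiplies the keyspace by its charset size;
    any other character is a fixed literal and contributes a factor of 1.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            key = mask[i + 1]
            if key == "?":          # '??' is an escaped literal question mark
                i += 2
                continue
            if key not in CHARSETS:
                raise ValueError(f"unknown placeholder ?{key}")
            total *= CHARSETS[key]
            i += 2
        else:
            i += 1
    return total


def exhaust_seconds(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at the given (assumed) rate."""
    return mask_keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    # Assumed rate (illustrative only): tens of billions of unsalted hashes per
    # second is the order of magnitude a single modern GPU reaches for NTLM.
    RATE = 50e9
    for mask in ("?l?l?l?l?l?l?l?l", "?u?l?l?l?l?l?d?d",
                 "?a?a?a?a?a?a?a?a", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:28} {mask_keyspace(mask):>26,} candidates  "
              f"{exhaust_seconds(mask, RATE) / 3600:>14.2f} h worst case")
```

The eight-lowercase mask from the post covers 26^8 candidates, which is exhausted in under an hour at the assumed rate, while twelve ?a positions push the worst case to thousands of years.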

This method does not work on Windows 10, because the passwords are stored differently there [3].

References

[1] https://medium.com/@tomas_savenas/testing-bitlocker-security-1b90bd3f83d6
[2] http://nixware.net/crack-windows-sam-backup-filesystem
[3] https://superuser.com/questions/1178744/how-to-access-the-sam-file-in-windows-10


Tomas Savenas

Cyber security enthusiast; most active Lithuanian on the TryHackMe platform; Master's student in Innovation Management and Entrepreneurship @ KTU