Forem: Md. Ibrahim Reza Rabbi

How to Crack the SAM Database in Kali Linux | Windows Password Hash Extraction Guide

Md. Ibrahim Reza Rabbi — Sun, 19 Apr 2026 17:23:10 +0000

In this guide, I will show you an approach to crack the Windows SAM database NTLM hashes. Before cracking, you first need to obtain these three files from the target system: SAM, SYSTEM, and SECURITY. I had a .ova file of a Windows virtual machine, so I will demonstrate how to extract them from that image. First, you need to dump the target system’s image. If it is a VM or virtual disk image, then this method of extracting those three files will be useful for you.

Convert the .ova file into a .rar file and then extract that . And we got this →

I loaded the “Windows-disk001.vmdk” file as an image in Magnet AXIOM. You can also use Autopsy or FTK Imager for this task. When the processing was complete, we went to the →

Directory → “ windows/system32/config “

Exported SAM , SYSTEM & SECURITY file and paste that in kali linux .

┌──(kali㉿kali)-[~/Windows_dump]
└─$ sudo apt install python3-impacket                                     
python3-impacket is already the newest version (0.12.0+gite61ff5d-0kali1).
Summary:
  Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 235                                                                                                              
┌──(kali㉿kali)-[~/Windows_dump]
└─$ python3 -m impacket.examples.secretsdump -sam SAM -system SYSTEM LOCAL

┌──(kali㉿kali)-[~/Windows_dump]
└─$ samdump2 SYSTEM SAM > hashes.txt                                                                                                                                  
┌──(kali㉿kali)-[~/Windows_dump]
└─$ cat hashes.txt 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1009:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1011:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1012:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1013:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1014:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1015:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1016:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1017:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1018:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
support_admin:1020:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                           
┌──(kali㉿kali)-[~/Windows_dump]
└─$ ls
hashes.txt  SAM  SECURITY  SYSTEM

┌──(kali㉿kali)-[~/Windows_dump]
└─$

After that the hash will be cracked if that password is present in the "rockyou.txt" wordlist
If you want more powerful one →

┌──(kali㉿kali)-[~/Windows_dump]
└─$ creddump7 
creddump7 - Python tool to extract credentials and secrets from Windows registry hives
/usr/share/creddump7
├── cachedump.py
├── framework
├── lsadump.py
├── pwdump.py
└── __pycache__
┌──(kali㉿kali)-[/usr/share/creddump7]
└─$ ls
cachedump.py  framework  lsadump.py  pwdump.py  __pycache__

┌──(kali㉿kali)-[/usr/share/creddump7]
└─$ python pwdump.py                                                                                          
usage: pwdump.py <system hive> <SAM hive>

┌──(kali㉿kali)-[/usr/share/creddump7]
└─$ python pwdump.py ~/Windows_dump/SYSTEM ~/Windows_dump/SAM 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:22775c1ecbe2bd7d69c6dcd55b7f9b25:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4fa9775c90b54e688035a28e04d59a3c:::
james.l:1000:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
amir.k:1001:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
sadia.b:1002:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
karim.r:1003:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
anika.d:1004:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
rashed.h:1005:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
nafisa.j:1006:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
sumon.t:1007:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
nazia.c:1008:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
arif.w:1009:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
kamal.n:1010:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
bilkis.z:1011:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
rubel.m:1012:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
tania.y:1013:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
robin.p:1014:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
sohan.v:1015:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
nayeem.d:1016:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
salma.q:1017:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
hossain.a:1018:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
meem.u:1019:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd:::
support_admin:1020:aad3b435b51404eeaad3b435b51404ee:8a46225c4f14f99711b0c2d6002d3af2:::

with “ john jumbo “ ⇒

And, after that the password will be cracked.

Recover Lost Linux Password Using Yescrypt Hash Cracking (Kali & Shadow File Guide)

Md. Ibrahim Reza Rabbi — Sun, 19 Apr 2026 11:45:08 +0000

In Linux systems, user passwords are not stored in plain text. Instead, they are stored as cryptographic hashes inside the /etc/shadow file. Modern distributions use yescrypt ( $y$ ), a memory-hard password hashing algorithm designed to resist brute-force and GPU-based attacks.

Since hashing is a one-way function, passwords cannot be decrypted. Recovery is done through hash cracking, where candidate passwords are hashed and compared against the stored value. Tools such as John the Ripper Jumbo are commonly used for this process.

Because yescrypt is computationally expensive, blind brute-force attacks are inefficient. The most practical approach is a dictionary attack, where prebuilt wordlists (such as rockyou.txt) are used along with mutation rules. In real-world CTFs, success depends heavily on contextual guessing, such as usernames, system themes, or predictable password patterns.

Hash Location in Linux

Password hashes are stored in /etc/shadow with the following structure:

username:hash:lastchg:min:max:warn:inactive:expire:reserved

Example entry:

kali:$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc/1kgL/nOPcWFTvhn17clxXCgyFjpC:19953:0:99999:7:::

Breakdown:

kali → username
$y$j9T$... → password hash (used for cracking only)
- $y$ → yescrypt algorithm
- j9T → cost parameters
- salt → zY1oKFxJlTgP2WcJhzbNl1
- hash → xhkUmB8R9fzETc/...
Remaining fields → password policy metadata

For cracking purposes, only the hash portion is required:

$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc/1kgL/nOPcWFTvhn17clxXCgyFjpC

Now, before cracking, you also need to get that hash from your system :)

For this purpose, we will choose the Autopsy software, which is a free forensic tool. Install it and open an empty case. When complete, follow the image instructions.

Note: The given process works for Disk image type or VM type file forensics.

Now, select the image contain file and the image ->

Then, go next , next. Then it start the analyze and it will take some time when it is finish by the given image way you will be able to get the shadow file :')->

Step 1: Prepare Hash File

echo '$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc/1kgL/nOPcWFTvhn17clxXCgyFjpC' > hash.txt

Now, for cracking I will prefer John the ripper. If, default kali not work then you may use the john jumbo link & install_explain_link. After, it is installed let's follow the below steps

Step 2: Dictionary Attack

john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Check results:

john --show hash.txt

Step 3: When Dictionary Attack Fails

If the password is not present in the wordlist, more advanced techniques are required.

1. Sequential brute force (incremental attack)

This method tries all possible combinations:

john --format=crypt --incremental hash.txt

2. Custom wordlist generation using Crunch

Crunch allows generation of targeted wordlists instead of random brute force.

Basic syntax:

crunch <min> <max> <charset> -o wordlist.txt

Examples:

Numeric-only wordlist (4–6 digits):

crunch 4 6 0123456789 -o numbers.txt

Lowercase alphabet wordlist (3–5 characters):

crunch 3 5 abcdefghijklmnopqrstuvwxyz -o alpha.txt

Mixed pattern wordlist:

crunch 6 6 abcdef123 -o custom.txt

3. Use custom wordlist with John

john --format=crypt --wordlist=custom.txt hash.txt

Summary

Start with dictionary attack using rockyou.txt
Apply rule-based mutations
If unsuccessful, use custom wordlists (Crunch)
Use incremental brute force only as a last resort
Always prioritize contextual password guessing over blind attacks

Key Insight

Yescrypt is designed to resist brute-force attacks. Effective cracking depends not on raw computation, but on intelligent wordlist construction and contextual analysis. This is why dictionary-based attacks remain the most practical method in CTFs and security testing environments.

Offline Hash Cracking Tutorial: Crack the Hash Room Walkthrough | TryHackMe

Md. Ibrahim Reza Rabbi — Sun, 19 Apr 2026 09:04:19 +0000

Can you complete the level 1 tasks by cracking the hashes?
Question-01:

Hash: 48bb6e862e54f2a795ffc4e541caed4d

Identifying the hash type (tools used -> "haiti" , "hash-identifier" , "hashid" )

All indicating MD5 (mode 0)

Now, put the hash text in the hash.txt file

Question-02:

Hash: CBFDAC6008F9CAB4083784CBD1874F76618D2A97

Let's solve this with "john the ripper" tool

Question-03:

Hash: 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

like the 1 ->

Question-04:

Hash: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

It will take many time if we want to crack it by hashcat blowfish method normally

confirmed “blowfish”
Now, this will take long time crack

So, let’s do brute force as string (Where I don’t know the length and assuming all lowercase letters)

It will also take very much time :’/
But , from internet i know the result is “bleh”
so, for fast work modify the previous code to show it in short time

It will execute the hash very fast as it know the length and 1st 2 characters of hash crack

Question-05:

Hash: 279412f945939ba78ce0758d3fd83daa

Now, this is mine favorite one among all. From, crack station,

Now, I will use mine own create Linux tool which very efficient in password existence finding from wordlists. you can visit this link for more info

Ibrahim71Reza / password_finder

🚀 pwfind (Password Find)

The Ultimate, World's Fastest Password and Secret Finder for Huge Wordlists.

Stop crashing your RAM. Start finding secrets instantly.

⚡ Why `pwfind`?

When penetration testers, bug bounty hunters, or sysadmins work with massive datasets (like a 50GB SecLists dump or massive compressed server logs), standard tools like grep or Python scripts will either bottleneck on CPU, or load the whole file into RAM and crash the system.

pwfind is written in highly optimized Rust. It utilizes multi-threading, memory-safe buffered streaming, and on-the-fly decompression to hunt for exact passwords or regex secrets across millions of lines in a fraction of a second.

✨ Core Features

🏎️ Blazing Fast Concurrency: Utilizes all your CPU cores to search dozens of files simultaneously.
🧠 Hacker Intelligence (Presets): Built-in complex Regex patterns to instantly find JWT Tokens, AWS Keys, IPv4 Addresses, and Emails.
📦 On-the-Fly Decompression: Searches directly…

View on GitHub

Now, if you notice you will see there is no single wordlist which have this password in it

So, we have to go for a long bruteforce to crack this :) No quick dictionary attack :'(

We can use this payload,

hashcat -m 900 -a 3 hash.txt ?a?l?l?l?l?l?l?l?d?d

This will also take time but will work at the end
To ensure you it will work just running a sample case of that code manually,

Okay now, We will jump to the 2nd level of this ->

Question-1:

Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

Now, lets crack this with SHA-256 mode 1400 by hashcat

Question-2:

Hash: 1DFECA0C002AE40B8619ECF94819CC1B

Now, this hash is tricky though it is showing MD5 or any version of MD but it is "NTLM". So, we should not blindly trust the top guess of this tools rather than sequentially test all the hash until we will get the hash cracked.

Question-3:

Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Salt: aReallyHardSalt

Now, it is bit tricky. Go to hashcat_wiki and search the $6$ tag and understand which mode is this. ->

okay now lets crack we don't need to add the salt in the hash manually cause it is attached with that in the hash. But, most of we miss to add the (.) full stop at the end. This full stop is a part of this hash. And also it will take some time to crack ->

Question-4:

Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6
Salt: tryhackme

now if we look at the hashcat_wiki the Sha-1 with salt is the mode 110 and also see the format sha1($pass.$salt) ->

But, unfortunately it didn't work :) then I sequentially search for other sha1 and salt type hash mode and I found this ->

And with that 160 mode we cracked the hash ->

┌──(kali㉿kali)-[~/password]
└─$ echo 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' > hash.txt

┌──(kali㉿kali)-[~/password]
└─$ hashcat -m 160 -a 0 hash.txt /usr/share/wordlists/rockyou.txt      
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12450H, 1466/2933 MB (512 MB allocatable), 4MCU