samdump2

Overview

samdump2 is a forensic analysis tool that extracts password hashes and credential information from Windows SAM (Security Accounts Manager) database files and System registry hives. It recovers NTLM and LM password hashes from offline Windows systems or memory dumps, enabling credential analysis during authorized penetration tests and digital forensics investigations.

Key Capabilities:

• Extract NTLM password hashes from SAM database
• Extract LM password hashes from legacy systems
• Parse Windows registry hives (SAM and SYSTEM)
• Support for offline forensic analysis
• Compatible with both modern and legacy Windows systems
• Output in hashcat and John the Ripper formats

Installation

From Source

# Clone the samdump2 repository
git clone https://github.com/Neohapsis/samdump2.git
cd samdump2
gcc -o samdump2 samdump2.c

# Or use make if available
make

Via Kali Linux

# Pre-installed on Kali Linux
samdump2 --help

# If not installed, install via apt
apt-get update
apt-get install samdump2

Via Package Manager (Various Distributions)

# Debian/Ubuntu
apt install samdump2

# Arch Linux
pacman -S samdump2

# FreeBSD
pkg install samdump2

Build from Source on Any Linux

# Install prerequisites
apt-get install build-essential libssl-dev

# Download and compile
wget https://sourceforge.net/projects/samdump2/files/samdump2/samdump2-3.3.0.tar.gz
tar xzf samdump2-3.3.0.tar.gz
cd samdump2-3.3.0
./configure
make
sudo make install

Verify Installation

samdump2 -h
samdump2 --version
which samdump2

Basic Usage

Extract Hashes from Local System

# Must run as root
sudo samdump2 /Windows/System32/config/SAM /Windows/System32/config/SYSTEM

# Alternative path syntax
sudo samdump2 /var/lib/virtualenvs/windows/SAM /var/lib/virtualenvs/windows/SYSTEM

Extract from Offline System Image

# From a forensic copy of Windows system
samdump2 /mnt/evidence/Windows/System32/config/SAM /mnt/evidence/Windows/System32/config/SYSTEM

# From a mounted Windows partition
samdump2 /mnt/windows_drive/Windows/System32/config/SAM /mnt/windows_drive/Windows/System32/config/SYSTEM

Save Output to File

# Redirect hashes to file
samdump2 /path/to/SAM /path/to/SYSTEM > hashes.txt

# Output directly to file
samdump2 /path/to/SAM /path/to/SYSTEM -o hashes.txt

Common samdump2 Commands

Command	Purpose
SAM_FILE	Path to SAM registry hive (required)
SYSTEM_FILE	Path to SYSTEM registry hive (required)
-h, --help	Display help message
-v, --verbose	Enable verbose output
--pwdump	Output in pwdump format
-o FILE	Write output to file
--ntlm-only	Extract only NTLM hashes
--lm-only	Extract only LM hashes
-s	Silent mode, no banner
-p	Display password hashes only

Understanding the Output Format

Default Output Format

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User1:1001:aad3b435b51404eeaad3b435b51404ee:e52caf2b8c24a98bf4e5e523e8ff8bea:::

Output Fields Explained

Field	Description
Username	Windows account name
RID	Relative ID (user identifier)
LM Hash	LM hash (legacy, often aad3b435b51404eeaad3b435b51404ee if empty)
NTLM Hash	NTLM hash (modern Windows password hash)
Extra Fields	Additional fields (usually empty)

Practical Examples

Extract and Display Hashes

# Simple hash extraction
sudo samdump2 /Windows/System32/config/SAM /Windows/System32/config/SYSTEM

# Verbose output with details
sudo samdump2 -v /Windows/System32/config/SAM /Windows/System32/config/SYSTEM

Save and Filter Hashes

# Save all hashes to file
sudo samdump2 /path/to/SAM /path/to/SYSTEM > all_hashes.txt

# Extract only NTLM hashes (skip LM hashes)
sudo samdump2 /path/to/SAM /path/to/SYSTEM | awk -F: '{print $1":"$4}' > ntlm_only.txt

# Extract hashes for specific users
sudo samdump2 /path/to/SAM /path/to/SYSTEM | grep -E "Administrator|Domain"

Create Hash Cracking Wordlists

# Extract username:hash pairs for hashcat
sudo samdump2 /path/to/SAM /path/to/SYSTEM | awk -F: '{print $1":"$4}' > hashcat_format.txt

# Extract for John the Ripper
sudo samdump2 /path/to/SAM /path/to/SYSTEM > john_format.txt

# Count total hashes extracted
sudo samdump2 /path/to/SAM /path/to/SYSTEM | wc -l

Forensic Analysis Workflow

Step 1: Acquire Registry Hives

# From a Linux forensic workstation, acquire SAM and SYSTEM files
# These are typically located at:
# C:\Windows\System32\config\SAM
# C:\Windows\System32\config\SYSTEM

# Using a forensic imaging tool (e.g., from a mounted evidence image)
cp /mnt/evidence/Windows/System32/config/SAM ./SAM.hive
cp /mnt/evidence/System32/config/SYSTEM ./SYSTEM.hive

# Or using dd from a raw disk image
dd if=/dev/sdc1 of=./SAM.hive bs=512 skip=0 count=1024

Step 2: Extract Credentials

# Extract hashes from acquired hives
samdump2 ./SAM.hive ./SYSTEM.hive > extracted_hashes.txt

# Verify extraction success
head extracted_hashes.txt

Step 3: Analyze Results

# Count user accounts
wc -l extracted_hashes.txt

# List all usernames
cut -d: -f1 extracted_hashes.txt

# Find system service accounts
grep -E "SYSTEM|LocalService|NetworkService" extracted_hashes.txt

Step 4: Hash Cracking

# Prepare hashes for hashcat
cat extracted_hashes.txt | awk -F: '{print $4}' > nt_hashes.txt

# Crack with hashcat (mode 1000 = NTLM)
hashcat -m 1000 nt_hashes.txt wordlist.txt

# Or with John the Ripper
john --format=nt extracted_hashes.txt --wordlist=wordlist.txt

Integration with Hash Cracking Tools

Format for Hashcat

# Extract NTLM hashes in hashcat format
sudo samdump2 /path/to/SAM /path/to/SYSTEM | awk -F: '{print $4}' > hashes_hashcat.txt

# Crack with hashcat (mode 1000 = NTLM)
hashcat -m 1000 hashes_hashcat.txt /usr/share/wordlists/rockyou.txt

# Use GPU acceleration
hashcat -m 1000 hashes_hashcat.txt wordlist.txt -d 1 --workload-profile 4

Format for John the Ripper

# Extract in John format (username:hash)
sudo samdump2 /path/to/SAM /path/to/SYSTEM | awk -F: '{print $1":"$4}' > hashes_john.txt

# Crack with John
john --format=nt hashes_john.txt --wordlist=wordlist.txt

# Single crack mode (uses usernames)
john --single --format=nt hashes_john.txt

Format for Hashcat with Usernames

# Preserve username with hash for context
sudo samdump2 /path/to/SAM /path/to/SYSTEM | awk -F: '{print $4":"$1}' > hashcat_usernames.txt

# Crack with hash:username format
hashcat -m 1000 hashcat_usernames.txt wordlist.txt

Advanced Forensic Techniques

Extract and Timeline User Activity

# Create timeline of user modifications
stat /Windows/System32/config/SAM
stat /Windows/System32/config/SYSTEM

# Extract hashes and correlate with last login times
sudo samdump2 /path/to/SAM /path/to/SYSTEM > forensic_data.txt

Identify Disabled and Locked Accounts

# Extract with system registry analysis
# Disabled accounts may appear in hashes but be flagged in SYSTEM hive

# Parse for account flags
samdump2 -v /path/to/SAM /path/to/SYSTEM | grep -i "disabled\|locked"

Recover Deleted Accounts

# SAM file may contain remnants of deleted accounts
# Use hexdump for deeper analysis
hexdump -C /path/to/SAM | grep -A2 -B2 "UserName"

# Strings extraction for keywords
strings /path/to/SAM | grep -i "admin\|user\|service"

Create Hash Database

# Build a master hash database from multiple systems
cat >> hash_database.txt << 'EOF'
#!/bin/bash
for system_dir in /mnt/evidence/*/Windows/System32/config; do
  samdump2 "$system_dir/SAM" "$system_dir/SYSTEM" >> all_hashes.txt
done
EOF

chmod +x hash_database.txt
./hash_database.txt

Handling Registry Hives

Locate Registry Hives on Windows System

# Typical paths for registry hives
/Windows/System32/config/SAM
/Windows/System32/config/SYSTEM
/Windows/System32/config/SOFTWARE
/Windows/System32/config/SECURITY

Backup Registry Hives (Windows)

# PowerShell command to backup registry hives
reg export HKLM\SAM C:\SAM.bak
reg export HKLM\SYSTEM C:\SYSTEM.bak

Copy from Live System (Linux/Windows)

# From a mounted Windows partition
sudo cp /mnt/windows/Windows/System32/config/SAM ./SAM
sudo cp /mnt/windows/Windows/System32/config/SYSTEM ./SYSTEM

# Change permissions if needed
sudo chmod 644 SAM SYSTEM

Troubleshooting

Permission Denied

# samdump2 requires root access to read registry hives
sudo samdump2 /path/to/SAM /path/to/SYSTEM

# Check file permissions
ls -la /path/to/SAM /path/to/SYSTEM

Registry Hive Errors

# Hives may be locked if acquired from running Windows system
# Best practice: extract from offline/forensic copy

# Verify hive integrity
file /path/to/SAM
file /path/to/SYSTEM

# Should show "Windows Registry Hive"

Missing SYSTEM Hive

# Both SAM and SYSTEM hives are required
# SYSTEM hive contains decryption keys for password hashes

# Verify both files exist
ls -la /path/to/SAM /path/to/SYSTEM

# Check file sizes (should be non-zero)
du -h /path/to/SAM /path/to/SYSTEM

No Hash Output

# If no hashes are extracted, hives may be corrupted or incorrect format
# Try verbose mode for diagnostics
samdump2 -v /path/to/SAM /path/to/SYSTEM

# Check hive header
hexdump -C /path/to/SAM | head -5
# Should show "regf" header

Hash Cracking Tips

Optimize Wordlist

# Sort and deduplicate hashes before cracking
sort -u hashes.txt > hashes_clean.txt

# Use John's preprocessing
john --wordlist=dictionary.txt --rules=best64 --format=nt hashes_clean.txt

Performance Tuning

# Use GPU for faster cracking (if available)
hashcat -m 1000 hashes.txt wordlist.txt -d 1

# Use multiple GPUs
hashcat -m 1000 hashes.txt wordlist.txt -d 1,2,3

# Use CPU with optimized settings
hashcat -m 1000 hashes.txt wordlist.txt -w 4 -O

Combined Attack Modes

# Dictionary attack
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

# Dictionary + rules
hashcat -m 1000 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Hybrid attack (wordlist + mask)
hashcat -m 1000 hashes.txt wordlist.txt -a 6 '?d?d?d?d'

# Mask attack (brute force patterns)
hashcat -m 1000 hashes.txt -a 3 '?l?l?l?l?l'

Ethical and Legal Considerations

Authorized Access Only

• Only extract hashes from systems you own or have written authorization to test
• Digital forensics work must follow proper chain of custody procedures
• Unauthorized access to authentication credentials violates computer fraud laws
• Always maintain detailed forensic documentation and logs

Incident Response Protocol

# Document everything in your forensic report
cat > forensic_report.txt << 'EOF'
Date Acquired: 2026-05-02
Chain of Custody: [Document handling]
System: [System identifier]
Forensic Tool: samdump2
Total Hashes Extracted: [Count]
Notable Accounts: [List]
Recommendations: [Security improvements]
EOF

Remediation and Notification

• Report findings to appropriate system owners
• Recommend password resets for compromised accounts
• Advise on security improvements for SAM database protection
• Follow responsible disclosure timelines

Additional Resources

• Windows Registry Documentation and Structure
• NTLM Hash Format and Cracking Guides
• Digital Forensics Best Practices
• Incident Response and Evidence Handling Procedures
• Hash Cracking Tools Documentation (hashcat, John the Ripper)