# CredAudit

CredAudit is a fully automated Python CLI tool for auditing Windows local account password strength through NTLM hash extraction and dictionary attack analysis. Built for penetration testers, security auditors, and system administrators.

No manual commands. No complex setup. Just drop your SAM + SYSTEM files and run one script.
## Table of Contents

- What is CredAudit?
- How It Works
- Features
- Project Structure
- Requirements
- Installation
- Exporting SAM + SYSTEM from Windows
- Transferring Files to Kali / Linux
- Running the Tool
- CLI Options Reference
- Output Reports
- Cross-Platform Support
- Important Notes
- Ethical Use Disclaimer
- License
## What is CredAudit?

CredAudit automates the Windows credential auditing process that security professionals perform manually during penetration tests and security assessments.
In a real pentest scenario, auditors need to:
- Export SAM and SYSTEM registry hives from a Windows machine
- Extract NTLM password hashes
- Run dictionary attacks to identify weak passwords
- Document findings in a security report
CredAudit automates all of these steps in one command.
### Use Cases

- Penetration Testing — Audit Windows local account password strength during authorized engagements
- Security Assessments — Identify weak passwords on corporate workstations and servers
- Lab Practice — Learn NTLM hash extraction and password cracking in a controlled environment
- Security Awareness — Demonstrate password weakness risks to clients and stakeholders
### Supported Account Types

| Account Type | Supported | Notes |
|---|---|---|
| Local accounts | ✅ Yes | Full hash extraction and cracking |
| Built-in accounts (Administrator, Guest) | ✅ Yes | Detects empty/default passwords |
| Service accounts | ✅ Yes | Classified and risk-flagged |
| Domain accounts (on domain-joined machines) | ✅ Yes | Cached credentials in SAM |
| Microsoft accounts (personal laptops) |  | Hash extracted but may not be crackable |
## How It Works

```text
┌────────────────────────────────────────────────────────────────┐
│                         USER WORKFLOW                          │
│                                                                │
│  STEP 1 — On the Windows target machine (as Administrator):    │
│      reg save HKLM\SAM C:\Users\Public\SAM                     │
│      reg save HKLM\SYSTEM C:\Users\Public\SYSTEM               │
│                                                                │
│  STEP 2 — Transfer SAM + SYSTEM to your audit machine          │
│           and drop them into the input/ folder                 │
│                                                                │
│  STEP 3 — Run the launcher:                                    │
│      ./run_audit.sh     (Linux / Kali / macOS)                 │
│      run_audit.bat      (Windows CMD)                          │
│      .\run_audit.ps1    (Windows PowerShell)                   │
│                                                                │
│  STEP 4 — Follow the guided prompts                            │
│           (wordlist selection, report format)                  │
│                                                                │
│  STEP 5 — Reports saved to reports/ folder ✅                  │
└────────────────────────────────────────────────────────────────┘
```
```text
input/SAM + input/SYSTEM
        │
        ▼
[1/4] Extract NTLM hashes
      └─ Boot key from SYSTEM hive
      └─ Decrypt SAM with Impacket LocalOperations
      └─ Output: username, RID, LM hash, NTLM hash
        │
        ▼
[2/4] Parse account records
      └─ Classify account types (Admin, Guest, Standard, Service)
      └─ Detect empty passwords, LM hash storage, disabled accounts
      └─ Apply risk flags (default RIDs, high-privilege accounts)
        │
        ▼
[3/4] Dictionary attack
      └─ Primary: Hashcat mode 1000 (NTLM) — GPU/CPU accelerated
      └─ Fallback: Python MD4 engine — no dependencies needed
      └─ Uses any wordlist (recommended: rockyou.txt)
        │
        ▼
[4/4] Generate audit report
      └─ TXT  — Plain text, suitable for documentation
      └─ JSON — Machine-readable, SIEM-ready
      └─ HTML — Visual report with charts and severity colors
```
## Features

- 🎬 Animated startup — Letter-by-letter banner animation on launch
- 🤖 Fully guided — Interactive setup shows exact commands to run
- 🔑 Automatic hash extraction — No manual secretsdump or mimikatz needed
- ⚡ Hashcat integration — GPU-accelerated cracking using mode 1000 (NTLM)
- 🐍 Python fallback engine — Works even without Hashcat installed
- 📊 Three report formats — TXT, JSON, and HTML in one run
- 🌍 Cross-platform — Works on Kali Linux, Ubuntu, macOS, and Windows
- 🎨 Color-coded terminal output — Clear visual feedback throughout
- 🚩 Risk flagging — Detects high-value targets, empty passwords, LM hash storage
- 📁 Rotating log files — Full audit trail saved to `logs/`
- 🔒 Safe by default — `.gitignore` blocks SAM/SYSTEM files from being committed
## Project Structure

```text
credential-audit-tool/
│
├── main.py               ← CLI entry point — auto + guided + manual modes
├── run_audit.sh          ← One-click launcher for Linux / Kali / macOS
├── run_audit.bat         ← One-click launcher for Windows CMD
├── run_audit.ps1         ← One-click launcher for Windows PowerShell
├── requirements.txt      ← Python dependencies
├── README.md
├── LICENSE               ← MIT License
├── .gitignore            ← Blocks SAM/SYSTEM/hive files from git
│
├── modules/
│   ├── hash_extractor.py    ← SAM + SYSTEM hive parsing, NTLM extraction
│   ├── hash_parser.py       ← Account enrichment, risk flags, LM detection
│   ├── password_cracker.py  ← Hashcat (mode 1000) + Python MD4 fallback
│   ├── report_generator.py  ← TXT / JSON / HTML report generation
│   └── logger.py            ← Colored console + rotating file logger
│
├── input/                ← ⬅ DROP YOUR SAM + SYSTEM FILES HERE
│   └── README.md
│
├── wordlists/
│   └── example_wordlist.txt ← Bundled demo wordlist (limited)
│
├── reports/              ← Generated audit reports saved here
└── logs/                 ← Audit session logs saved here
```
## Requirements

| Component | Requirement |
|---|---|
| Python | 3.8 or higher |
| OS | Kali Linux, Ubuntu, Debian, macOS, Windows |
| Hashcat | Optional — falls back to Python engine |
| RAM | 512 MB minimum |
| Disk | 200 MB (plus wordlist size) |
Python dependencies (`requirements.txt`):

```text
impacket>=0.11.0        # SAM/SYSTEM hive parsing and NTLM extraction
pycryptodome>=3.18.0    # Cryptographic operations for hash decryption
python-registry>=1.4    # Windows registry hive file reading
```
## Installation

### Clone the repository

```bash
git clone https://github.com/yourusername/CredAudit.git
cd CredAudit
```

### Install Python dependencies

```bash
# Standard install
pip install -r requirements.txt

# On Kali Linux (if you get externally-managed error)
pip install -r requirements.txt --break-system-packages

# Or using virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

### Install Hashcat (optional)

```bash
# Kali Linux / Ubuntu / Debian
sudo apt update && sudo apt install hashcat

# macOS
brew install hashcat

# Windows — Download from https://hashcat.net/hashcat/
```

### Make the launcher executable (Linux / Kali / macOS)

```bash
chmod +x run_audit.sh
```

## Exporting SAM + SYSTEM from Windows

Open Command Prompt as Administrator and run:
```cmd
reg save HKLM\SAM C:\Users\Public\SAM /y
reg save HKLM\SYSTEM C:\Users\Public\SYSTEM /y
```

You should see:

```text
The operation completed successfully.
The operation completed successfully.
```
⚠️ Note: Must be run as Administrator. Right-click CMD → Run as Administrator.
## Transferring Files to Kali / Linux

### Option A: Python HTTP server

On the Windows machine:

```cmd
cd C:\Users\Public
python -m http.server 8888
```

On Kali / Linux:

```bash
wget http://<windows-ip>:8888/SAM -O input/SAM
wget http://<windows-ip>:8888/SYSTEM -O input/SYSTEM
```

Note that `http.server` serves the hives without any authentication to anyone who can reach port 8888, so stop it as soon as the copy finishes and delete the exported copies from `C:\Users\Public` afterwards.

### Option B: SCP

```bash
scp user@<windows-ip>:"C:/Users/Public/SAM" ./input/SAM
scp user@<windows-ip>:"C:/Users/Public/SYSTEM" ./input/SYSTEM
```

### Verify the files are in place

```bash
ls input/
# Should show: README.md  SAM  SYSTEM
```

## Running the Tool

### Guided mode (one-click launcher)

```bash
./run_audit.sh      # Linux / Kali / macOS
run_audit.bat       # Windows CMD
.\run_audit.ps1     # Windows PowerShell
```

### Manual mode

```bash
# Basic
python3 main.py --sam input/SAM --system input/SYSTEM

# With rockyou.txt wordlist and all report formats
python3 main.py --sam input/SAM --system input/SYSTEM \
    --wordlist /usr/share/wordlists/rockyou.txt \
    --format all

# Force Python engine (no Hashcat needed)
python3 main.py --sam input/SAM --system input/SYSTEM --cracker python

# Verbose debug output
python3 main.py --auto --verbose
```

## CLI Options Reference

| Flag | Default | Description |
|---|---|---|
| `--auto` | — | Launch guided interactive mode (recommended) |
| `--sam FILE` | — | Path to SAM hive file |
| `--system FILE` | — | Path to SYSTEM hive file |
| `--wordlist FILE` | `wordlists/example_wordlist.txt` | Wordlist for dictionary attack |
| `--format` | `all` | Report format: txt / json / html / all |
| `--output DIR` | `reports/` | Directory to save reports |
| `--cracker` | `auto` | Engine: hashcat / python / auto |
| `--hashcat-path` | `hashcat` | Custom path to Hashcat binary |
| `--skip-disabled` | off | Skip disabled accounts |
| `--no-color` | off | Disable ANSI color output |
| `--verbose` / `-v` | off | Enable debug logging |
| `--log-file FILE` | `logs/audit.log` | Custom log file path |
## Output Reports

### HTML report

Visual browser-based report with severity-colored table, donut chart, bar chart, risk flags, and remediation recommendations.

```bash
xdg-open reports/audit_report_<timestamp>.html   # Linux / Kali
open reports/audit_report_<timestamp>.html       # macOS
start reports\audit_report_<timestamp>.html      # Windows
```

### JSON report

Machine-readable output for SIEM integration or custom scripting.

### TXT report

Plain text report for email, documentation, or terminal review.
## Cross-Platform Support

| Platform | Launcher | Hashcat Install | Status |
|---|---|---|---|
| Kali Linux | `./run_audit.sh` | `sudo apt install hashcat` | ✅ Fully tested |
| Ubuntu / Debian | `./run_audit.sh` | `sudo apt install hashcat` | ✅ Supported |
| macOS | `./run_audit.sh` | `brew install hashcat` | ✅ Supported |
| Windows CMD | `run_audit.bat` | hashcat.net | ✅ Supported |
| Windows PowerShell | `.\run_audit.ps1` | hashcat.net | ✅ Supported |
## Important Notes

### Wordlists

The bundled example wordlist is for demo only. For real auditing use your own wordlists or rockyou.txt:

```bash
# Unzip on Kali if needed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Then use this path in the tool
/usr/share/wordlists/rockyou.txt
```

### Microsoft accounts

If the target uses a Microsoft account (Gmail, Outlook, etc.), the SAM file contains cached credentials that cannot be cracked with a wordlist. This tool is designed for local accounts, which are standard in corporate environments.

### Git safety

The `.gitignore` automatically blocks SAM, SYSTEM, and hive files from Git. Never commit real SAM/SYSTEM files to any repository.
## Ethical Use Disclaimer

This tool is provided strictly for authorized security auditing, penetration testing, and cybersecurity education.
✅ Permitted: Systems you own, systems with explicit written authorization, controlled lab environments.
❌ Prohibited: Any unauthorized access to systems you do not own or have permission to test.
Unauthorized use is illegal under the CFAA, UK Computer Misuse Act, IT Act (India), and equivalent laws worldwide. The authors accept no responsibility for unauthorized or illegal use.
## License

MIT License — see LICENSE for full terms.
CredAudit is a practical open-source security tool developed for penetration testers, security auditors, and system administrators to extract, crack, and analyze Windows local account password strength in authorized environments.
⭐ If you found this useful, consider giving it a star on GitHub!