CredAudit
Open-source Windows credential audit tool — extracts NTLM hashes from SAM/SYSTEM hives, cracks passwords using Hashcat, and tests password strength. Generates TXT, JSON, and HTML reports.
Install / Use
/learn @Darknetwave/CredAuditREADME
🔐 CredAudit — Automated Windows Credential Audit Tool
CredAudit is a fully automated Python CLI tool for auditing Windows local account password strength through NTLM hash extraction and dictionary attack analysis. Built for penetration testers, security auditors, and system administrators.
No manual commands. No complex setup. Just drop your SAM + SYSTEM files and run one script.
📋 Table of Contents
- What is CredAudit?
- How It Works
- Features
- Project Structure
- Requirements
- Installation
- Exporting SAM + SYSTEM from Windows
- Transferring Files to Kali / Linux
- Running the Tool
- CLI Options Reference
- Output Reports
- Cross-Platform Support
- Important Notes
- Ethical Use Disclaimer
- License
🔍 What is CredAudit?
CredAudit automates the Windows credential auditing process that security professionals perform manually during penetration tests and security assessments.
In a real pentest scenario, auditors need to:
- Export SAM and SYSTEM registry hives from a Windows machine
- Extract NTLM password hashes
- Run dictionary attacks to identify weak passwords
- Document findings in a security report
CredAudit automates all of these steps in one command.
Use Cases
- Penetration Testing — Audit Windows local account password strength during authorized engagements
- Security Assessments — Identify weak passwords on corporate workstations and servers
- Lab Practice — Learn NTLM hash extraction and password cracking in a controlled environment
- Security Awareness — Demonstrate password weakness risks to clients and stakeholders
What CredAudit Can Audit
| Account Type | Supported | Notes | |-------------|-----------|-------| | Local accounts | ✅ Yes | Full hash extraction and cracking | | Built-in accounts (Administrator, Guest) | ✅ Yes | Detects empty/default passwords | | Service accounts | ✅ Yes | Classified and risk-flagged | | Domain accounts (on domain-joined machines) | ✅ Yes | Cached credentials in SAM | | Microsoft accounts (personal laptops) | ⚠️ Partial | Hash extracted but may not be crackable |
⚙️ How It Works
┌─────────────────────────────────────────────────────────────────┐
│ USER WORKFLOW │
│ │
│ STEP 1 — On the Windows target machine (as Administrator): │
│ reg save HKLM\SAM C:\Users\Public\SAM │
│ reg save HKLM\SYSTEM C:\Users\Public\SYSTEM │
│ │
│ STEP 2 — Transfer SAM + SYSTEM to your audit machine │
│ and drop them into the input/ folder │
│ │
│ STEP 3 — Run the launcher: │
│ ./run_audit.sh (Linux / Kali / macOS) │
│ run_audit.bat (Windows CMD) │
│ .\run_audit.ps1 (Windows PowerShell) │
│ │
│ STEP 4 — Follow the guided prompts │
│ (wordlist selection, report format) │
│ │
│ STEP 5 — Reports saved to reports/ folder ✅ │
└─────────────────────────────────────────────────────────────────┘
Internal Pipeline
input/SAM + input/SYSTEM
│
▼
[1/4] Extract NTLM hashes
└─ Boot key from SYSTEM hive
└─ Decrypt SAM with Impacket LocalOperations
└─ Output: username, RID, LM hash, NTLM hash
│
▼
[2/4] Parse account records
└─ Classify account types (Admin, Guest, Standard, Service)
└─ Detect empty passwords, LM hash storage, disabled accounts
└─ Apply risk flags (default RIDs, high-privilege accounts)
│
▼
[3/4] Dictionary attack
└─ Primary: Hashcat mode 1000 (NTLM) — GPU/CPU accelerated
└─ Fallback: Python MD4 engine — no dependencies needed
└─ Uses any wordlist (recommended: rockyou.txt)
│
▼
[4/4] Generate audit report
└─ TXT — Plain text, suitable for documentation
└─ JSON — Machine-readable, SIEM-ready
└─ HTML — Visual report with charts and severity colors
✨ Features
- 🎬 Animated startup — Letter-by-letter banner animation on launch
- 🤖 Fully guided — Interactive setup shows exact commands to run
- 🔑 Automatic hash extraction — No manual secretsdump or mimikatz needed
- ⚡ Hashcat integration — GPU-accelerated cracking using mode 1000 (NTLM)
- 🐍 Python fallback engine — Works even without Hashcat installed
- 📊 Three report formats — TXT, JSON, and HTML in one run
- 🌍 Cross-platform — Works on Kali Linux, Ubuntu, macOS, and Windows
- 🎨 Color-coded terminal output — Clear visual feedback throughout
- 🚩 Risk flagging — Detects high-value targets, empty passwords, LM hash storage
- 📁 Rotating log files — Full audit trail saved to
logs/ - 🔒 Safe by default —
.gitignoreblocks SAM/SYSTEM files from being committed
📁 Project Structure
credential-audit-tool/
│
├── main.py ← CLI entry point — auto + guided + manual modes
├── run_audit.sh ← One-click launcher for Linux / Kali / macOS
├── run_audit.bat ← One-click launcher for Windows CMD
├── run_audit.ps1 ← One-click launcher for Windows PowerShell
├── requirements.txt ← Python dependencies
├── README.md
├── LICENSE ← MIT License
├── .gitignore ← Blocks SAM/SYSTEM/hive files from git
│
├── modules/
│ ├── hash_extractor.py ← SAM + SYSTEM hive parsing, NTLM extraction
│ ├── hash_parser.py ← Account enrichment, risk flags, LM detection
│ ├── password_cracker.py ← Hashcat (mode 1000) + Python MD4 fallback
│ ├── report_generator.py ← TXT / JSON / HTML report generation
│ └── logger.py ← Colored console + rotating file logger
│
├── input/ ← ⬅ DROP YOUR SAM + SYSTEM FILES HERE
│ └── README.md
│
├── wordlists/
│ └── example_wordlist.txt ← Bundled demo wordlist (limited)
│
├── reports/ ← Generated audit reports saved here
└── logs/ ← Audit session logs saved here
📦 Requirements
| Component | Requirement | |-----------|-------------| | Python | 3.8 or higher | | OS | Kali Linux, Ubuntu, Debian, macOS, Windows | | Hashcat | Optional — falls back to Python engine | | RAM | 512 MB minimum | | Disk | 200 MB (plus wordlist size) |
Python Dependencies
impacket>=0.11.0 # SAM/SYSTEM hive parsing and NTLM extraction
pycryptodome>=3.18.0 # Cryptographic operations for hash decryption
python-registry>=1.4 # Windows registry hive file reading
🚀 Installation
Step 1 — Clone the Repository
git clone https://github.com/yourusername/CredAudit.git
cd CredAudit
Step 2 — Install Python Dependencies
# Standard install
pip install -r requirements.txt
# On Kali Linux (if you get externally-managed error)
pip install -r requirements.txt --break-system-packages
# Or using virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Step 3 — Install Hashcat (Optional but Recommended)
# Kali Linux / Ubuntu / Debian
sudo apt update && sudo apt install hashcat
# macOS
brew install hashcat
# Windows — Download from https://hashcat.net/hashcat/
Step 4 — Make Launcher Executable (Linux/macOS)
chmod +x run_audit.sh
🪟 Exporting SAM + SYSTEM from Windows
Open Command Prompt as Administrator and run:
reg save HKLM\SAM C:\Users\Public\SAM /y
reg save HKLM\SYSTEM C:\Users\Public\SYSTEM /y
You should see:
The operation completed successfully.
The operation completed successfully.
⚠️ Note: Must be run as Administrator. Right-click CMD → Run as Administrator.
📤 Transferring Files to Kali / Linux
Method 1 — Python HTTP Server (Recommended)
On the Windows machine:
cd C:\Users\Public
python -m http.server 8888
On Kali / Linux:
wget http://<windows-ip>:8888/SAM -O input/SAM
wget http://<windows-ip>:8888/SYSTEM -O input/SYSTEM
Method 2 — SCP
scp user@<windows-ip>:"C:/Users/Public/SAM" ./input/SAM
scp user@<windows-ip>:"C:/Users/Public/SYSTEM" ./input/SYSTEM
Verify
ls input/
# Should show: README.md SAM SYSTEM
▶️ Running the Tool
Auto Mode — Recommended
Related Skills
node-connect
352.5kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
111.3kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
352.5kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
qqbot-media
352.5kQQBot 富媒体收发能力。使用 <qqmedia> 标签,系统根据文件扩展名自动识别类型(图片/语音/视频/文件)。
