creddump /cachedump
creddump is a Python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:
- LM and NT hashes (SYSKEY protected)
- Cached domain passwords
- LSA secrets
It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way.
It is also the first tool that does all of these things in an offline way (actually, Cain & Abel does, but is not open source and is only available on Windows).
Tools included in the creddump package
cachedump – Dump cached credentials
root@kali:~# cachedump
usage: /usr/bin/cachedump <system hive> <security hive>
lsadump – Dump LSA secrets
root@kali:~# lsadump
usage: /usr/bin/lsadump <system hive> <security hive>
pwdump – Dump password hashes
root@kali:~# pwdump
usage: /usr/bin/pwdump <system hive> <SAM hive>
pwdump Usage Example
Dump the password hashes using the system (system) and sam (sam) hives:
root@kali:~# pwdump system sam
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:667d6c58d451dbf236ae37ab1de3b9f7:af733642ab69e156ba0c219d3bbc3c83:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8dffa305e2bee837f279c2c0b082affb:::
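pwdump's output follows the classic pwdump format, user:RID:LM hash:NT hash:::. Two values in the output above are worth recognising on sight: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (it is what Windows stores once LM hashing is disabled), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so the Guest line above is an account with a blank password. The following parser and triage routine is an added example for reviewing such a dump; it is not part of creddump, and its sample lines are constructed (the non-empty hash values are made up):

```python
import re
from typing import Dict, List, NamedTuple

# Well-known hash values for an empty password; both appear verbatim in the
# pwdump output above (the Guest line carries both).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format: user:RID:LM hash:NT hash::: (32 hex chars per hash)
_PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


class PwdumpEntry(NamedTuple):
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump(text: str) -> List[PwdumpEntry]:
    """Parse pwdump-format lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = _PWDUMP_LINE.match(line.strip())
        if m is None:
            continue
        entries.append(
            PwdumpEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())
        )
    return entries


def triage(entries: List[PwdumpEntry]) -> Dict[str, List[str]]:
    """Flag accounts whose NT hash is the empty-password hash (blank password)
    and accounts that still have a real LM hash stored (LM storage not disabled)."""
    findings: Dict[str, List[str]] = {"blank_password": [], "lm_hash_stored": []}
    for e in entries:
        if e.nt_hash == EMPTY_NT:
            findings["blank_password"].append(e.user)
        if e.lm_hash != EMPTY_LM:
            findings["lm_hash_stored"].append(e.user)
    return findings


# Constructed sample in pwdump format (hash values are made up except for the
# well-known empty-password hashes); not real output from any system.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is not in pwdump format
"""

if __name__ == "__main__":
    for name, users in triage(parse_pwdump(SAMPLE)).items():
        print(f"{name}: {', '.join(users) or 'none'}")
```

A stored LM hash on a modern host means the "Do not store LAN Manager hash value" policy is not in effect for that account; a blank NT hash on an enabled account is a finding on its own.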
lsadump Usage Example
Dump the LSA secrets using the system (system) and security (security) hives:
root@kali:~# lsadump system security
_SC_ALG
_SC_Dnscache
_SC_upnphost
20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT
_SC_WebClient
_SC_RpcLocator
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0000 01 05 00 00 00 00 00 05 15 00 00 00 B6 44 E4 23 .............D.#
0010 F4 50 BA 74 07 E5 3B 2B E8 03 00 00 .P.t..;+....
0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0000 00 38 00 48 00 6F 00 31 00 49 45 00 4A 00 26 00 E.J.&.8.H.o.1.I.
0010 00 63 00 72 00 48 00 68 00 53 6B 00 00 00 h.S.c.r.H.k...
_SC_MSDTC
_SC_SSDPSRV
_SC_Alerter
_SC_RpcSs
_SC_LmHosts
_SC_BthServ
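Several of the secrets above are printed as hex dumps rather than text. The RemoteDesktopHelpAssistantSID entry is a binary SID: one byte of revision, one byte of sub-authority count, a 48-bit big-endian identifier authority, and then little-endian 32-bit sub-authorities, the last of which is the RID. Decoding it tells you which account a secret belongs to; here the RID is 1000, which matches HelpAssistant:1000 in the pwdump output above. The following decoder is an added example, not creddump's own code; it reads the dump lines exactly as printed above (the hex-dump text is copied from that output):

```python
import struct

# Hex dump for the RemoteDesktopHelpAssistantSID secret, copied from the lsadump
# output above (offset, hex bytes, ASCII column).
SID_DUMP = """\
0000 01 05 00 00 00 00 00 05 15 00 00 00 B6 44 E4 23 .............D.#
0010 F4 50 BA 74 07 E5 3B 2B E8 03 00 00 .P.t..;+....
"""

_HEX = set("0123456789abcdefABCDEF")


def parse_hexdump(text: str) -> bytes:
    """Turn lsadump-style dump lines back into bytes.
    Each line is: 4-digit offset, up to 16 two-character hex bytes, ASCII column.
    The ASCII column is recognised as the first token that is not a hex pair
    (or by the 16-byte line limit), so it is never mistaken for data."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        taken = 0
        for tok in tokens[1:]:  # tokens[0] is the offset
            if taken == 16 or len(tok) != 2 or not set(tok) <= _HEX:
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def decode_sid(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID blob truncated")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid: str) -> int:
    """The last sub-authority is the relative identifier (RID)."""
    return int(sid.rsplit("-", 1)[1])


if __name__ == "__main__":
    sid = decode_sid(parse_hexdump(SID_DUMP))
    print(sid, "RID", rid_of(sid))
```

The decoded value has the S-1-5-21-<domain>-<RID> shape of a local machine account, so the first three sub-authorities are the machine's own SID and can be matched against the other entries in the SAM.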