Header Ads

Header ADS

creddump /cachedump

reddump is a python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:

  • LM and NT hashes (SYSKEY protected)
  • Cached domain passwords
  • LSA secrets

It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way.

It is also the first tool that does all of these things in an offline way (actually, Cain & Abel does, but is not open source and is only available on Windows).

Tools included in the creddump package

cachedump – Dump cached credentials
root@kali:~# cachedump
usage: /usr/bin/cachedump <system hive> <security hive>

lsadump – Dump LSA secrets

root@kali:~# lsadump
usage: /usr/bin/lsadump <system hive> <security hive>

pwdump – Dump password hashes

root@kali:~# pwdump
usage: /usr/bin/pwdump <system hive> <SAM hive>

pwdump Usage Example

Dump the password hashes using the system (system) and sam (sam) hives:

root@kali:~# pwdump system sam
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:667d6c58d451dbf236ae37ab1de3b9f7:af733642ab69e156ba0c219d3bbc3c83:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8dffa305e2bee837f279c2c0b082affb:::

lsadump Usage Example

Dump the LSA secrets using the system (system) and security (security) hives:

root@kali:~# lsadump system security
_SC_ALG

_SC_Dnscache

_SC_upnphost

20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT

_SC_WebClient

_SC_RpcLocator

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0000   01 05 00 00 00 00 00 05 15 00 00 00 B6 44 E4 23    .............D.#
0010   F4 50 BA 74 07 E5 3B 2B E8 03 00 00                .P.t..;+....

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0000   00 38 00 48 00 6F 00 31 00 49 45 00 4A 00 26 00    E.J.&.8.H.o.1.I.
0010   00 63 00 72 00 48 00 68 00 53 6B 00 00 00          h.S.c.r.H.k...

_SC_MSDTC

_SC_SSDPSRV

_SC_Alerter

_SC_RpcSs

_SC_LmHosts

_SC_BthServ

No comments

Powered by Blogger.