Skip to main content

Credential Extraction


Memory forensics is one of the most reliable methods for credential extraction β€” credentials must pass through memory to be used, and many authentication mechanisms cache them there. The techniques below range from structured plugins to full memory dump analysis with offline tools.

Authorization Required

Credential extraction produces sensitive data. Ensure proper authorization and handling procedures are followed β€” extracted hashes and credentials must be stored and transmitted in accordance with applicable security policies.


Windows Password Hashes​

hashdump β€” SAM Database Hash Extraction​

Extracts NTLM password hashes from the SAM hive using the SYSKEY stored in the SYSTEM hive β€” both must be present in memory. Returns username:RID:LM_hash:NTLM_hash format, directly usable with offline cracking tools.

vol.py -f <image> --profile=<profile> hashdump
Vol3 Equivalent
vol3 -f <image> windows.hashdump
Offline Hash Cracking
# Hashcat β€” NTLM mode (3000 = LM, 1000 = NTLM)
hashcat -m 1000 /output/hashes.txt /wordlists/rockyou.txt

# Pass-the-Hash with impacket (no cracking required)
impacket-psexec -hashes :<NTLM_hash> administrator@<target_ip>

cachedump β€” Cached Domain Credentials​

Extracts cached domain credentials (DCC2 / MSCACHEv2 hashes) stored in HKLM\SECURITY\Cache. These are stored on domain-joined machines to allow logon when the DC is unreachable β€” up to 10 entries by default.

vol.py -f <image> --profile=<profile> cachedump
Vol3 Equivalent
vol3 -f <image> windows.cachedump
Cracking DCC2 Hashes

DCC2 hashes are slow to crack β€” they use PBKDF2 with 10,240 iterations. Use hashcat mode 2100:

hashcat -m 2100 /output/cached_hashes.txt /wordlists/rockyou.txt

lsadump β€” LSA Secrets​

Extracts LSA secrets from HKLM\SECURITY\Policy\Secrets β€” includes service account passwords, DPAPI master keys, auto-logon credentials, and VPN/wireless PSKs stored by Windows.

vol.py -f <image> --profile=<profile> lsadump
Vol3 Equivalent
vol3 -f <image> windows.lsadump
What LSA Secrets Contain
Secret NameContents
_SC_<ServiceName>Service account password for the named service
DPAPI_SYSTEMDPAPI master key β€” used to decrypt user DPAPI blobs
DefaultPasswordAuto-logon password (if configured)
$MACHINE.ACCMachine account password for domain join
NL$KMCached credentials encryption key

LSASS Memory Analysis​

lsass.exe holds plaintext credentials, NTLM hashes, Kerberos tickets, and DPAPI keys in memory for all currently and recently logged-on users. Dumping its memory is the most comprehensive credential extraction technique.

Step 1 β€” Identify the LSASS PID​

vol.py -f <image> --profile=<profile> pslist | grep lsass
Vol3
vol3 -f <image> windows.pslist | grep lsass

Step 2 β€” Dump Full LSASS Memory​

vol.py -f <image> --profile=<profile> memdump -p <lsass_PID> -D /output/
Vol3
vol3 -f <image> windows.memmap --dump --pid <lsass_PID>

Output file: pid.<lsass_PID>.dmp

Step 3 β€” Extract Credentials with pypykatz (Offline Mimikatz)​

pypykatz is a pure Python implementation of Mimikatz that runs offline against a memory dump:

# Install
pip install pypykatz

# Parse lsass memdump β€” outputs all credential material
pypykatz lsa minidump /output/<lsass_PID>.dmp

# Output to JSON for easier parsing
pypykatz lsa minidump /output/<lsass_PID>.dmp -o /output/creds.json --json

pypykatz will extract:

  • msv β€” NTLM hashes (from NTLM SSP)
  • wdigest β€” Plaintext passwords (if WDigest enabled β€” Windows 7/2008 R2 and older by default, or if registry key set by attacker)
  • kerberos β€” Kerberos tickets and plaintext passwords
  • ssp β€” SSP credential cache
  • credman β€” Windows Credential Manager entries
  • dpapi β€” DPAPI master keys
WDigest Plaintext Credentials

On Windows 8.1+ and Server 2012 R2+, WDigest is disabled by default (no plaintext in memory). However, attackers can re-enable it via: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest β†’ UseLogonCredential = 1

Check if this key was set:

vol.py -f <image> --profile=<profile> printkey \
-o <SYSTEM_offset> \
-K "ControlSet001\Control\SecurityProviders\WDigest"

Kerberos Tickets​

kerberos / Ticket Extraction​

Extract Kerberos TGTs and service tickets cached in memory. Kerberos tickets can be used for pass-the-ticket attacks to impersonate users without needing their password.

# Vol2 β€” via pypykatz after memdump (most reliable)
pypykatz lsa minidump /output/<lsass_PID>.dmp | grep -A5 "kerberos"

# Vol2 plugin (if available in your build)
vol.py -f <image> --profile=<profile> mimikatz
Vol3 Approach
# Dump lsass memory and process with pypykatz
vol3 -f <image> windows.memmap --dump --pid <lsass_PID>
pypykatz lsa minidump pid.<lsass_PID>.dmp
Using Extracted Tickets

Exported Kerberos tickets (.kirbi format from Mimikatz or Rubeus) can be used for lateral movement:

# Convert to ccache for Linux tools
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=/output/ticket.ccache

# Use with impacket tools
impacket-psexec -k -no-pass administrator@<target_hostname>

DPAPI Master Keys​

DPAPI (Data Protection API) is used by Windows to encrypt browser-saved passwords, Wi-Fi keys, RDP credentials, and more. The master keys needed to decrypt this material are cached in lsass memory.

# Extract DPAPI master keys from lsass memdump
pypykatz lsa minidump /output/<lsass_PID>.dmp --json | python3 -c "
import json,sys
data=json.load(sys.stdin)
for luid,entry in data.items():
for mk in entry.get('dpapi',[]):
print(mk)
"

With the master key, decrypt DPAPI blobs offline:

# Decrypt Chrome saved passwords (example)
impacket-dpapi masterkey -file /output/masterkey_blob -pvk /output/domain_backup.pvk
impacket-dpapi credential -masterkey <masterkey_hex> -file /Chrome/Login\ Data