Note: what is extracted here is the hash cached on a domain member machine, not a hash taken from a domain controller.
Registry export:
reg save HKLM\SAM c:\sam.hive & reg save HKLM\SYSTEM c:\system.hive & reg save HKLM\SECURITY c:\security.hive
MSCash (domain cached credential hash) extraction
Cain can extract MSCash from the hive files, but its output cannot be copied out and has to be typed off the screen character by character, which is very painful. Getsyskey+gethashes can also dump hashes, but only those of local accounts. creddump is a Python tool that dumps not only local account hashes but also MSCash (domain cached hashes); the stock version of creddump does not support MSCASH2, so someone modified the original and released it as creddump7, which supports extracting MSCash from the registry of every Windows version.
MSCash cached password data comes in two formats. Before Vista the scheme was relatively simple, using the username as the salt, and is called MSCASH; from Vista onward the scheme still uses the username as the salt but the algorithm is more complex, and is called MSCASH2.
cachedump.py system.hive security.hive True
The third parameter, True, indicates that the hives are in the MSCASH2 format; for hives extracted from a pre-Vista system such as Windows Server 2003, write False here instead.
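Defender-side counterpart, added here and not part of the original post: a small detector that flags the `reg save` exports of the SAM, SYSTEM and SECURITY hives shown above when they appear in process-creation command lines, including the `&`-chained one-liner. The event fields and the sample command lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches "reg save HKLM\SAM ..." or "reg.exe save HKEY_LOCAL_MACHINE\SECURITY ..."
# anywhere in a command line, so "&"-chained one-liners yield one match per hive.
HIVE_SAVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b',
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    hives: list
    severity: str


def detect_hive_export(event: dict):
    """Return a Finding if the event's command line saves a credential hive, else None."""
    hives = sorted({m.upper() for m in HIVE_SAVE_RE.findall(event["command_line"])})
    if not hives:
        return None
    # SAM and SECURITY can only be decrypted with the boot key held in SYSTEM,
    # so SYSTEM together with either of them is the complete offline-dump set.
    complete = "SYSTEM" in hives and bool({"SAM", "SECURITY"} & set(hives))
    return Finding(event["host"], event["user"], hives, "high" if complete else "medium")


def scan(events):
    """Run the detector over a batch of events and keep only the hits."""
    return [f for f in (detect_hive_export(e) for e in events) if f is not None]


# Constructed sample process-creation events (hypothetical hosts and users, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "command_line": r"reg save Hklm\sam c:\sam.hive & reg save Hklm\system c:\system.hive & reg Save Hklm\security c:\security.hive"},
    {"host": "WS02", "user": "CORP\\svc_backup",
     "command_line": r'reg.exe save "HKEY_LOCAL_MACHINE\SECURITY" C:\Temp\sec.hiv /y'},
    {"host": "WS03", "user": "CORP\\admin",
     "command_line": r"reg save HKLM\SOFTWARE\Contoso C:\backup\contoso.hiv"},  # benign backup, no hit
    {"host": "WS04", "user": "CORP\\jdoe",
     "command_line": r"reg query HKLM\SAM"},  # query, not an export: no hit
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} {f.host} {f.user} saved {', '.join(f.hives)}")
```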
https://github.com/Neohapsis/creddump7
Simple usage:
For example, once you have a local Administrator password that is reused across hosts, connect to those hosts in bulk, grab the sam.hive, system.hive and security.hive files, and extract the hashes to see whether any domain account hashes are cached there.
This article is from the "Sanr" blog; please keep this source when reposting: http://0x007.blog.51cto.com/6330498/1673840
Offline extraction of domain logon cache hashes (MSCash)