• Stars
    star
    357
  • Rank 119,149 (Top 3 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 10 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Information

This repo is for my modifications to the original 'creddump' program available at:

https://code.google.com/p/creddump/

I did not write the original program.

I have combined many patches and fixes I have seen from different forums and user suggestions, as well as modified the usage to make it a little more clear.

I followed patches and fixes from the following links:

Enjoy! Ronnie Flathers (@ropnop)

Usage

Mount a Windows 7/Vista partition:

# mkdir /mnt/win
# ntfs-3g /dev/sda1 /mnt/win

Run cachedump.py on the SYSTEM and SECURITY hives to extract cached domain creds:

# ./cachedump.py
usage: ./cachedump.py <system hive> <security hive> <Vista/7>

Example (Windows Vista/7):
./cachedump.py /path/to/System32/config/SYSTEM /path/to/System32/config/SECURITY true

Example (Windows XP):
./cachedump.py /path/to/System32/SYSTEM /path/to/System32/config/SECURITY false

# ./cachedump.py /mnt/win/Windows/System32/config/SYSTEM /mnt/win/Windows/System32/config/SECURITY true |tee hashes
nharpsis:6b29dfa157face3f3d8db489aec5cc12:acme:acme.local
god:25bd785b8ff1b7fa3a9b9e069a5e7de7:acme:acme.local

If you want to crack the hashes and have a good wordlist, John can be used. The hashes are in the 'mscash2' format:

# john --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt hashes
Loaded 2 password hashes with 2 different salts (M$ Cache Hash 2 (DCC2) PBKDF2-HMAC-SHA-1 [128/128 SSE2 intrinsics 8x])
g0d              (god)
Welcome1!        (nharpsis)

We now have the passwords for two domain users. Note: these passwords are really simple and I knew they were in the wordlist I used. Normally if you want to actually bruteforce the passwords, I wouldn't recommend John. Pull the hashes and use a GPU powered cracking box with oclHashcat.

Below is the original README file

OVERVIEW

creddump is a python tool to extract various credentials and secrets from
Windows registry hives. It currently extracts:
* LM and NT hashes (SYSKEY protected)
* Cached domain passwords
* LSA secrets

It essentially performs all the functions that bkhive/samdump2,
cachedump, and lsadump2 do, but in a platform-independent way.

It is also the first tool that does all of these things in an offline
way (actually, Cain & Abel does, but is not open source and is only
available on Windows).

REQUIREMENTS

alldump has only been tested on python 2.5. It should work on 2.4 as
well, but will likely need modification before it will work on 2.3 or
below.

python-crypto is required for its MD5/DES/RC4 support. To obtain it,
see: http://www.amk.ca/python/code/crypto

For lsadump: system and SECURITY hives
For cachedump: system and SECURITY hives
For pwdump: system and SAM hives

USAGE

Dump cached domain hashes:
  usage: ./cachedump.py <system hive> <security hive>

Dump LSA secrets:
  usage: ./lsadump.py <system hive> <security hive>

Dump local password hashes:
  usage: ./pwdump.py <system hive> <SAM hive>

FEATURES

* Platform independent operation. The only inputs are the hive files
  from the system--we don't rely on any Windows functionality at all.
* Open-source and (hopefully!) readble implementations of Windows
  obfuscation algorithms used to protect LSA secrets, cached domain
  passwords, and 
* A reasonably forgiving registry file parser in pure Python. Look
  through framework/types.py and framework/win32/rawreg.py to see how it
  works.
* The first complete open-source implementation of advapi32's
  SystemFunction005. The version in the Wine source code does not
  appear to allow for keys longer than 7 bytes, while the Windows
  version (and this version) does. See decrypt_secret() in
  framework/win32/lsasecrets.py

AUTHOR

creddump is written by Brendan Dolan-Gavitt ([email protected]).
For more information on Syskey, LSA secrets, cached domain credentials,
and lots of information on volatile memory forensics and reverse
engineering, check out:

http://moyix.blogspot.com/

CREDITS
* AAron Walters. Much of the data type parsing code is taken from
  Volatility, an excellent memory analysis framework written in Python.
  He's also a really nice guy, and has helped me out a lot in my
  research.
  
  https://www.volatilesystems.com/default/volatility

* Massimiliano Montoro (mao), for reversing the mechanism Windows uses
  to derive the LSA key so that it can be computed directly from the
  hive files, as decribed in this post:
  
  http://oxid.netsons.org/phpBB2/viewtopic.php?t=149
  http://www.oxid.it/
  
* Jeremy Allison, for the details of the obfuscation applied to password
  hashes in the SAM, as implemented in the original pwdump.
  
  http://us4.samba.org/samba/ftp/pwdump/

* Nicola Cuomo, for his excellent description of the syskey mechanism
  and how it is used to encrypt the SAM in Windows 2000 and above.

  http://www.studenti.unina.it/~ncuomo/syskey/

* Eyas[at]xfocus.org, for x_dialupass2.cpp, which demonstrates how to
  read LSA secrets directly from the registry, given the LSA key.

  http://www.xfocus.net/articles/200411/749.html

  [Note: the above is in Chinese, but quite comprehensible if you use
   Google Translate and can read C ;)]

* Nicholas Ruff, for his perl implementation of des_set_odd_parity,
  which he apparently took from SSLEAY:

  http://seclists.org/pen-test/2005/Jan/0180.html

* Arnaud Pilon, for the details of how to retrieve cached domain, as
  implemented in cachedump.

  http://www.securiteam.com/tools/5JP0I2KFPA.html

* S�bastien Ke, for his cute hexdump recipe:

  http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812

LICENSE

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

More Repositories

1

enum4linux

enum4Linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts
Perl
936
star
2

bbqsql

SQL Injection Exploitation Tool
Python
673
star
3

NeoPI

Python
462
star
4

linikatz

linikatz is a tool to attack AD on UNIX
C
425
star
5

rdp-sec-check

rdp-sec-check is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services)
Perl
166
star
6

suddensix

IPV6 MITM attack tool
Shell
92
star
7

udp-proto-scanner

udp-proto-scanner is a Perl script which discovers UDP services by sending triggers to a list of hosts
Perl
86
star
8

unix-audit

Framework for generating audit commands for Unix security audits
Shell
65
star
9

mptcp-abuse

A collection of tools and resources to explore MPTCP on your network. Initially released at Black Hat USA 2014.
Python
58
star
10

udpy_proto_scanner

udpy_proto_scanner is a Python script which discovers UDP services by sending triggers to a list of hosts
Python
40
star
11

QRCode-Video-Data-Exfiltration

Exfiltrate data with QR code videos generated from files by HTML5/JS.
JavaScript
35
star
12

presentations

Presentations from the CX Security Labs team
28
star
13

ssl-cipher-suite-enum

ssl-cipher-suite enum is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
28
star
14

sslxray

sslxray is an SSL/TLS scanning tool designed to detect a wide range of issues
Python
22
star
15

log4j

Detection rules to look for Log4J usage and exploitation
YARA
18
star
16

http-dir-enum

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.
Perl
15
star
17

httpShell

CoffeeScript
14
star
18

WXPolicyEnforcer

Injectable Windows DLL which enforces a W^X memory policy on a process
C
14
star
19

sudo-parser

sudo-parser is a tool to audit complex sudoers files
Perl
13
star
20

CVE-2015-5119_walkthrough

Archive from the article CVE-2015-5119 Flash ByteArray UaF: A beginner's walkthrough
ActionScript
13
star
21

tlsplayback

tlsplayback is a set of Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers by exploiting 0-RTT
Python
12
star
22

mat

MAT is a tool to assess mobile applications
HTML
5
star
23

secdump

secdump is a simple meterpreter module that uploads and runs gsecdump
Ruby
4
star
24

FreeRDP-pth

FreeRDP-pth is a slightly modified version of FreeRDP that tries to authenticate using a password hash instead of a password
C
4
star
25

onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies
C
3
star
26

SSHatter

SSHatter is a Perl script to perform brute force attacks on SSH
Perl
3
star
27

UNIXSocketScanner

UNIXSocketScanner is a Perl script to scan UNIX domain sockets
Perl
2
star
28

cspCalculator

cspCalculator is a PoC implementation of a dynamic Content Security Policy creator
JavaScript
2
star
29

ms08-067-check

MS08-067 check is Python script which can anonymously check if a target machine or a list of target machines are affected by MS08-067 vulnerability
Python
2
star
30

allthevhosts

allthevhosts is a tool to scrape a series of web applications (including Bing and You Get Signal’s database) and looks at Subject Alternative Names in the SSL certificate to find as many web applications which resolve to an IP address as possible
Python
2
star
31

detect-horizontal-user-brute-force-attack

PowerShell PoC for detecting horizontal user brute force attacks
PowerShell
1
star
32

rmiInfo

rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities
Java
1
star
33

bsql-brute-forcer

bsql-brute-forcer is a Perl script allows extraction of data from Blind SQL Injections
Perl
1
star
34

iker

iker is a Python script to analyse the security of the key exchange phase in IPsec based VPNs
Python
1
star
35

nbtscan

NBTscan is a program for scanning IP networks for NetBIOS name information
C
1
star
36

hoppy

hoppy is a Python script to probe HTTP options and perform scanning for information disclosure issues
Python
1
star
37

ownCloud_RCE_CVE-2013-0303

ownCloud PoC for CVE-2013-0303
Python
1
star
38

acccheck

acccheck is a Perl script is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol
Perl
1
star
39

massSSgrab

massSSgrab is a tool that uses the JCIFS library to grab copies of both system and SAM files from “C:\windows\repair\” directory from multiple hosts
Java
1
star
40

vessl

vessl is a bash script that can fetch and verify the SSL certificate of a remote server
Shell
1
star
41

protoanal

Protocol analysis is a Python module which can be used in scripted analysis or interactively using ipython
Python
1
star
42

tcpy_scanner

Fast cross-platform TCP Connect Scanner written in Python
Python
1
star
43

viewstate

Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder
C
1
star
44

NVAPT

NVAPT is a set of shell scripts for a Not Very Advanced Persistent Threat PoC for iOS
Shell
1
star
45

apache-users

apache-users is a Perl script for finding user home directories that are exposed from Apache web server
Perl
1
star
46

AMES

AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI
Python
1
star
47

osboxdeploy

OSBoxDeploy is a set of Ansible playbooks and associated artefacts to deploy OpenStack compute hosted Docker containers. It is work in progress, so do not expect too much, too soon
Python
1
star
48

MIBparse

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as ‘snmpwalk’
Perl
1
star
49

bannergrab

BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services
C
1
star
50

openssl3-nov2022

Detection rules to look for OpenSSL 3.x usage and exploitation
1
star
51

ManySSL

ManySSL is a Perl script to enumerate supported SSL cipher suites supported by network services (principally HTTPS)
Perl
1
star
52

smaSHeM

smaSHeM is a System V shared memory segment manipulator
Shell
1
star
53

wordpress-build-review

WordPress Build Review is a tool to check the basic security settings in a WordPress installation
Shell
1
star
54

RPDscan

RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations
Python
1
star
55

crash

crash is a tool to catch crashes from OS X applications and print debugging information such as registers, disassembled code and a memory dump of the stack
C
1
star
56

mysql-bruteforcer

MySQL Bruteforcer is a Python script to assess the strength of the local MySQL access passwords
Python
1
star
57

whitepapers

Papers from the CX Security Labs team
1
star
58

HeaderCheck

HeaderCheck is a Python script used to check the security settings of various headers returned by web servers
Python
1
star
59

get-dhcp-opts

get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN, and dump the DHCP/BOOTP options
Python
1
star
60

whoislikeaboss

whoislikeaboss is a tool that takes the IP addresses given in a file (one per line), and will give you the range and owner of each of the addresses (with duplicates removed) so you can spot anything that looks fishy before you start testing
Python
1
star
61

winlanfoe

winlanfoe is a tool that parses the output from enum4linux and displays Domain/Workgroup membership, IP address, Operating System (OS) information and if a host is a domain controller
Perl
1
star