Windows Gather Credential Cache Dump
This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.
Rank
- Normal
Authors
- Maurizio Agazzini < inode [at] mediaservice.net >
- Rob Fuller < mubix [at] hak5.org >
Vulnerability References
Development
Similar Modules
- post/windows/gather/arp_scanner
- post/windows/gather/bitcoin_jacker
- post/windows/gather/checkvm
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
- post/windows/gather/credentials/filezilla_server
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use post/windows/gather/cachedump
msf post(cachedump) > set SESSION [INTEGER]
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use post/windows/gather/cachedump
msf post(cachedump) > set SESSION [INTEGER]
Module Options
| DEBUG | Debugging output |
| SESSION | The session to run this module on. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |