Credential dumping is a critical post-exploitation technique emphasized in the CompTIA PenTest+ curriculum under the 'Attacks and Exploits' domain. It involves the unauthorized extraction of valid authentication information—such as usernames, cleartext passwords, NTLM hashes, or Kerberos tickets—from a compromised system's memory or file system. The primary objective is to facilitate privilege escalation or lateral movement, allowing the attacker to access additional resources or systems within the network.
Once a penetration tester gains administrative or SYSTEM-level access to a host, they typically target specific storage locations where the operating system caches credentials. On Windows systems, the primary targets are the Security Account Manager (SAM) database, which stores local user account hashes, and the Local Security Authority Subsystem Service (LSASS) process memory. The tool most synonymous with this technique is Mimikatz, which can scrape LSASS memory to retrieve plaintext passwords (if WDigest is enabled) or hashes. In an Active Directory environment, attackers seek the 'NTDS.dit' database on Domain Controllers, which contains the credentials for every user in the domain.
Successfully dumped credentials enable further attacks, such as 'Pass-the-Hash,' where an attacker uses a captured hash to authenticate to remote servers without cracking the password, or offline cracking using tools like Hashcat. Understanding credential dumping is essential for penetration testers to demonstrate the impact of a breach, showing how a single compromised endpoint can lead to total domain compromise. Mitigation strategies include enabling Windows Defender Credential Guard, restricting local administrator privileges, and monitoring for suspicious process injection into LSASS.exe.
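The last sentence above names monitoring for suspicious access to LSASS as a mitigation. The following added example (not part of the original study guide) shows what that monitoring logic looks like in practice: it evaluates Sysmon Event ID 10 (ProcessAccess) records against lsass.exe, decodes the GrantedAccess mask into the process access rights from winnt.h, and flags any non-allowlisted source image that obtained memory-read, memory-write or thread-creation rights. The event records and the allowlist are constructed for the example; a production rule would match allowlisted images by full signed path rather than by file name.

```python
"""Flag suspicious handle opens against lsass.exe in Sysmon Event ID 10 records.
Added example for the study guide; the events and allowlist below are constructed."""

# Process access rights from winnt.h (these bit values are standard).
ACCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Reading or writing LSASS memory, or injecting a thread into it, is what a
# credential-dumping tool needs; merely querying process information is routine.
DANGEROUS_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020  # == 0x3A

# Assumed allowlist of benign source images (tune per environment; match full
# path and signer in production, a bare file name is trivially spoofable).
ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def describe_access(mask_hex: str) -> list[str]:
    """Decode a GrantedAccess value such as '0x1010' into right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with a dangerous right."""
    if event.get("EventID") != 10:
        return False
    target = event["TargetImage"].lower().rsplit("\\", 1)[-1]
    if target != "lsass.exe":
        return False
    source = event["SourceImage"].lower().rsplit("\\", 1)[-1]
    if source in ALLOWLIST:
        return False
    return bool(int(event["GrantedAccess"], 16) & DANGEROUS_MASK)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event, with the decoded rights."""
    return [
        {"time": e["UtcTime"], "source": e["SourceImage"],
         "rights": describe_access(e["GrantedAccess"])}
        for e in events if is_suspicious_lsass_access(e)
    ]


# Constructed Sysmon Event ID 10 records (only the fields the rule needs).
SAMPLE_EVENTS = [
    # Routine: wininit queries limited information about lsass.
    {"EventID": 10, "UtcTime": "2024-05-01 10:00:01", "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Routine: the AV engine reads lsass memory and is allowlisted.
    {"EventID": 10, "UtcTime": "2024-05-01 10:00:05", "GrantedAccess": "0x1410",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Suspicious: unknown binary in a temp directory obtains VM_READ on lsass.
    {"EventID": 10, "UtcTime": "2024-05-01 10:02:17", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Suspicious: full access (0x1FFFFF) to lsass from an unexpected process.
    {"EventID": 10, "UtcTime": "2024-05-01 10:03:40", "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\alice\Downloads\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Not lsass: full access to explorer.exe is out of scope for this rule.
    {"EventID": 10, "UtcTime": "2024-05-01 10:04:00", "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The decoded rights list is what makes a finding actionable: an analyst can see at a glance that the access included PROCESS_VM_READ rather than only a status query, and can compare the source image against the allowlist before escalating.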
Credential Dumping: CompTIA PenTest+ Study Guide
What is Credential Dumping? Credential dumping is a post-exploitation technique used to extract login information—such as usernames, cleartext passwords, and password hashes—from a compromised system. This data is typically harvested from the operating system's memory, the registry, or specific database files.
Why is it Important? It is a pivotal step in the Kill Chain. Once a pentester gains initial access to a machine, they rarely have the privileges needed to access the 'crown jewels' of the network. Credential dumping facilitates:
1. Privilege Escalation: Finding an Administrator's password on a low-level machine.
2. Lateral Movement: Using extracted credentials to log into other machines in the network to hunt for the Domain Controller.
How it Works Operating systems must store credentials to handle authentication and Single Sign-On (SSO) processes. Pentesters target these storage locations.
Windows Targets: The primary target is the LSASS (Local Security Authority Subsystem Service) process, which holds credentials in memory. Attackers also target the SAM (Security Account Manager) database for local account hashes and the NTDS.dit file on Domain Controllers for Active Directory hashes.
Linux Targets: The focus is usually on reading /etc/shadow (which stores hashes) and combining it with /etc/passwd to crack passwords offline.
Key Tools: Mimikatz is the most frequently tested tool for this purpose. Others include fgdump, pwdump, and ProcDump (Sysinternals).
Exam Tips: Answering Questions on Credential Dumping
When facing scenario-based questions on the CompTIA PenTest+ exam, look for these specific indicators:
1. The LSASS Process: If a question asks what process is being targeted to steal credentials, or mentions a dump of a specific process ID (PID), look for lsass.exe. Dumping the memory of LSASS is the standard method for retrieving NTLM hashes, cleartext passwords, or Kerberos tickets.
2. Registry Hives: Questions may ask which files are needed to crack local passwords offline. You must export both the SAM and SYSTEM registry hives (e.g., using reg save HKLM\SAM and reg save HKLM\SYSTEM). The SYSTEM hive contains the boot key necessary to decrypt the SAM.
3. Recognizing Mimikatz: Be familiar with Mimikatz syntax. If you see commands like sekurlsa::logonpasswords or lsadump::sam, the activity is credential dumping.
4. Domain Controllers (NTDS.dit): If the scenario involves compromising a Domain Controller to get all user hashes, the target file is NTDS.dit. This is the Active Directory database.
5. Remediation: If the question asks for mitigation strategies, the correct answers usually involve enabling Credential Guard (in Windows 10/Server 2016+), disabling WDigest negotiation, or restricting the 'Debug programs' user right (SeDebugPrivilege).
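The three remediations in tip 5 can all be checked from exported configuration text. The following added example (not from the study guide) parses a `reg export` file for the WDigest UseLogonCredential value and the Credential Guard configuration flag (LsaCfgFlags under the Lsa key, where 1 or 2 means Credential Guard is configured; this reflects configuration, not proof that it is running), and the [Privilege Rights] section of a `secedit /export /cfg` dump for holders of SeDebugPrivilege beyond the built-in Administrators group. A weak configuration and its corrected counterpart are shown side by side; both exports and the domain SID in them are constructed for the example.

```python
"""Audit WDigest, Credential Guard configuration and SeDebugPrivilege assignment
from exported Windows configuration text. Added example; inputs are constructed."""
import re

SID_ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators, the default holder
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax written by `reg export`: [key] headers,
    "name"=dword:XXXXXXXX and "name"="string" lines. Keys are lower-cased."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")$', line)
        if m and key:
            name, val = m.group(1), m.group(2)
            parsed = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
            values[(key.lower(), name.lower())] = parsed
    return values


def parse_secedit_privileges(text: str) -> dict:
    """Return {privilege: [SIDs]} from the [Privilege Rights] section of a
    secedit export, where entries look like `SeDebugPrivilege = *S-1-5-32-544`."""
    privs, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, rhs = (p.strip() for p in line.split("=", 1))
            privs[name] = [s.strip().lstrip("*") for s in rhs.split(",") if s.strip()]
    return privs


def audit(reg_values: dict, privileges: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means all three pass."""
    findings = []
    wdigest = reg_values.get((WDIGEST_KEY.lower(), "uselogoncredential"))
    if wdigest == 1:
        findings.append("WDigest UseLogonCredential=1: LSASS keeps cleartext passwords in memory")
    elif wdigest is None:
        findings.append("WDigest UseLogonCredential not set: default depends on OS build, set it to 0")
    if reg_values.get((LSA_KEY.lower(), "lsacfgflags"), 0) not in (1, 2):
        findings.append("Credential Guard not configured (LsaCfgFlags is not 1 or 2)")
    extra = [s for s in privileges.get("SeDebugPrivilege", []) if s != SID_ADMINISTRATORS]
    if extra:
        findings.append("SeDebugPrivilege ('Debug programs') granted beyond Administrators: " + ", ".join(extra))
    return findings


# Constructed weak configuration: WDigest caching on, no Credential Guard,
# and an extra domain principal holding the Debug programs right.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaCfgFlags"=dword:00000000
"""
WEAK_SECEDIT = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed corrected configuration for the same three settings.
HARDENED_REG = WEAK_REG.replace('"UseLogonCredential"=dword:00000001', '"UseLogonCredential"=dword:00000000') \
                       .replace('"LsaCfgFlags"=dword:00000000', '"LsaCfgFlags"=dword:00000001')
HARDENED_SECEDIT = WEAK_SECEDIT.replace(",*S-1-5-21-1111111111-2222222222-3333333333-1105", "")

if __name__ == "__main__":
    for label, reg, sec in (("weak", WEAK_REG, WEAK_SECEDIT), ("hardened", HARDENED_REG, HARDENED_SECEDIT)):
        print(label, audit(parse_reg_export(reg), parse_secedit_privileges(sec)) or ["no findings"])
```

On a live host the two inputs come from `reg export` of the WDigest and Lsa keys and from `secedit /export /cfg`; the parsers accept those files as written, and the audit treats an absent UseLogonCredential value as a finding because its default differs between OS builds.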