What is credential dumping and why you should be aware of it?


Isn't it wonderful how every time you visit a web site that you've previously visited, your browser conveniently remembers your password? It feels good to be remembered, right? But, have you ever thought of the possibilities of someone snooping around and getting their hands on your password?

Credential dumping refers to the act of extracting user credentials (usernames and passwords, or material equivalent to them) from an operating system or a piece of software. Credentials are usually recovered either as a hash or in clear text, and are then used for lateral movement, to reach restricted information, or to install malware. Once this is done, the attacker can log in to the system at will and access the information stored on it.

Put simply, credential dumping is like a thief making a duplicate key to your car or house. Once a credential is compromised, an attacker can get inside the network whenever they want and, like a germ in the human body that damages vital organs, can spread from system to system and cause damage to your organization's crown jewels.

Once inside the network, they keep changing important settings until an affected user contacts their administrator. When the administrator logs on to the user's system, the attacker captures the admin credential from that session and uses it to reach other systems in the network.

So, where do these passwords get stored and how does the attacker get them?

  1. Security Accounts Manager (SAM)

     In Windows, the SAM is a database file that holds the host's local accounts, typically the ones listed by the ‘net user’ command. Reading the SAM requires SYSTEM-level access. Tools that dump its contents from memory include:

     • Mimikatz
     • gsecdump
     • pwdumpx.exe
     • secretsdump.py

     Alternatively, the SAM and SYSTEM hives can be saved from the registry with the reg command (the SYSTEM hive is needed because it holds the boot key that encrypts the hashes in the SAM):

     reg save HKLM\sam sam

     reg save HKLM\system system

     The saved hives can then be processed offline with a tool such as Creddump7 (or Impacket's secretsdump.py) to recover the password hashes.

  2. WDigest

     WDigest is a legacy authentication protocol in Windows. When it is enabled, the Local Security Authority Subsystem Service (LSASS) keeps a clear-text copy of the password of every logged-on user in memory. Clear-text caching is disabled by default on current Windows versions, but the provider still exists, and it is controlled by a single registry value (UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest). Attackers with administrative access frequently set that value to 1 and wait for the next logon so that they can read the password from LSASS.

  3. Kerberos

     The Kerberos protocol issues tickets (a ticket-granting ticket at logon, then a service ticket per service) that prove a user's identity to services on the network. Although the protocol itself is considered strong, the tickets and the keys that sign them are just data on the client and the domain controller. An attacker can steal tickets from a compromised system's memory and inject them into their own session, or, with the right key material (such as the krbtgt account's hash), forge tickets that the domain will accept.

  4. LSA Secrets

     The Local Security Authority (LSA) handles authentication and user logon on a Windows system and enforces the local security policy. Secrets the LSA needs, such as service account passwords, cached domain credentials and machine account keys, are stored in a protected area of the registry (HKLM\SECURITY\Policy\Secrets) known as LSA secrets. The area is readable only as SYSTEM, but an attacker who reaches that level can extract everything in it.

  5. Proc filesystem

     On Linux, the proc filesystem (/proc) exposes the state of the kernel and of every running process. If an attacker can run a process as root, they can read the live memory of other processes through /proc/<pid>/mem (or attach to them with ptrace) and scrape it for anything that looks like a credential. Any passwords held in memory as hashes or in clear text can be extracted this way.

Further, if an attacker gains access to a domain controller, the server responsible for authentication across the domain, they find additional places where credentials are stored or can be obtained:

  1. NTDS

     Active Directory stores the domain's accounts and their password hashes in the NTDS.dit database file on each domain controller. Whoever can read that file (together with the SYSTEM hive that holds its boot key) can recover the hash of every account in the domain.

  2. Group Policy Preference files

     Group Policy Preferences allowed administrators to embed account passwords in policy files, for example to set a local administrator password. These files live in the SYSVOL share, which every domain user can read, and the password is stored in an encrypted form (the cpassword attribute) whose AES key Microsoft published, so any domain user can decrypt it. Microsoft removed the ability to create such policies, but existing files remain until someone deletes them.

  3. DCSync

     DCSync is a technique in which the attacker impersonates a domain controller: using the directory replication API (DRSUAPI), they ask a real domain controller to replicate account data, and the domain controller obligingly sends the password hashes. No code runs on the domain controller itself; the attacker only needs an account that holds the replication rights (Replicating Directory Changes and Replicating Directory Changes All), which by default belong to domain controllers and domain administrators.

How does an attacker use the credentials?

Once an attacker has the credentials, the rest is straightforward. A clear-text password can be used to log in right away. If the attacker only has a hash, there are two options: crack it offline (hash candidate passwords and compare, which is fast for NT hashes because they are unsalted MD4), or use the hash directly.

The second option works because of how Windows stores and verifies passwords. The authenticating server does not keep the password, nor a reversibly encrypted copy of it; it keeps a one-way hash. In NTLM authentication the password is never sent over the network either: the server issues a random challenge, the client computes a response keyed with the NT hash of the password, and the server computes the same response from the hash it has on file. If the two match, access is granted.

Anything that can compute that response is therefore as good as the password, and the hash alone can. An attacker who submits a response computed from a stolen hash is indistinguishable from the real user. This technique is known as passing the hash.

Similarly, when Kerberos is used for authentication, an attacker may take a ticket (and the session key that accompanies it) out of a compromised system's memory and inject it into their own session to access services as that user. This technique is known as passing the ticket.
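The exchange described above, as an added example that is not part of the original article: the NT hash really is MD4 over the UTF-16LE password and the NTLMv2 proof really is HMAC-MD5 as specified in MS-NLMP, but the user name, domain, challenge and the simplified client blob are constructed for the demo. MD4 is implemented inline because hashlib no longer ships it on many OpenSSL 3 builds.

```python
"""Why a dumped NT hash is a password equivalent under NTLM (added example)."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because hashlib may lack MD4."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                       # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, so a dumped copy is reusable as-is."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP. Note that only the NT hash goes in, never the password."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
    """The authenticating server holds the same NT hash and simply recomputes the proof."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)


def pass_the_hash_demo() -> dict:
    """Both the real user and an attacker holding only the dumped hash get in."""
    user, domain, password = "alice", "CORP", "password"       # constructed values
    stored_nt = nt_hash(password)                              # what the SAM / NTDS keeps
    challenge = os.urandom(8)                                  # server's random challenge
    blob = struct.pack("<BBHI", 1, 1, 0, 0) + os.urandom(8)    # simplified NTLMv2 client blob
    legit = ntlmv2_proof(nt_hash(password), user, domain, challenge, blob)
    dumped_nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password", as dumped
    forged = ntlmv2_proof(dumped_nt, user, domain, challenge, blob)
    wrong = ntlmv2_proof(nt_hash("wrong"), user, domain, challenge, blob)
    return {
        "legit_user_accepted": server_verify(stored_nt, user, domain, challenge, blob, legit),
        "pass_the_hash_accepted": server_verify(stored_nt, user, domain, challenge, blob, forged),
        "wrong_hash_rejected": not server_verify(stored_nt, user, domain, challenge, blob, wrong),
    }


if __name__ == "__main__":
    print(pass_the_hash_demo())
```

The server never learns whether the client started from a password or from a hash, which is the whole point: protecting the hash matters as much as protecting the password.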

What can be done?

There are several ways to protect your network against credential dumping. Some of them are:

  1. Monitor access to LSASS (processes opening it with read access, minidump tooling) and to the SAM, SYSTEM and SECURITY hives, including ‘reg save’ and reads of shadow copies. Enabling LSA protection (the RunAsPPL registry value) stops unsigned processes from opening LSASS at all.
  2. Restrict the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All) to domain controllers and the few service accounts that genuinely need them, and alert whenever any other account exercises them.
  3. Disable or restrict NT LAN Manager (NTLM) where possible, and keep WDigest clear-text caching turned off (UseLogonCredential set to 0).
  4. Monitor domain controller logs for unscheduled activity: logons outside maintenance windows, replication requests from hosts that are not domain controllers, and access to NTDS.dit or its volume shadow copies.
  5. Alert on the command-line arguments used by credential dumping tools (for example sekurlsa::, lsadump::, or reg save HKLM\sam).
  6. Do not add domain admin accounts to the local Administrators groups of workstations and member servers; use separate, tiered administrative accounts so that a compromised workstation never has domain admin credentials in its memory.
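The detection logic for items 1, 2, 4 and 5 above, run over constructed sample log lines, as an added example that is not part of the original article and is not EventLog Analyzer's logic. The lines use an assumed key=value rendering of Sysmon event 1 (process create), Sysmon event 10 (process access) and Windows security event 4662 (directory service access); the field names and the allowlist of legitimate LSASS readers are assumptions, while the access-mask bit and the two replication-right GUIDs are the real values.

```python
"""Flag credential-dumping indicators in sample log lines (added example)."""
import re
from typing import List, Optional

# Command-line fragments typical of the tools named in the article.
DUMP_CMDLINE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"sekurlsa::",                                        # mimikatz logonpasswords / pth
    r"lsadump::",                                         # mimikatz sam / lsa / dcsync
    r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b",
    r"secretsdump",
    r"procdump.*\blsass\b",
    r"comsvcs(\.dll)?.*minidump",                         # rundll32 comsvcs.dll MiniDump
)]

PROCESS_VM_READ = 0x0010   # GrantedAccess bit needed to copy LSASS memory
LSASS_READER_ALLOWLIST = {  # assumption: tune to what legitimately reads LSASS on your hosts
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Control access rights a DCSync request exercises (real GUIDs).
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split a key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def analyse(line: str) -> Optional[str]:
    """Return an alert string for a suspicious line, or None for a benign one."""
    f = parse(line)
    event = f.get("EventID")
    if event == "1":                                   # process creation: check command line
        cmd = f.get("CommandLine", "")
        for pat in DUMP_CMDLINE_PATTERNS:
            if pat.search(cmd):
                return f"credential-dump command line ({pat.pattern}): {cmd}"
    elif event == "10":                                # process access: LSASS read by a stranger
        if f.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            granted = int(f.get("GrantedAccess", "0x0"), 16)
            source = f.get("SourceImage", "").lower()
            if granted & PROCESS_VM_READ and source not in LSASS_READER_ALLOWLIST:
                return f"LSASS memory read by {source} (GrantedAccess=0x{granted:x})"
    elif event == "4662":                              # directory access: replication by non-DC
        account = f.get("SubjectUserName", "")
        props = f.get("Properties", "").lower()
        hits = [name for guid, name in DCSYNC_RIGHTS.items() if guid in props]
        if hits and not account.endswith("$"):         # DC machine accounts end in $
            return f"replication rights {hits} exercised by non-DC account {account}"
    return None


def run(lines: List[str]) -> List[str]:
    return [alert for alert in map(analyse, lines) if alert]


# Constructed sample events: indexes 0, 1, 3 and 5 should alert; 2, 4 and 6 are benign.
SAMPLE_LOGS = [
    r'EventID=1 Image="C:\Windows\System32\reg.exe" CommandLine="reg save HKLM\sam C:\temp\sam"',
    r'EventID=1 Image="C:\Users\bob\Desktop\m.exe" CommandLine="m.exe privilege::debug sekurlsa::logonpasswords exit"',
    r'EventID=1 Image="C:\Windows\System32\reg.exe" CommandLine="reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"',
    r'EventID=10 SourceImage="C:\Users\bob\Desktop\procdump64.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1FFFFF"',
    r'EventID=10 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1410"',
    r'EventID=4662 SubjectUserName="bob" Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'EventID=4662 SubjectUserName="DC02$" Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

The allowlist is the part that needs care in a real deployment: antivirus engines and EDR agents legitimately open LSASS with read access, so start from what your own hosts show before turning the LSASS rule into a paging alert.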

How a log management solution can help against credential dumping

A log management solution lets you monitor your network activity continuously. EventLog Analyzer, a comprehensive log management solution, provides real-time alerts and out-of-the-box reports on network activity such as registry changes, privilege abuse, account lockouts, and more.


Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.