CacheDump, licensed under the GPL, demonstrates how to recover cache entry information: username and MSCASH. Administrators or security consultants are welcome to use this program; malicious users can't do anything with it as long as they do not have Administrator privileges. CacheDump does not rely on the DLL-injection method used in pwdump or lsadump2; it creates an NT service on the fly in order to read the static LSA key from LSASS.EXE's process memory, and deciphers the cache entries to expose the MSCASH values. CacheDump's output is similar to pwdump's, with of course a different hash function; a plugin for the John the Ripper password cracker has been developed for offline dictionary and brute-force cracking.

These flags are helpful for troubleshooting:

- -v : Verbose mode;
- -vv : Very verbose mode - displays every step of the dump process;
- -K : Kill and remove the service, in case a previous run of CacheDump died unexpectedly.