
creddump7

Python tool to extract credentials and secrets from Windows registry hives. Based on the original creddump program with many patches and fixes applied.

Description

creddump7 is a Python-based tool designed to extract various credentials and secrets stored in Windows registry hives. It serves as an enhanced version of the original creddump program, incorporating numerous patches and fixes contributed by Ronnie Flathers to improve reliability and functionality.

The tool is particularly useful in forensic investigations and post-exploitation scenarios where access to Windows registry hives has been obtained. It targets sensitive data such as password hashes, cached credentials, and other secrets that Windows stores in the registry for authentication purposes.

creddump7 is used in red team engagements and digital forensics, and maps to MITRE ATT&CK techniques under Credential Access (TA0006), including dumping Windows credentials from the SAM database. It is also part of professional training curricula such as OffSec's PEN-300 course.

How It Works

creddump7 operates by parsing Windows registry hive files, primarily the SYSTEM, SECURITY, and SAM hives, to locate and decrypt stored credentials. The tool includes specialized modules: pwdump.py for password hashes from the SAM hive, lsadump.py for LSA secrets, and cachedump.py for cached domain credentials. Because these secrets are stored encrypted in the registry structures, it relies on Python cryptography libraries such as pycryptodome to decrypt and decode them.

Installation

```bash
sudo apt install creddump7
```

Examples

Display help information and usage for the creddump7 tool:

```bash
creddump7 -h
```

Extract password hashes from the SAM hive, using the SYSTEM hive for the decryption keys:

```bash
python3 /usr/share/creddump7/pwdump.py [SAM] [SYSTEM]
```

Dump LSA secrets from the SECURITY hive, using the SYSTEM hive:

```bash
python3 /usr/share/creddump7/lsadump.py [SECURITY] [SYSTEM]
```

Extract cached domain credentials from the SYSTEM and SECURITY hives:

```bash
python3 /usr/share/creddump7/cachedump.py [SYSTEM] [SECURITY]
```

Show the directory structure of the creddump7 installation:

```bash
tree /usr/share/creddump7
```

List the main files and directories in the creddump7 package:

```bash
ls /usr/share/creddump7
```
Updated 2026-04-16, source: kali.org