creddump7
Python tool to extract credentials and secrets from Windows registry hives. Based on the original creddump program with many patches and fixes applied.
Description
creddump7 is a Python-based tool designed to extract various credentials and secrets stored in Windows registry hives. It serves as an enhanced version of the original creddump program, incorporating numerous patches and fixes contributed by Ronnie Flathers to improve reliability and functionality.
The tool is particularly useful in forensic investigations and post-exploitation scenarios where access to Windows registry hives has been obtained. It targets sensitive data such as password hashes, cached credentials, and other secrets that Windows stores in the registry for authentication purposes.
creddump7 finds application in red team engagements and digital forensics, specifically aligned with MITRE ATT&CK techniques under Credential Access (TA0006), including Windows Credentials from the SAM database. It is part of professional training curricula like OffSec's PEN-300 course.
How It Works
creddump7 operates by parsing Windows registry hive files, primarily SYSTEM, SECURITY, and SAM hives, to locate and decrypt stored credentials. The tool includes specialized modules: pwdump.py for password hashes from SAM, lsadump.py for LSA secrets, and cachedump.py for cached domain credentials. It leverages Python libraries like pycryptodome for cryptographic operations required to extract and decode the secrets from their encrypted forms in the registry structures.
Installation
sudo apt install creddump7
Examples
creddump7 -h
python3 /usr/share/creddump7/pwdump.py [SAM] [SYSTEM]
python3 /usr/share/creddump7/lsadump.py [SECURITY] [SYSTEM]
python3 /usr/share/creddump7/cachedump.py [SYSTEM] [SECURITY]
tree /usr/share/creddump7
ls /usr/share/creddump7