How to extract Cached Credentials & LSA secrets

Intro

/!\ This is for educational purposes only, and should not be used for unauthorized access, tampering or accessed illegally without owner permission.

This page will help you to extract and manipulate the Windows Cached Credentials.
"Cached and Stored Credentials Technical Overview" from Microsoft is a must-reading to understand oh it works.

LSA secrets

LSA secrets is an area in the registry where Windows stores important information. This includes:

Account passwords for services that are set to run by operating system users as opposed to Local System, Network Service and Local Service.
Password used to logon to Windows if auto-logon is enabled or, generally, the password of the user logged to the console (DefaultPassword entry).

LSA secrets are stored in registry hive HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Each secret has its own key. The parent key, HKEY_LOCAL_MACHINE/Security/Policy, contains the data necessary for accessing and decoding the secrets.

Tools to extract Windows Credentials & LSA secrets

These tools will extract cached credentials and LSA secrets from the Regsitry and/or from lsass.exe process. Thus, they can be considered as 'hacking tools' and blocked by some Antivirus. Use at your own risks !

Creddump

creddump is a python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:

LM and NT hashes (SYSKEY protected)
Cached domain passwords
LSA secrets

It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way. It is also the first tool that does all of these things in an offline way (actually, Cain & Abel does, but is not open source and is only available on Windows).

CacheDump

CacheDump will create a CacheDump NT Service to get SYSTEM right and make his stuff on the registry. Then, it will retrieve the LSA Cipher Key to decrypt (rc4/hmac_md5 GloubiBoulga) cache entries values.

QuarksPwdump

quarkspwdump is a native Win32 tool to extract credentials from Windows operating systems. It currently extracts :

Local accounts NT/LM hashes + history
Domain accounts NT/LM hashes + history
Cached domain password
Bitlocker recovery information (recovery passwords & key packages)

Supported OS : XP/2003/Vista/7/2008/8

gsecdump

gsecdump extracts hashes from SAM/AD and active logon sessions.
It can also extract LSA secrets. Works for both x86 and x64. Windows 2000 - 2008.

mimikatz

mimikatz can, among other things, extract hashes and other cendentials stored in memory and in registry.
Check papers for more informationn : http://blog.gentilkiwi.com/presentations

Remove stored passwords, certificates, and other credentials

Windows 7 and upper

Open User Accounts by clicking the Start button Picture of the Start button, clicking Control Panel, clicking User Accounts and Family Safety (or clicking User Accounts, if you are connected to a network domain), and then clicking User Accounts.
In the left pane, click Manage your credentials.
Click the vault that contains the credential that you want to remove.
Click the credential that you want to remove, and then click Remove from vault.

Windows XP and lower

You can run this command :

rundll32.exe keymgr.dll,KRShowKeyMgr

How to extract Cached and Stored Credentials & LSA secrets

Cached Credentials & LSA secrets