Cached Credentials & LSA secrets

Use creddump to extract various credentials and secrets from Windows registry hives. It currently extracts LM and NT hashes, cached domain passwords and LSA secrets.
cachedump does the same.

You can also use John The Ripper or Cain and Abel to retrieve the hashes.

Please note that Cached Credentials use a different hash than LM or NTLM: the password hash is salted with the lowercase username.

XP Cached Credentials

The username is appended to the NTLM hash of the password and then that value is hashed using MD4:
MD4(MD4(password) + username)

Vista/Seven Cached Credentials

Vista and Seven use the same process as XP to create the cached credential, then apply PBKDF2 on top of it. PBKDF2 uses SHA1 as its hash function, takes the XP cached credential as input, salts it with the lowercase username, and repeats for the specified number of iterations (1024).


We currently do not support cracking cached credentials. If you are interested, answer the poll!