Domain Cached Credentials
Domain Cached Credentials (DCC) exist for the case where domain credentials are required to log on to a machine even while it is disconnected from the domain (think of a roaming laptop, for example). The local device caches a hash derived from the domain credentials (MSCache v2, also called DCC2, on Vista and later) so that authentication can happen locally. These cached hashes can be extracted and cracked offline to recover plaintext credentials.
Unfortunately, the hash format is not NTLM, so it cannot be used for pass-the-hash: DCC2 is a salted (with the lowercased username) and iterated PBKDF2 derivative of the NT hash, not the NT hash itself. The only viable use for these is to crack them offline.
The lsadump::cache Mimikatz module can extract these from the HKLM\SECURITY hive. This command requires elevated privileges: the hive is only readable as SYSTEM, so run privilege::debug and token::elevate first (or run Mimikatz as SYSTEM).
To crack these with hashcat (mode 2100, "Domain Cached Credentials 2 (DCC2), MS Cache 2"), we need to transform them into the expected format. The example hashes page shows us it should be $DCC2$<iterations>#<username>#<hash>. Mimikatz prints the iteration count once ("Iteration is set to default (10240)") and a MsCacheV2 value for each user, so each entry becomes $DCC2$10240#<username>#<MsCacheV2>. Use the username in lowercase, since the lowercased username is the salt.
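As an added example (not code from this page, from Mimikatz or from hashcat), the script below shows what that format encodes: it computes a DCC2 value from a username and password the way Windows does (DCC1 = MD4(NT hash || lowercased user), DCC2 = PBKDF2-HMAC-SHA1 over DCC1 with the lowercased user as salt), converts lsadump::cache output into hashcat 2100 lines, and checks itself against the hashcat example hash for user tom / password hashcat. MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 builds. The sample Mimikatz output and the second user's hash are constructed placeholders, not real data.

```python
import hashlib
import re
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Needed for both the NT hash and DCC1;
    hashlib.new('md4') is often missing on OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n):
        x &= MASK32
        return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for i in range(16):  # round 1: F, message words in order
            j = (-i) % 4
            b, c, d = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
            v[j] = rotl(v[j] + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,9,13,...
            j = (-i) % 4
            b, c, d = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
            v[j] = rotl(v[j] + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999,
                        (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,6,14,...
            j = (-i) % 4
            b, c, d = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            v[j] = rotl(v[j] + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """MSCache v2 (DCC2) as Windows stores it in the SECURITY hive.
    The salt is the lowercased username in UTF-16LE, 16-byte output."""
    user = username.lower().encode("utf-16le")
    dcc1 = md4(nt_hash(password) + user)  # MSCache v1 (DCC1)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, 16)


def to_hashcat(username: str, mscachev2_hex: str, iterations: int = 10240) -> str:
    """Format one cache entry for hashcat mode 2100: $DCC2$<iter>#<user>#<hash>."""
    return f"$DCC2${iterations}#{username.lower()}#{mscachev2_hex.lower()}"


# Matches the per-user "User : DOMAIN\name" / "MsCacheV2 : hex" pairs Mimikatz prints.
ENTRY_RE = re.compile(r"User\s*:\s*(?:\S+\\)?(\S+)\s+MsCacheV2\s*:\s*([0-9a-fA-F]{32})")
ITER_RE = re.compile(r"Iteration is set to default \((\d+)\)")


def mimikatz_cache_to_hashcat(output: str) -> list[str]:
    """Turn lsadump::cache output into one hashcat 2100 line per cached user."""
    m = ITER_RE.search(output)
    iterations = int(m.group(1)) if m else 10240
    return [to_hashcat(user, h, iterations) for user, h in ENTRY_RE.findall(output)]


# Constructed sample of lsadump::cache output (hypothetical domain and SIDs).
# tom's value is hashcat's published 2100 example hash; Jane.Doe's is a placeholder.
SAMPLE_LSADUMP_CACHE = r"""
Domain : CORP / S-1-5-21-1111111111-2222222222-3333333333

Iteration is set to default (10240)

[NL$1 - 1/2/2024 9:15:03 AM]
RID       : 00000451 (1105)
User      : CORP\tom
MsCacheV2 : e4e938d12fe5974dc42a90120bd9c90f

[NL$2 - 1/2/2024 9:20:41 AM]
RID       : 00000452 (1106)
User      : CORP\Jane.Doe
MsCacheV2 : 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for line in mimikatz_cache_to_hashcat(SAMPLE_LSADUMP_CACHE):
        print(line)
    # Self-check: password "hashcat" for user tom must reproduce the example hash.
    print("tom/hashcat ->", dcc2("tom", "hashcat").hex())
```

Feed the printed lines to hashcat -m 2100 with a wordlist; the self-check line demonstrates why cracking is slow, since every candidate costs 10240 HMAC-SHA1 iterations on top of the MD4s.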
DCC2 is orders of magnitude slower to crack than NTLM: every candidate password costs 10240 PBKDF2-HMAC-SHA1 iterations rather than a single MD4, so favour targeted wordlists and rules over brute force.

OPSEC
This module will open a handle to the SECURITY registry hive. Use the "Suspicious SECURITY Hive Handle" saved search in Kibana to see them.