Cached Credentials


In Kerberos authentication, Ticket Granting Tickets (TGTs) have a limited lifespan. To avoid requiring the user to manually re-enter their password every time the TGT needs to be renewed, the user's credentials (like their password hash) are temporarily cached on the system. This allows automatic renewal of the TGT without user intervention.

LSASS Process

LSASS (Local Security Authority Subsystem Service): The LSASS process is responsible for handling security tokens, enforcing security policies, and managing user logins on a Windows system. It also securely stores credentials.

LSASS temporarily holds these credentials in memory so that it can automatically renew the TGT when it expires.

A user with local administrator permissions can dump the hashes of all logged-in users using:

privilege::debug # request the debug privilege (SeDebugPrivilege), needed to read LSASS memory
sekurlsa::logonpasswords # extracting cached credentials

Tickets can also be dumped using the following mimikatz command:

sekurlsa::tickets  # extracting cached tickets
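From the defender's side, reads of LSASS memory like the ones above surface as process-access events. The following added example (not part of the original notes) filters Sysmon Event ID 10 records for handles to lsass.exe that include PROCESS_VM_READ; the sample events and the allowlist are constructed assumptions.

```python
# Added example: flag processes that open LSASS with memory-read rights.
# Field names follow Sysmon Event ID 10 (ProcessAccess).
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Hypothetical allowlist of software expected to read LSASS on this fleet.
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "SourceImage": r"C:\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "n/a"},
]


def suspicious_lsass_access(events, allowed=ALLOWED_SOURCES):
    """Return (source image, reason) for each non-allowlisted LSASS memory read."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue  # not a ProcessAccess event
        if ev.get("TargetImage", "").lower() != LSASS_PATH:
            continue  # some other process was opened
        source = ev.get("SourceImage", "")
        if source.lower() in allowed:
            continue  # expected reader
        try:
            access = int(ev.get("GrantedAccess", ""), 16)
        except ValueError:
            # Keep malformed records visible instead of silently dropping them.
            hits.append((source, "unparseable GrantedAccess"))
            continue
        if access & PROCESS_VM_READ:
            hits.append((source, hex(access)))
    return hits


if __name__ == "__main__":
    for source, reason in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS read by {source}: {reason}")
```

The allowlist is the part that needs tuning per environment: with it emptied, the security product in the sample is reported as well.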