Credential dumping is extracting stored account credentials from a system, typically password hashes from the Windows SAM and the LSASS process, the NTDS.dit database on a Domain Controller, or /etc/shadow on Linux. The dumped hashes are then either cracked or passed directly to authenticate elsewhere. It usually requires local admin or SYSTEM, and tools like Mimikatz and secretsdump automate it. It maps to MITRE ATT&CK technique T1003 (OS Credential Dumping).
What credential dumping is
Credential dumping is reaching into the places an operating system stores credentials and pulling them out. On Windows that means the LSASS process memory, the SAM registry hive, and LSA secrets; on a Domain Controller, the NTDS.dit database; on Linux, /etc/shadow.
What comes out is mostly password hashes, which are then cracked or reused directly.
How it is done
Dumping generally needs local admin or SYSTEM on the target. Common routes:
- LSASS memory: Mimikatz sekurlsa::logonpasswords, or a process dump parsed offline.
- SAM + SYSTEM hives: save the registry hives and extract the local hashes (secretsdump.py).
- NTDS.dit: pull it from a DC (often via a Volume Shadow Copy) or replicate it with DCSync.
- /etc/shadow: read it as root and crack with John.
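As an added example that is not part of the original page: a small Python detector, run over constructed Sysmon-style records, that flags the two Windows routes listed above (a process reading LSASS memory, and an export of the SAM/SYSTEM/SECURITY hives). The Sysmon event IDs and field names are real; the allowlisted path and the sample records are assumptions.

```python
# Detector for the two Windows dumping routes above, run over constructed
# Sysmon-style records (EventID 10 = ProcessAccess, EventID 1 = ProcessCreate).

# Windows access right a process needs to read another process's memory.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist: tools expected to read LSASS in this environment.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Registry hives whose export yields local hashes and LSA secrets.
HIVE_NAMES = ("hklm\\sam", "hklm\\system", "hklm\\security")


def classify(event):
    """Return a finding string for a suspicious record, or None (heuristic)."""
    eid = event.get("EventID")
    if eid == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0"), 16)
        if target.endswith("\\lsass.exe") and source not in ALLOWED_LSASS_READERS \
                and granted & PROCESS_VM_READ:
            return f"LSASS memory read by {source} (access 0x{granted:04x})"
    elif eid == 1:
        cmd = event.get("CommandLine", "").lower()
        if "reg" in cmd and "save" in cmd and any(h in cmd for h in HIVE_NAMES):
            return f"Registry hive export: {event.get('CommandLine')}"
    return None


def scan(events):
    """Apply classify() to every record and return the findings in order."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.save"},
    {"EventID": 1, "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the allowlisted reader and the notepad launch are dropped; the unknown reader of LSASS and the hive export each produce one finding.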
What happens to the dump
Dumped credentials are turned into access two ways:
- Crack the hash offline with Hashcat or John to recover the cleartext password.
- Use the hash directly with Pass-the-Hash; NTLM authentication accepts the hash itself, so no cracking is needed.
Either way the attacker now authenticates as that account and moves on across the network.