{"id":13475083,"url":"https://github.com/moyix/creddump","last_synced_at":"2025-08-03T06:15:26.651Z","repository":{"id":29914938,"uuid":"33460801","full_name":"moyix/creddump","owner":"moyix","description":"Automatically exported from code.google.com/p/creddump","archived":false,"fork":false,"pushed_at":"2019-05-08T14:26:25.000Z","size":30,"stargazers_count":249,"open_issues_count":6,"forks_count":51,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-04-24T04:08:34.683Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moyix.png","metadata":{"files":{"readme":"README","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-06T00:59:49.000Z","updated_at":"2025-03-09T17:14:30.000Z","dependencies_parsed_at":"2022-09-06T15:40:43.768Z","dependency_job_id":null,"html_url":"https://github.com/moyix/creddump","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moyix%2Fcreddump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moyix%2Fcreddump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moyix%2Fcreddump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moyix%2Fcreddump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moyix","download_url":"https://codeload.github.com/moyix/creddump/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250560052,"owners_count":2145
0172,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:01:17.244Z","updated_at":"2025-04-24T04:08:42.899Z","avatar_url":"https://github.com/moyix.png","language":"Python","readme":"OVERVIEW\n\ncreddump is a Python tool to extract various credentials and secrets from\nWindows registry hives. It currently extracts:\n* LM and NT hashes (SYSKEY protected)\n* Cached domain passwords\n* LSA secrets\n\nIt essentially performs all the functions that bkhive/samdump2,\ncachedump, and lsadump2 do, but in a platform-independent way.\n\nIt is also the first tool that does all of these things in an offline\nway (actually, Cain \u0026 Abel does, but is not open source and is only\navailable on Windows).\n\nREQUIREMENTS\n\ncreddump has only been tested on Python 2.5. It should work on 2.4 as\nwell, but will likely need modification before it will work on 2.3 or\nbelow.\n\npython-crypto is required for its MD5/DES/RC4 support. To obtain it,\nsee: http://www.amk.ca/python/code/crypto\n\nFor lsadump: SYSTEM and SECURITY hives\nFor cachedump: SYSTEM and SECURITY hives\nFor pwdump: SYSTEM and SAM hives\n\nUSAGE\n\nDump cached domain hashes:\n  usage: ./cachedump.py \u003csystem hive\u003e \u003csecurity hive\u003e\n\nDump LSA secrets:\n  usage: ./lsadump.py \u003csystem hive\u003e \u003csecurity hive\u003e\n\nDump local password hashes:\n  usage: ./pwdump.py \u003csystem hive\u003e \u003cSAM hive\u003e\n\nFEATURES\n\n* Platform-independent operation. 
The only inputs are the hive files\n  from the system--we don't rely on any Windows functionality at all.\n* Open-source and (hopefully!) readable implementations of the Windows\n  obfuscation algorithms used to protect LSA secrets, cached domain\n  passwords, and \n* A reasonably forgiving registry file parser in pure Python. Look\n  through framework/types.py and framework/win32/rawreg.py to see how it\n  works.\n* The first complete open-source implementation of advapi32's\n  SystemFunction005. The version in the Wine source code does not\n  appear to allow for keys longer than 7 bytes, while the Windows\n  version (and this version) does. See decrypt_secret() in\n  framework/win32/lsasecrets.py\n\nAUTHOR\n\ncreddump is written by Brendan Dolan-Gavitt (bdolangavitt@wesleyan.edu).\nFor more information on Syskey, LSA secrets, cached domain credentials,\nand lots of information on volatile memory forensics and reverse\nengineering, check out:\n\nhttp://moyix.blogspot.com/\n\nCREDITS\n* AAron Walters. 
Much of the data type parsing code is taken from\n  Volatility, an excellent memory analysis framework written in Python.\n  He's also a really nice guy, and has helped me out a lot in my\n  research.\n  \n  https://www.volatilesystems.com/default/volatility\n\n* Massimiliano Montoro (mao), for reversing the mechanism Windows uses\n  to derive the LSA key so that it can be computed directly from the\n  hive files, as described in this post:\n  \n  http://oxid.netsons.org/phpBB2/viewtopic.php?t=149\n  http://www.oxid.it/\n  \n* Jeremy Allison, for the details of the obfuscation applied to password\n  hashes in the SAM, as implemented in the original pwdump.\n  \n  http://us4.samba.org/samba/ftp/pwdump/\n\n* Nicola Cuomo, for his excellent description of the syskey mechanism\n  and how it is used to encrypt the SAM in Windows 2000 and above.\n\n  http://www.studenti.unina.it/~ncuomo/syskey/\n\n* Eyas[at]xfocus.org, for x_dialupass2.cpp, which demonstrates how to\n  read LSA secrets directly from the registry, given the LSA key.\n\n  http://www.xfocus.net/articles/200411/749.html\n\n  [Note: the above is in Chinese, but quite comprehensible if you use\n   Google Translate and can read C ;)]\n\n* Nicholas Ruff, for his Perl implementation of des_set_odd_parity,\n  which he apparently took from SSLeay:\n\n  http://seclists.org/pen-test/2005/Jan/0180.html\n\n* Arnaud Pilon, for the details of how to retrieve cached domain\n  credentials, as implemented in cachedump.\n\n  http://www.securiteam.com/tools/5JP0I2KFPA.html\n\n* Sébastien Keim, for his cute hexdump recipe:\n\n  http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812\n\nLICENSE\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without 
even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n","funding_links":[],"categories":["Uncategorized","Forensics","Tools"],"sub_categories":["Uncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoyix%2Fcreddump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoyix%2Fcreddump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoyix%2Fcreddump/lists"}
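The README above credits a des_set_odd_parity port and highlights that creddump's SystemFunction005 implementation, unlike Wine's, accepts keys longer than 7 bytes. The following is an added example (not creddump's code, and written for Python 3 rather than the Python 2.5 the README targets) showing the two key-handling steps that make that work: expanding a 7-byte chunk into an 8-byte odd-parity DES key, and selecting which 7-byte slice of a longer key is used for each 8-byte ciphertext block. The wrap rule (when fewer than 7 bytes remain, restart at an offset equal to the number of remaining bytes) is taken from my reading of creddump's decrypt_secret() and is not stated on this page, so it is labelled as an assumption. The DES primitive itself is not in the standard library and is deliberately left out; the returned schedule is what you would hand to any DES-ECB implementation, one key per block. The 16-byte `lsa_key` in the demo is constructed, not a real key.

```python
"""Key handling for SystemFunction005-style DES decryption (added example).

str_to_key      : 7 bytes -> 8-byte DES key with odd parity (des_set_odd_parity step)
subkey_schedule : 7-byte key slice used for each 8-byte block when len(key) > 7
                  (wrap rule is an ASSUMPTION taken from creddump's decrypt_secret,
                  not something this page states)
"""


def odd_parity(byte: int) -> int:
    """Force the low bit so the byte has an odd number of set bits.

    Same result as OpenSSL/SSLeay DES_set_odd_parity for a single byte: the
    7 key bits live in bits 7..1 and bit 0 is the parity bit."""
    key_bits = byte & 0xFE
    ones = bin(key_bits).count("1")
    return key_bits | (0 if ones % 2 else 1)


def str_to_key(chunk: bytes) -> bytes:
    """Expand 7 key bytes (56 bits) into the 8-byte DES key format.

    The 56 bits are split into eight 7-bit groups; each group is shifted left
    one place and the freed low bit becomes the odd-parity bit."""
    if len(chunk) != 7:
        raise ValueError("DES key material must be exactly 7 bytes")
    bits = int.from_bytes(chunk, "big")
    return bytes(odd_parity(((bits >> (49 - 7 * i)) & 0x7F) << 1) for i in range(8))


def subkey_schedule(key: bytes, secret_len: int) -> list:
    """Return the raw 7-byte key slice used for each 8-byte block of the secret.

    ASSUMPTION (from creddump's decrypt_secret, not from this page): the key
    offset advances 7 bytes per block; when fewer than 7 bytes remain, the
    offset restarts at the number of bytes that were left over. With a 7-byte
    key this degenerates to reusing the same key for every block, which is the
    only case the README says the Wine version handles."""
    if len(key) < 7:
        raise ValueError("key must be at least 7 bytes")
    if secret_len % 8:
        raise ValueError("DES-ECB input must be a multiple of 8 bytes")
    slices = []
    j = 0
    for _ in range(secret_len // 8):
        slices.append(key[j:j + 7])
        j += 7
        remaining = len(key[j:j + 7])
        if remaining < 7:
            j = remaining
    return slices


def des_key_schedule(key: bytes, secret_len: int) -> list:
    """Per-block 8-byte DES keys, ready for any DES-ECB implementation."""
    return [str_to_key(s) for s in subkey_schedule(key, secret_len)]


if __name__ == "__main__":
    # Constructed 16-byte stand-in for an LSA key (the MD5-sized case the
    # README has in mind); 40 bytes of ciphertext = five DES blocks.
    lsa_key = bytes(range(0x10, 0x20))
    for n, (raw, des) in enumerate(zip(subkey_schedule(lsa_key, 40),
                                       des_key_schedule(lsa_key, 40))):
        print(f"block {n}: key bytes {raw.hex()} -> DES key {des.hex()}")
```

Every byte returned by `str_to_key` has odd parity, so a hex dump of the schedule is an easy sanity check; a parity-check failure in a DES library (some reject bad parity) usually means the 7-bit regrouping, not the wrap rule, is wrong.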