Skip to content
›_Secrets Dump

Posts tagged: #credentials

Back to all posts
Decrypting local account hashes from the SAM hive
From the hashed boot key to a user's NT hash: the F and V structures, the RC4 vs AES storage formats, and the per-RID DES layer that wraps every Windows password hash.
windowscredentialssamntlm
How the Windows boot key (syskey) works
The boot key is the root of all offline credential dumping. Here is where it lives, why it is scrambled across four registry keys, and how to reassemble it from the SYSTEM hive.
windowscredentialsregistrysyskey
LSA secrets and cached domain credentials
The SECURITY hive stores service passwords, the machine account, DPAPI keys, and offline logon caches. Here is how the LSA key unlocks them — and why DCC2 is salted but still dumpable.
windowscredentialslsadcc2