
WDigest: Digging the dead from the grave

Dumping credentials from a host in the post-exploitation phase is a common step during an internal infrastructure assessment or red teaming engagement. The most well-known target is undoubtedly the Local Security Authority Subsystem Service (LSASS), the process that handles logon verification, access token creation, password changes, etc. The memory of this process used to be a treasure trove of interesting data, most of all passwords in clear text. Nowadays the chances you'll find plaintext passwords there are getting slimmer (albeit non-negligible), and the attempt comes at its own price: lsass.exe has probably become the most guarded process on the system, watched by most AV/EDR products and by the Windows OS itself (LSA protection running LSASS as a protected process, Credential Guard isolating the secrets). Extracting credentials from lsass.exe without any detection is a non-trivial task with a decent EDR in place.

That said, we might still find interesting data inside an LSASS dump even with the default configuration, most notably NTLM hashes, which are a quick win anyway as we can use them for lateral movement. Sometimes, however, we can't pass the hash: NTLM may be blocked outright (note that LmCompatibilityLevel set to 5 alone only refuses LM and NTLMv1 responses; NTLMv2 is still keyed from the NT hash, so pass-the-hash keeps working unless NTLM is restricted with the "Restrict NTLM" policies), the account whose hash we collected may be a member of the Protected Users group, or only Kerberos authentication may be allowed. Sure enough, dumping Kerberos tickets to the rescue! Unless they're already expired. And with plaintext passwords we can go further with credential stuffing and password reuse, and some passwords I recovered in the past really made me chuckle. :) Yeah, we can still resort to cracking, but if the password is sufficiently complex, we'll probably have to look elsewhere.
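Before deciding whether an LSASS dump is even worth the risk, a practitioner wants to know which of the constraints above apply to the target. The following read-only audit is an added example, not code from the original post: it reads the documented registry locations for LSA protection (RunAsPPL), Credential Guard (LsaCfgFlags), LmCompatibilityLevel, the "Restrict NTLM" policies under MSV1_0, and the WDigest UseLogonCredential switch that decides whether LSASS still caches plaintext logon credentials. The helper name Get-RegValue and the $findings table are the example's own; the registry paths and value names are the documented ones.

```powershell
# Added example (not from the original post): read-only audit of the settings that decide
# what an LSASS dump will yield and whether the hashes in it are usable for pass-the-hash.
# Run locally in an elevated PowerShell session. Helper names are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> Windows applies its built-in default
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

$findings = [ordered]@{}

# LSA protection: 1 = LSASS runs as a protected process (PPL), blocking ordinary handle access.
$findings['RunAsPPL'] = Get-RegValue $lsa 'RunAsPPL'

# Credential Guard: 1 = enabled with UEFI lock, 2 = enabled without lock, absent/0 = off.
$findings['LsaCfgFlags'] = Get-RegValue $lsa 'LsaCfgFlags'

# LmCompatibilityLevel: 5 refuses LM and NTLMv1 only. NTLMv2 is still derived from the
# NT hash, so pass-the-hash works at every level unless NTLM itself is restricted below.
$findings['LmCompatibilityLevel'] = Get-RegValue $lsa 'LmCompatibilityLevel'

# "Network security: Restrict NTLM" policies; 2 = deny all NTLM traffic in that direction.
$findings['RestrictSendingNTLMTraffic']   = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
$findings['RestrictReceivingNTLMTraffic'] = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'

# WDigest: 1 = LSASS keeps plaintext credentials of interactive logons for the WDigest SSP.
# On Windows 8.1 / Server 2012 R2 and later an absent value means off; on older systems
# patched with KB2871997 the value must be explicitly 0 to turn caching off.
$findings['WDigest UseLogonCredential'] = Get-RegValue $wdig 'UseLogonCredential'

'--- raw values ---'
$findings.GetEnumerator() | ForEach-Object {
    $v = if ($null -eq $_.Value) { '(not set, OS default)' } else { $_.Value }
    '{0,-30} {1}' -f $_.Key, $v
}

'--- interpretation ---'
$ppl   = $findings['RunAsPPL'] -eq 1
$cg    = $findings['LsaCfgFlags'] -in 1, 2
$noNtlm = ($findings['RestrictSendingNTLMTraffic'] -eq 2) -or
          ($findings['RestrictReceivingNTLMTraffic'] -eq 2)
$wdOn  = $findings['WDigest UseLogonCredential'] -eq 1

if ($ppl) { 'LSASS is a protected process: a plain OpenProcess/MiniDumpWriteDump will be refused.' }
if ($cg)  { 'Credential Guard is on: NT hashes and Kerberos keys are isolated from LSASS memory.' }
if ($noNtlm) { 'NTLM is denied on this host: hashes alone will not authenticate here; expect Kerberos only.' }
elseif ($null -ne $findings['LmCompatibilityLevel'] -and $findings['LmCompatibilityLevel'] -ge 3) {
    'NTLMv2 enforced, but pass-the-hash still works: NTLMv2 responses are computed from the NT hash.'
}
if ($wdOn -and -not $cg) { 'WDigest caching is ON: plaintext passwords of current logons are in LSASS memory.' }
else { 'WDigest caching is OFF: expect NT hashes and Kerberos tickets, not plaintext.' }
```

The script only reads; it never sets UseLogonCredential. Two caveats worth keeping in mind when interpreting the output: a value that is absent is reported as "OS default", and the default differs by OS version as noted in the comments; and Credential Guard, when enabled, makes the WDigest setting moot because the plaintext never reaches LSASS in the first place.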

Or maybe not? Of course not! There are still options, especially with legacy protocols, which have been a hacker's best friends since… forever?!
