Skip to content

bytewreck/DumpGuard

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DumpGuard

BSD3 License Slack Sponsored by SpecterOps

Logo

DumpGuard is a credential dumping and protocol research tool for modern Windows systems. It abuses the Remote Credential Guard protocol to recover credential material even when Credential Guard is enabled, and also includes a Microsoft v1 authentication package path for session-oriented NTLM extraction.

Current functionality includes:

  • NTLMv1 responses
  • NTLMv2 responses
  • Kerberos service tickets
  • Microsoft v1 authentication package dumping for local logon sessions

You may download prebuilt copies from the release section of this repository.

Disclaimer: This tool is provided strictly for educational and legitimate testing purposes only. The author of this repository does not condone or support any type of misuse and assumes no responsibility for damages or legal consequences incurred as a result of using this tool.

Usage Overview

The following table summarizes the currently implemented techniques.

Technique Command Requires SYSTEM Requires
SPN Account
Can Dump
Credential Guard
Extract NTLMv1 via Remote Credential Guard ntlmv1 self: ❌
all: ✅
Extract NTLMv2 via Remote Credential Guard ntlmv2 self: ❌
all: ✅
Extract Kerberos TGS via Remote Credential Guard kerbtgs self: ❌
all: ✅
Extract NTLMv1 via Microsoft v1 authentication package msv10

DumpGuard uses a command plus target model.

  • command selects the extraction technique.
  • target selects whether to operate on the current session or enumerate sessions.

Supported commands:

  • /command:ntlmv1
  • /command:ntlmv2
  • /command:kerbtgs
  • /command:msv10

Supported targets:

  • /target:self
  • /target:all

Common Remote Credential Guard parameters:

  • /domain:<DOMAIN>
  • /username:<SAMACCOUNTNAME>
  • /password:<PASSWORD>
  • /spn:<SPN>

Kerberos TGS parameters:

  • /tgsdomain:<DOMAIN>
  • /tgsspn:<SPN>

If /spn is omitted for a computer account, DumpGuard defaults to HOST/<computername>.

Dumping Your Own Session via Remote Credential Guard

To dump credential material for the current user from an unprivileged context, DumpGuard authenticates to an SPN-enabled account using Remote Credential Guard, and then issue follow-up requests over the established security context.

This works regardless of the state of Credential Guard, but requires credentials for an SPN-enabled account.

Privilege requirement: None.

NTLMv1:

DumpGuard.exe /command:ntlmv1 /target:self /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]

NTLMv2:

DumpGuard.exe /command:ntlmv2 /target:self /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]

Kerberos TGS:

DumpGuard.exe /command:kerbtgs /target:self /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>] [/tgsdomain:<DOMAIN>] /tgsspn:<service/host>

If /tgsdomain is omitted, it defaults to the Remote Credential Guard /domain value.

Dumping All Sessions via Remote Credential Guard

To dump credential material for all currently accessible users from a privileged context, DumpGuard impersonates tokens from running processes, authenticates to an SPN-enabled account using Remote Credential Guard, and then issue follow-up requests over the established security context.

This works regardless of the state of Credential Guard, but requires credentials for an SPN-enabled account.

Privilege requirement: SYSTEM or Administrator (requires SeImpersonatePrivilege).

NTLMv1:

DumpGuard.exe /command:ntlmv1 /target:all /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]

NTLMv2:

DumpGuard.exe /command:ntlmv2 /target:all /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]

Kerberos TGS:

DumpGuard.exe /command:kerbtgs /target:all /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>] [/tgsdomain:<DOMAIN>] /tgsspn:<service/host>

If /tgsdomain is omitted, it defaults to the Remote Credential Guard /domain value.

Dumping All Sessions via the Microsoft v1 Authentication Package

To dump NTLM responses for currently authenticated users from a privileged SYSTEM context, DumpGuard interacts directly with the NTLM SSP and requests challenge responses for every discovered logon session.

This works only under the following conditions:

  • Credential Guard is disabled on the local system.
  • Remote users are authenticated to the local system from a remote host over Remote Credential Guard.

Privilege requirement: SYSTEM (requires SeTcbPrivilege).

DumpGuard.exe /command:msv10

This attack can also be carried out using LSA Whisperer with the following command:

lsa-whisperer.exe msv1_0 Lm20GetChallengeResponse --luid {session id} --challenge {challenge to clients} [flags...]

Bonus Information

I have reverse engineered and recreated the interfaces exposed by Credential Guard (LsaIso.exe) and included them in this repository for anyone interested in further research.

As of October 2025, the following interfaces are implemented:

  • BCryptIum
  • CloudApIum
  • KerberosIum
  • LsaIsoMgmtIum
  • NtlmIum
  • ProvIum

Acknowledgements

Thank you to SpecterOps for supporting this research and to my coworkers who have helped with its development.

  • Elad Shamir - for inspiring this tool and research, and for offering valuable perspective and encouragement whenever I hit a wall.
  • Evan McBroom - for sharing useful insights on LSA internals and providing ASN.1 encoders for most of the structures used in this project.

Related Tools

Related Work

  • Oliver Lyak (2022) - To my knowledge, the only public research on dumping credentials protected by Credential Guard.
  • James Forshaw (2022, 2022, 2022, 2022) - Vulnerability submissions that slightly documents some of the undocumented interfaces that we have researched.

About

Proof-of-Concept tool for extracting credential material from protected sessions on modern Windows systems.

Resources

License

Stars

701 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors

Languages