Cachedump – Metasploit Module

Cachedump post exploitation module for Metasploit.

This module dumps the MS domain cache information stored in the registry.
The code does NOT inject into lsass; it requires SYSTEM privileges to read the protected registry keys. With Vista, Microsoft changed the code for cache entry encryption; see the new routines below.
Passcape's engineers affirm that the SHA iterations on Vista-based systems are stored in the cache entry; I didn't find them. The default is 10240. (http://www.passcape.com/index.php?section=docsys&cmd=details&id=8)

Tested on Windows XP/2003/Vista/7/2008. This code was based on hashdump.rb and creddump.

http://lab.mediaservice.net/code/cachedump.rb
MD5: 7676ddb35782a51da4ad6570234cfe44
SHA-1: 8448cb6db982d767f37866d37d1b9d9645cf6339
