Cachedump – Metasploit Module

Cachedump post exploitation module for Metasploit.

This modules will dump MS domain cache information stored in the registry.
The code will NOT inject into lsass, it requires SYSTEM privileges to get into registry protected keys. Microsoft with Vista changed the code for cache entry encryption, see the new routines below.
Passscape’s engineers affirm that the SHA iterations on Vista based systems are stored into the cache entry, I didn’t find them. The default is 10240. (http://www.passcape.com/index.php?section=docsys&cmd=details&id=8)

Tested on Windows XP/2003/Vista/7/2008. This code was based on hashdump.rb and Credump

http://lab.mediaservice.net/code/cachedump.rb
MD5: 7676ddb35782a51da4ad6570234cfe44
SHA-1: 8448cb6db982d767f37866d37d1b9d9645cf6339