DumpGuard Tool Bypasses Credential Guard to Steal NTLMv1 Hashes
DumpGuard is a credential dumping tool that can extract the NTLMv1 hashes of users on modern Windows systems.
The tool relies on the Remote Credential Guard protocol, and allows credential dumping even when Credential Guard is enabled on the local host. You may download prebuilt copies from the release section of this repository.
Usage Overview
The following table lists the techniques supported by the program, their requirements, and whether each can dump credentials protected by Credential Guard.

| Technique | Requires SYSTEM | Requires SPN Account | Can Dump Credential Guard |
|---|---|---|---|
| Extract own credentials via Remote Credential Guard protocol | ❌ | ✅ | ✅ |
| Extract all credentials via Remote Credential Guard protocol | ✅ | ✅ | ✅ |
| Extract all credentials via Microsoft v1 authentication package | ✅ | ❌ | ❌ |
Dumping Own Session (using Remote Credential Guard)
To dump an NTLMv1 response for the current user from an unprivileged context, we can authenticate towards an SPN-enabled account using Remote Credential Guard, and leverage the established security context to request an NTLMv1 hash from the NtlmCredIsoRemote interface.
This works regardless of the state of Credential Guard, but requires credentials for an SPN-enabled account.
Privilege Requirement: None.
```
DumpGuard.exe /mode:self /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]
```
Dumping All Sessions (using Remote Credential Guard)
To dump NTLMv1 responses for all currently authenticated users from a privileged SYSTEM context, we can impersonate tokens from running processes, then authenticate towards an SPN-enabled account using Remote Credential Guard, and leverage the established security context to request an NTLMv1 hash from the NtlmCredIsoRemote interface.
This works regardless of the state of Credential Guard, but requires credentials for an SPN-enabled account.
Privilege Requirement: SYSTEM.
```
DumpGuard.exe /mode:all /domain:<DOMAIN> /username:<SAMACCOUNTNAME> /password:<PASSWORD> [/spn:<SPN>]
```
Dumping All Sessions (using Microsoft v1 authentication package)
To dump NTLMv1 responses for all currently authenticated users from a privileged SYSTEM context, we can interact with the NTLM SSP and request responses for each individual logon session ID.
This works only under the following conditions:
- Credential Guard is disabled on the local system (we can extract from all local sessions).
- Remote users are authenticated to the local system from a remote host over Remote Credential Guard.
Privilege Requirement: SYSTEM.
```
DumpGuard.exe /mode:all
```
This attack can also be carried out using LSA Whisperer with the following command:
```
lsa-whisperer.exe msv1_0 Lm20GetChallengeResponse --luid {session id} --challenge {challenge to clients} [flags...]
```
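The three techniques above all end in an NTLMv1 response handed out by LSASS, and the MSV1_0 path in particular only works while the host still permits NTLMv1 and Credential Guard is not running. The PowerShell script below is an added defender-side audit, not part of DumpGuard, LSA Whisperer or the original page: it reports the host's LmCompatibilityLevel, NTLM minimum-security and NTLM-restriction settings, whether Credential Guard is running according to the Win32_DeviceGuard WMI class, and how many recent interactive or network logons on the host used "NTLM V1" (Security event 4624, LmPackageName field). Function and variable names are the author's own; the registry paths, property names and event fields are standard Windows ones.

```powershell
# Added audit example (not from DumpGuard or its documentation).
# Run in an elevated PowerShell session on the host being assessed.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value absent: Windows applies its built-in default
    }
}

function Get-NtlmV1Posture {
    param([int]$LookbackDays = 7)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"

    # LmCompatibilityLevel: 0-2 let the client send LM/NTLMv1 responses,
    # 3+ send NTLMv2 only. Absent means the OS default (3 on supported Windows).
    $lmLevel = Get-RegistryDword -Path $lsa -Name 'LmCompatibilityLevel'
    $effectiveLevel = if ($null -eq $lmLevel) { 3 } else { $lmLevel }

    # NtlmMinClientSec: 0x00080000 = require NTLMv2 session security,
    # 0x20000000 = require 128-bit encryption.
    $minClient = Get-RegistryDword -Path $msv -Name 'NtlmMinClientSec'
    $requiresNtlmV2SessionSec = ($null -ne $minClient) -and (($minClient -band 0x00080000) -ne 0)

    # RestrictSendingNTLMTraffic: 0 allow all, 1 audit, 2 deny outgoing NTLM.
    $restrict = Get-RegistryDword -Path $msv -Name 'RestrictSendingNTLMTraffic'

    # Credential Guard: SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # Recent logons that completed with NTLM V1 (event 4624, LmPackageName).
    $start = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('o')
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$start']]] " +
             "and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    $ntlmV1Logons = @(Get-WinEvent -LogName Security -FilterXPath $xpath `
                                   -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LmCompatibilityLevel       = $effectiveLevel
        ClientMaySendNtlmV1        = ($effectiveLevel -lt 3)
        NtlmMinClientSec           = $minClient
        RequiresNtlmV2SessionSec   = $requiresNtlmV2SessionSec
        RestrictSendingNTLMTraffic = $restrict
        CredentialGuardRunning     = $cgRunning
        NtlmV1LogonsLastDays       = $ntlmV1Logons.Count
    }
}

Get-NtlmV1Posture | Format-List
```

A host that reports `ClientMaySendNtlmV1 = True` or `CredentialGuardRunning = False` matches the conditions under which the MSV1_0 technique works; the Remote Credential Guard techniques are not addressed by these settings, since the page states they work regardless of Credential Guard, so the relevant control there is who holds credentials for SPN-enabled accounts.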