LSASS-Free Larceny: Extracting NTLMv1 Hashes with DumpGuard BOF
DumpGuard BOF
Beacon Object File (BOF) port of DumpGuard for extracting NTLMv1 hashes from sessions on modern Windows systems.
This repository contains a Beacon Object File (BOF) implementation of DumpGuard, ported from the original C#/.NET implementation to pure C for use with Havoc and other C2 frameworks that support BOF execution.
This is a Proof of Concept (PoC) and a learning exercise.
This BOF port was created as part of my personal journey to understand the details of the Remote Credential Guard protocol, Kerberos authentication flows, and the underlying Windows security mechanisms. The process of porting this tool from C# to pure C for BOF execution was primarily an educational endeavor.
Please be aware that:
- This code may contain bugs, errors, or incomplete implementations.
- It has not been extensively tested across all Windows versions or configurations.
- Some edge cases or protocol nuances may not be properly handled.
- The implementation may differ from the original in ways that affect reliability.
- This is not production-ready code. Use at your own risk.
DumpGuard exploits Windows Remote Credential Guard (RCG) to extract NTLMv1 hashes from logged-in users without touching LSASS memory and without requiring admin privileges. It works even when Credential Guard is enabled.
How It Works
- Impersonate a CredSSP/RDP server locally. The BOF acts as a fake RDP server.
- Trick Windows SSPI into performing a full Kerberos + CredSSP authentication.
- Receive the user’s credentials wrapped in TSRemoteGuardCreds.
- Call LSA’s TSSSP package to compute an NTLMv1 response with a known challenge.
The 4-Round CredSSP Dance
| Round | Client -> Server | Server -> Client |
|---|---|---|
| 1 | SPNEGO + TGT-REQ | TGT-REPLY (from real KDC) |
| 2 | AP-REQ (service ticket) | AP-REP + MIC |
| 3 | PubKeyAuth (binding hash) | Server binding hash |
| 4 | AuthInfo (TSRemoteGuardCreds) | N/A |
After Round 4, we have the encrypted credential blob. The magic happens when we call LsaCallAuthenticationPackage with the TSSSP package. LSA routes our request through RDPEAR -> TSRemoteGuard -> MSV1_0, which decrypts the secrets and computes the NTLMv1 response for us.
Background
Credential Guard isolates NTLM and Kerberos secrets in a secure VBS space (LsaIso.exe), preventing direct memory access attacks like Mimikatz. However, Credential Guard still needs to use those secrets for legitimate authentication. That’s the interface this technique exploits.
For the full technical deep-dive, see: Catching Credential Guard Off Guard
Implementation
This BOF port only implements the “Self” mode from the original DumpGuard tool. The “All” modes are not implemented in this version.
Self Mode
Dumps the NTLMv1 hash of the current process user via the Remote Credential Guard protocol.
- Privilege Requirement: None (runs in current user context)
- Credential Guard Status: Works regardless of whether Credential Guard is enabled
- Requirements: Credentials for an account with a registered SPN
Extracting Other Users’ Hashes
While this BOF only implements “self” mode, you can still extract other users’ NTLMv1 hashes by injecting into a process running as that user. For example, with administrator privileges you can inject the BOF into a process owned by another logged-in user to obtain their hash.