dumpcreds

dumpcreds may be used to extract various credentials from the memory of running processes.

It can recover the following credential types:
- HTTP Basic auth: extracts every "Authorization: Basic" string from readable/writable (RW) memory segments.
- Simple FTP authentication: searches for "LOGIN" and "PASS" strings.
- /etc/shadow-style hashes: as mimipenguin does, it searches process memory for shadow hash patterns and performs a dictionary attack using every string that can be extracted from RW segments.
- Samba NTLMv2 authentication: it searches process memory for NTLMv2 challenge/response pairs and uses them to look for the matching password in memory. As this does not seem to work in every case (probably because it is implemented poorly), it also displays the unresolved challenge/response pairs, which may be cracked with John the Ripper dictionary attacks.
- Simple IMAP authentication: it searches RW segments for every "imap://test@mail.pony.com" pattern and uses the username to search for "\0username\0password" encoded in base64.
- Simple patterns: may be used to search for and extract specific patterns from memory (useful for extracting "password" strings).

To extract these credentials, dumpcreds needs to read process memory through "/proc/[PID]/mem", which requires the permission to do so. That is why, even though it may be run as an unprivileged user, some modules ("--shadow") will only produce interesting output when run as root.
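That access requirement is also the defender's handle on this class of tool: the kernel applies the same permission check to opening /proc/[PID]/mem as to a ptrace attach, so an audit trail of those opens is a practical way to notice in-memory credential harvesting. The script below is an added example, not part of dumpcreds or its documentation. It assumes an auditd rule that records openat syscalls under the key `proc_mem` (the rule itself is left to the reader and is an assumption here), correlates the SYSCALL and PATH records of each event by audit serial number, and reports every open of another process's mem file, rating cross-user reads higher. All sample log lines are constructed.

```python
"""Flag cross-process opens of /proc/<pid>/mem in auditd output.

Added example (not dumpcreds code): groups SYSCALL and PATH records that
share one audit serial, then reports any open of /proc/<target>/mem made by
a process other than the target itself. Field names follow the standard
auditd record format; the sample lines below are constructed.
"""
import re
from collections import defaultdict

SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MEM_PATH_RE = re.compile(r"^/proc/(\d+)/mem$")

# Constructed sample records, keyed by the assumed audit rule key "proc_mem".
SAMPLE_AUDIT_LOG = [
    # uid 1000 successfully opens the mem file of a root-owned process (pid 812)
    'type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1200 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="proc_mem"',
    'type=PATH msg=audit(1700000000.101:4567): item=0 name="/proc/812/mem" inode=41237 dev=00:16 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    # a process opening its own mem file: not a cross-process read, ignored
    'type=SYSCALL msg=audit(1700000000.202:4568): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 comm="jitd" exe="/usr/bin/jitd" key="proc_mem"',
    'type=PATH msg=audit(1700000000.202:4568): item=0 name="/proc/999/mem" inode=51111 dev=00:16 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    # same-user cross-process attempt that the kernel denied (exit=-13, EACCES)
    'type=SYSCALL msg=audit(1700000000.303:4569): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="proc_mem"',
    'type=PATH msg=audit(1700000000.303:4569): item=0 name="/proc/2000/mem" inode=61111 dev=00:16 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
]


def parse_record(line):
    """Return (serial, fields) for one audit line, or None if it has no serial."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_ts"] = m.group("ts")
    return m.group("serial"), fields


def find_proc_mem_reads(lines):
    """Correlate records by serial and return a list of alert dicts."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, f = parsed
        if f.get("type") == "SYSCALL":
            events[serial]["syscall"] = f
        elif f.get("type") == "PATH":
            events[serial]["paths"].append(f)

    alerts = []
    for serial, ev in events.items():
        sc = ev["syscall"]
        if sc is None:
            continue  # PATH records without their SYSCALL record cannot be attributed
        for p in ev["paths"]:
            m = MEM_PATH_RE.match(p.get("name", ""))
            if not m:
                continue
            target_pid = m.group(1)
            if target_pid == sc.get("pid"):
                continue  # a process touching its own mem file is not a cross-process read
            # ouid on the PATH record is the owner of /proc/<pid>/mem, i.e. the target's uid
            cross_user = sc.get("uid") != p.get("ouid")
            alerts.append({
                "serial": serial,
                "time": sc.get("_ts"),
                "reader_pid": sc.get("pid"),
                "reader_uid": sc.get("uid"),
                "reader_exe": sc.get("exe"),
                "target_pid": target_pid,
                "target_owner_uid": p.get("ouid"),
                "outcome": sc.get("success"),  # "yes" or "no": denied attempts are still reported
                "severity": "high" if cross_user else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_proc_mem_reads(SAMPLE_AUDIT_LOG):
        print(alert)
```

A denied attempt is reported on purpose: the open itself is the signal, whether or not the kernel let it through. Self-reads are dropped because some runtimes legitimately open their own mem file, and on a real host the alert stream would be filtered further by `reader_exe` against the debuggers and profilers expected on that system.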