Post-exploitation credential harvesting and extraction — LSASS memory, SAM database, NTDS.dit, browser vaults, Windows Credential Manager, SSH keys and cloud token stores. Outputs crackable hashes and cleartext credentials with chain-of-custody evidence.
LSASS Memory Dump
Multiple LSASS extraction techniques — handles protected processes, PPL and Credential Guard scenarios.
SAM & NTDS Extraction
Volume Shadow Copy-based NTDS.dit extraction and SYSTEM hive decryption — no DC reboot required.
Browser Vault Harvesting
Decrypts saved credentials from Chrome, Firefox, Edge, Brave and Opera — all on-disk processing.
Cloud Token Extraction
Harvests AWS, Azure and GCP tokens and service account credentials from disk and environment.
SSH Key Discovery
Locates private keys, known_hosts files and SSH agent sockets for lateral movement.
Evidence Export
Structured output with provenance — hash type, source, timestamp — for pentest report inclusion.