What Is Hash Dumping?

Updated on September 10, 2025

Hash dumping is a critical technique in the post-exploitation phase of a cyber attack. It is the process of extracting password hashes and other credentials from a computer’s memory or a database. While this may sound like a complex, low-level operation, it’s a common practice for both malicious actors and ethical red teamers to facilitate lateral movement, privilege escalation, and domain compromise.

Understanding the technical mechanisms of hash dumping is essential for cybersecurity professionals to defend against it effectively. This technique is a foundational step in many attack chains, making its prevention a high priority for any security-conscious organization.

This guide provides a technical breakdown of hash dumping, its common targets, and the defensive strategies organizations can implement to protect their systems.

Definition and Core Concepts

Hash dumping is the act of retrieving password hashes and other authentication material from a system’s local storage or volatile memory. This process is distinct from password cracking. The goal is to obtain the hash itself, which can then be used for offline cracking or, more efficiently, for attacks like “Pass-the-Hash.”

To understand hash dumping, it’s important to be familiar with a few core concepts.

  • Password Hash: A password hash is the one-way cryptographic output of a password. Instead of storing passwords in plaintext, modern operating systems store their hashes for security.
  • Credential Caching: Windows caches user credentials in memory to enable single sign-on (SSO) and improve user experience. This makes memory a primary target for hash dumping.

How Hash Dumping Works

Hash dumping relies on an attacker gaining sufficient privileges to access sensitive memory and file locations. With the right level of access, an attacker can use specialized tools to extract credentials.

Targeting the LSASS.exe Process

The primary target for hash dumping on Windows systems is the Local Security Authority Subsystem Service (LSASS.exe) process. LSASS is responsible for managing security policy and user authentication on the system. To perform these functions, it stores credentials—including NT LAN Manager (NTLM) hashes, Kerberos tickets, and sometimes even plaintext passwords—in its protected memory space.

An attacker with administrator or SYSTEM-level privileges can use a specialized tool to access this memory and dump its contents. Tools like Mimikatz are commonly used for this task. These tools leverage specific Application Programming Interfaces (APIs) to read the memory of the LSASS process and parse its data structures to locate credentials.

Tooling and Permissions

Successfully performing a hash dump requires a high level of privilege. This access is often obtained through a prior exploit or a privilege escalation technique. Once an attacker has the necessary permissions, they can execute credential dumping tools.

These tools are designed to interact with protected system processes and files. They can read the raw data from memory or a database and extract the relevant credential information.

Common Targets for Credential Dumping

Hashes and other credentials can be dumped from multiple locations beyond just the memory of a single process.

  • LSASS.exe Memory: This is the most common target on a live system. It contains NTLM hashes and Kerberos tickets for all users who have logged on to the machine since the last reboot.
  • SAM Database: The Security Account Manager (SAM) database stores the hashes for all local user accounts on a Windows machine. Accessing this file typically requires SYSTEM-level privileges.
  • NTDS.DIT File: This is the Active Directory database file on a domain controller. It stores the hashes for all users and computers in the entire domain, making it an extremely high-value target for attackers.

Use Cases and Applications

Hash dumping is a foundational technique that enables several subsequent attack phases. It is rarely the end goal itself but rather a means to an end.

Lateral Movement

An attacker can dump a user’s NTLM hash and use a Pass-the-Hash (PtH) attack. This technique allows them to authenticate to other machines on the network using the hash directly, without needing to crack the password to get its plaintext version. This is a common method for moving laterally across a network.

Privilege Escalation

By dumping hashes from a compromised machine, an attacker may find a hash for a more powerful user, such as a domain administrator. If a privileged user has logged into that machine, their credentials may be cached in LSASS memory. An attacker can then use this stolen hash to escalate their privileges and potentially take control of the entire domain.

Red Teaming and Penetration Testing

Ethical hackers and red teams use hash dumping to simulate real-world attacks. By demonstrating that they can dump hashes from a single compromised machine, they can show an organization the significant risk of lateral movement and domain compromise. This helps the organization understand its security posture and identify weaknesses.

Troubleshooting and Considerations

Defending against hash dumping involves both detection and mitigation strategies. Organizations should focus on preventing attackers from gaining the necessary privileges and on monitoring for suspicious activities.

Detection Strategies

Organizations can detect hash dumping by monitoring for suspicious system activity. Security solutions like Endpoint Detection and Response (EDR) can alert administrators when a process attempts to access the memory of LSASS.exe or other protected system files. Creating alerts for known credential dumping tool signatures or behaviors is a key detection measure.
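The following PowerShell is an added example, not code from the original article or from any product it mentions. It shows what the EDR-style alert described above looks like when written against Sysmon Event ID 10 (ProcessAccess) telemetry: a handle opened on lsass.exe is flagged when the granted access mask includes memory-read or code-injection rights, and a small allowlist of source images separates routine system activity from unknown processes. The sample events, the allowlist and the source paths in them are constructed for illustration; Sysmon must be configured to record ProcessAccess events for lsass.exe, which its default configuration does not do.

```powershell
# Added example (not from the original article): triage Sysmon Event ID 10
# (ProcessAccess) records for handles opened on lsass.exe with memory-read or
# injection rights. $SampleEvents below is constructed; on a real host, feed
# the function objects built from Get-WinEvent on the Sysmon operational log.

# Process access-mask bits, as documented for OpenProcess.
$PROCESS_CREATE_THREAD             = 0x0002
$PROCESS_VM_OPERATION              = 0x0008
$PROCESS_VM_READ                   = 0x0010
$PROCESS_VM_WRITE                  = 0x0020
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$PROCESS_ALL_ACCESS                = 0x1FFFFF

# Example baseline of source images that routinely open lsass.exe. This list is
# an assumption for illustration and must be tuned from your own telemetry.
$KnownBenignSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

function Test-LsassAccessEvent {
    param([Parameter(Mandatory)] $Event)

    # Only handles to lsass.exe are of interest here.
    if ($Event.TargetImage -notlike '*\lsass.exe') { return $null }

    # Sysmon records GrantedAccess as a hex string such as "0x1010".
    $mask    = [Convert]::ToInt32($Event.GrantedAccess, 16)
    $reasons = @()
    if ($mask -eq $PROCESS_ALL_ACCESS)                              { $reasons += 'PROCESS_ALL_ACCESS' }
    if ($mask -band $PROCESS_VM_READ)                               { $reasons += 'VM_READ' }
    if ($mask -band ($PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION)) { $reasons += 'VM_WRITE/VM_OPERATION' }
    if ($mask -band $PROCESS_CREATE_THREAD)                         { $reasons += 'CREATE_THREAD' }

    # Query-only handles (0x0400, 0x1000) cannot read memory; treat them as noise.
    if (-not $reasons) { return $null }

    $benign = $false
    foreach ($pattern in $KnownBenignSources) {
        if ($Event.SourceImage -like $pattern) { $benign = $true; break }
    }

    [pscustomobject]@{
        UtcTime       = $Event.UtcTime
        SourceImage   = $Event.SourceImage
        GrantedAccess = $Event.GrantedAccess
        Reasons       = ($reasons -join ',')
        Severity      = if ($benign) { 'Low' } else { 'High' }
    }
}

# Constructed sample records shaped like the EventData of Sysmon Event ID 10.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-09-10 12:00:01'; SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' }   # query only: ignored
    [pscustomobject]@{ UtcTime = '2025-09-10 12:00:02'; SourceImage = 'C:\Windows\System32\csrss.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' } # known source: Low
    [pscustomobject]@{ UtcTime = '2025-09-10 12:00:03'; SourceImage = 'C:\Users\Public\update.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }   # unknown source, VM_READ: High
    [pscustomobject]@{ UtcTime = '2025-09-10 12:00:04'; SourceImage = 'C:\Users\Public\update.exe'
                       TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' } # not lsass: ignored
)

$SampleEvents | ForEach-Object { Test-LsassAccessEvent $_ } |
    Where-Object { $_ } | Format-Table -AutoSize
```

On a live host the same function can be fed real records by reading `Microsoft-Windows-Sysmon/Operational` with `Get-WinEvent` and mapping the `SourceImage`, `TargetImage` and `GrantedAccess` fields of each Event ID 10 entry. The design point is that the alert keys on the access rights requested, not on a tool name: a process that asks for `PROCESS_VM_READ` on lsass.exe is doing the one thing every memory-based credential dumper must do, whatever binary it is.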

Mitigation Strategies

The most effective defense against hash dumping is to prevent it from happening in the first place. This involves hardening systems and implementing security controls to protect credentials.

  • LSA Protection: This feature in modern Windows versions hardens the LSASS.exe process. It prevents unauthorized processes from injecting code into LSASS or reading its memory, which blocks many common hash dumping techniques.
  • Credential Guard: This is a powerful security feature that uses virtualization-based security (VBS) to isolate and protect credentials. It runs the LSASS process in a secure, isolated memory region, making it extremely difficult for attackers to access and dump hashes from memory, even with SYSTEM-level privileges.
  • Principle of Least Privilege: Limiting administrative access on endpoints is a fundamental security practice. It reduces the ability of an attacker to gain the high-level privileges needed to perform hash dumping in the first place.
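As an added example (not code from the original article), the PowerShell below audits a host for the three controls listed above: whether LSA Protection is turned on, whether Credential Guard is running, and who holds local administrator rights. It reads the `RunAsPPL` value under the LSA registry key and the `Win32_DeviceGuard` WMI class, both of which are documented Windows interfaces; it assumes an elevated session on Windows 10/11 or Windows Server 2016 and later, and it only reports, it does not change settings.

```powershell
# Added example (not from the original article): report the state of LSA
# Protection, Credential Guard and local administrator membership on this host.
# Run from an elevated PowerShell session; read-only.

function Get-LsassHardeningStatus {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # LSA Protection: RunAsPPL = 1 enables it with a UEFI lock; 2 (Windows 11
    # 22H2 and later) enables it without the lock. Absent or 0 means disabled.
    $runAsPpl     = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lsaProtected = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)

    # Credential Guard: Win32_DeviceGuard lists running VBS services; a value of 1
    # in SecurityServicesRunning is Credential Guard (2 is HVCI).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    # Least privilege: every member of the local Administrators group can reach
    # LSASS memory unless LSA Protection or Credential Guard stands in the way.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LsaProtection   = if ($lsaProtected) { 'Enabled' } else { 'DISABLED' }
        RunAsPPLValue   = if ($null -eq $runAsPpl) { '(not set)' } else { $runAsPpl }
        CredentialGuard = if ($credGuardRunning) { 'Running' } else { 'NOT RUNNING' }
        LocalAdminCount = $admins.Count
        LocalAdmins     = ($admins | ForEach-Object { $_.Name }) -join '; '
    }
}

Get-LsassHardeningStatus | Format-List
```

A result of `DISABLED` for LSA Protection is corrected by setting `RunAsPPL` to 1 under that key, preferably through Group Policy so the setting is enforced fleet-wide; a reboot is required before LSASS starts as a protected process. Credential Guard depends on virtualization-based security being enabled in the platform, so `NOT RUNNING` usually points at firmware or policy prerequisites rather than a single registry value. A long `LocalAdmins` list is the least-privilege finding: every account on it has the privilege level the article names as the precondition for hash dumping.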

Key Terms Appendix

  • Hash Dumping: The process of extracting password hashes and other credentials from a system.
  • LSASS.exe: The Windows process that stores user credentials, such as NTLM hashes and Kerberos tickets, in memory.
  • NTLM Hash: A specific password hash format used in Windows authentication protocols.
  • Lateral Movement: The technique an attacker uses to move from one compromised system to another within a network.
  • Pass-the-Hash (PtH): An attack that uses a stolen hash for authentication without needing to crack the password.
  • Credential Guard: A Windows security feature that uses virtualization-based security to protect LSASS credentials from theft.