What Is Credential Dumping & How To Prevent It?

While phishing and network-level attacks remain the most common intrusions, attacks against the places where systems store credentials are still a serious threat to enterprises.

What is credential dumping? It is the extraction of authentication material (plaintext passwords and, more often, password hashes) from the operating system, process memory, or databases where it is stored, so that an attacker can reuse it or sell it.

Who Authenticates the Authenticators–Storing Credentials

When we talk about authentication, we typically talk about identity verification from the outside in–a specific paradigm in which we can offload a significant amount of responsibility to end users. This is not so when it comes to securing authentication credentials.

Usernames, passwords, and PINs must be stored somewhere, and that somewhere is usually one of a few specific places. Application and account credentials (particularly those for online services) usually live in an application database. Operating system credentials, such as those granting local access to a machine or a domain, are kept in OS-specific stores on the local disk.

Credential dumping extracts these stored credentials so that an attacker can reuse them. In both cases (databases or local stores), the attacker uses some form of leverage, such as a software vulnerability or administrative privileges already obtained, to copy the credential material out (the "dump").

Let’s dig a little deeper. Some of the common sources from which a credential dump can be triggered include:

  • Database Dump: An attacker extracts the tables of an application database that hold user authentication data. Typical routes are SQL injection against the application, or remote code execution on the server (as with the Log4Shell vulnerability in the Log4j Java logging library), after which the database can be read directly. If the application's developers have practiced good security hygiene, the dump will contain salted password hashes rather than plaintext, which means the attacker still has to crack the hashes offline (guessing candidate passwords and comparing digests) rather than reading the passwords off the page.
  • Security Accounts Manager (SAM): The SAM is the registry database that Windows has used since Windows NT to hold local account password hashes. Its contents are encrypted with a key derived from the SYSTEM registry hive, so an attacker needs both hives; with them, the hashes can be decrypted offline and then cracked at leisure, or used as-is in pass-the-hash attacks.
  • Local Security Authority (LSA): The LSA handles local authentication and security policy and keeps service account passwords and other machine secrets in a registry area called "LSA Secrets" (under the SECURITY hive), encrypted with a machine-specific key. The LSASS process that implements it also holds the credentials of currently logged-on users in memory.
  • Active Directory: Active Directory supports several kinds of authentication, from interactive logon to certificate services and federated authentication. Domain account password hashes are stored in the NTDS.dit database on every domain controller, which is why domain controllers and their backups are prime targets.

One common factor that astute readers may have noticed is that all of these credential stores use hashing and/or encryption. Stealing the store is therefore not the end of the attack: the attacker still has to decrypt it (often easy once the accompanying system key material is taken too) and then crack the hashes it holds, and the time that takes is the defender's window to detect the theft and rotate credentials.
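The following is an added example, not code from the original article or from 1Kosmos, showing what "the attacker still has to crack the hashes" means in practice for a database dump. It builds a constructed user table (the names, passwords and wordlist are invented for the example) under two storage schemes, an unsalted fast hash and a salted slow KDF, runs the same dictionary attack against both, and counts how many hash operations the attacker had to perform and what the dump leaked before any cracking. The iteration count is deliberately low so the example runs instantly.

```python
"""Offline cracking of a leaked password table: the dump's hash scheme decides how
much work the attacker must do and what the table leaks before any guessing starts."""
import hashlib
import os
from dataclasses import dataclass, field

# Constructed sample data for this example, not a real leak.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "Winter2024!", "dave": "7vR!q2#LmZpe"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "Winter2024!"]
# Kept low so the example runs instantly; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000.
ITERATIONS = 20_000


@dataclass
class Row:
    user: str
    digest: bytes
    salt: bytes = b""  # empty salt marks the weak, unsalted scheme


@dataclass
class CrackResult:
    hash_ops: int = 0  # hash/KDF evaluations the attacker had to perform
    cracked: dict = field(default_factory=dict)  # user -> recovered password


def weak_hash(password: str) -> bytes:
    # Fast and unsalted: identical passwords give identical digests across users and across breaches.
    return hashlib.sha256(password.encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    # Per-user random salt plus a deliberately slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_dump(users: dict, scheme: str) -> list:
    """Simulate the table an attacker obtains from a database dump."""
    if scheme == "unsalted":
        return [Row(u, weak_hash(p)) for u, p in users.items()]
    rows = []
    for u, p in users.items():
        salt = os.urandom(16)
        rows.append(Row(u, strong_hash(p, salt), salt))
    return rows


def shared_passwords(rows: list) -> list:
    """Users whose digests collide: visible in an unsalted dump before a single guess is made."""
    groups = {}
    for r in rows:
        groups.setdefault(r.digest, []).append(r.user)
    return [g for g in groups.values() if len(g) > 1]


def crack(rows: list, wordlist: list) -> CrackResult:
    res = CrackResult()
    if all(r.salt == b"" for r in rows):
        # Unsalted: hash each guess once, then look it up against every row.
        table = {}
        for w in wordlist:
            table[weak_hash(w)] = w
            res.hash_ops += 1
        for r in rows:
            if r.digest in table:
                res.cracked[r.user] = table[r.digest]
        return res
    # Salted: precomputation is useless; every (guess, user) pair costs one slow KDF call.
    for r in rows:
        for w in wordlist:
            res.hash_ops += 1
            if strong_hash(w, r.salt) == r.digest:
                res.cracked[r.user] = w
                break
    return res


if __name__ == "__main__":
    for scheme in ("unsalted", "salted"):
        dump = build_dump(SAMPLE_USERS, scheme)
        r = crack(dump, WORDLIST)
        print(f"{scheme}: {r.hash_ops} hash ops, cracked {sorted(r.cracked)}, shared {shared_passwords(dump)}")
```

Both schemes give up the three weak passwords, which is the point: hashing is not a substitute for strong, unique passwords. What the salted slow scheme changes is the cost per guess (one KDF call per user per candidate instead of one fast hash per candidate for the whole table) and what the raw dump reveals (no pairs of users with visibly identical passwords).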

An additional, more insidious form of credential dumping steals credentials from running systems in real time. Because Windows keeps logged-on users' credentials in the memory of the LSASS process to support single sign-on, an attacker who has gained administrative rights can read that process's memory and dump credentials straight to a terminal or file. On current Windows versions the plaintext copy is normally no longer cached (WDigest caching has been disabled by default since Windows 8.1 and Server 2012 R2), but the NT hashes and Kerberos tickets still held in memory are valuable on their own.

Common attacks that can lead to a credential dump include:

  • Zero-Day Exploits: A zero-day is a vulnerability the vendor does not yet know about or has not yet patched. Attackers holding such an exploit can use it to gain administrative access to a piece of software or a system, and from there reach the credential stores.
  • Unpatched Software: A zero-day at least leaves developers and admins with no chance to have fixed it in advance. Unfortunately, a great deal of hardware, software, and platforms remain unpatched long after critical security updates are available, handing attackers well-documented, reliable entry points.
  • Social Engineering: If attackers can phish their way onto an administrator's system, they have free rein to expose passwords. Phishing is typically the front line of most intrusions and is often the first sign of a larger attack.

According to MITRE ATT&CK (technique T1003, OS Credential Dumping), several popular and widespread utilities are used for credential dumping, including the open-source mimikatz tool, which set the pattern most later tools follow.
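Reading LSASS memory, as described above for in-memory dumping and for tools like mimikatz, requires opening a handle to lsass.exe with read access, and Sysmon Event ID 10 (ProcessAccess) records exactly that. The following is an added example, not code from the original article or from 1Kosmos, of the detection logic a SOC would run over such events. The event lines are a constructed "key=value;key=value" rendering of Sysmon fields (not Sysmon's native XML), the source paths are invented, and the allowlist is a hypothetical per-environment setting that has to be tuned and that a renamed binary can bypass.

```python
"""Flag processes that open a memory-reading handle to lsass.exe, using Sysmon Event ID 10
(ProcessAccess) records. Sample events are constructed for this example."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Windows process access rights (winnt.h). Reading LSASS memory needs PROCESS_VM_READ.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
# Access masks commonly seen when LSASS is dumped (mimikatz sekurlsa, MiniDumpWriteDump callers).
KNOWN_DUMP_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Hypothetical allowlist for this example; tune per environment. Path matching is bypassable.
ALLOWLIST = {r"c:\windows\system32\wininit.exe"}

# Constructed events: one dumper, one benign query, one allowlisted, one injected dumper, two unrelated.
SAMPLE_EVENTS = [
    r"EventID=10;SourceImage=C:\Users\jdoe\Downloads\tool.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\jdoe\Downloads\tool.exe+1a2b",
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1400;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=10;SourceImage=C:\Windows\System32\wininit.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1fffff;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=10;SourceImage=C:\Windows\System32\rundll32.exe;TargetImage=C:\Windows\system32\lsass.exe;GrantedAccess=0x1fffff;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001F3A0B10000)",
    r"EventID=10;SourceImage=C:\Windows\System32\taskmgr.exe;TargetImage=C:\Windows\System32\notepad.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"EventID=1;Image=C:\Windows\System32\cmd.exe;CommandLine=cmd.exe /c whoami",
]


@dataclass
class Alert:
    source: str
    mask: int
    rights: list
    severity: str
    reason: str


def decode_mask(mask: int) -> list:
    """Names of the access rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.strip().split(";"))


def detect_lsass_access(line: str) -> Alert | None:
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if ntpath.basename(ev.get("TargetImage", "")).lower() != "lsass.exe":
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    mask = int(ev.get("GrantedAccess", "0"), 16)
    if not mask & PROCESS_VM_READ:
        return None  # a handle without VM_READ cannot read credential material
    reasons = ["PROCESS_VM_READ on lsass.exe"]
    severity = "medium"
    if mask in KNOWN_DUMP_MASKS:
        reasons.append(f"access mask 0x{mask:x} matches a known dumper pattern")
        severity = "high"
    if "UNKNOWN" in ev.get("CallTrace", ""):
        # A call trace frame with no backing module usually means injected or shellcode-resident code.
        reasons.append("call trace includes unbacked memory (UNKNOWN)")
        severity = "high"
    return Alert(source, mask, decode_mask(mask), severity, "; ".join(reasons))


def scan(lines: list) -> list:
    return [a for a in (detect_lsass_access(line) for line in lines) if a]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.source} -> lsass.exe 0x{a.mask:x} {a.rights}: {a.reason}")
```

The svchost.exe event is ignored because 0x1400 carries only query rights, and the wininit.exe event because it is allowlisted; the other two lsass.exe handles are flagged. In production this rule sits alongside preventive controls (LSA protection, Credential Guard) rather than replacing them, and the allowlist should be keyed on signer and hash rather than path alone.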

Why Is Credential Dumping Such a Major Problem?

Any attack that exposes system credentials is a significant problem for overall system security and integrity. Dumping adds a further issue: these attacks reach credentials through multiple avenues, often without system administrators or users ever knowing that a copy has been taken.

Some of the common problems will include:

  • Total System or Account Control: Dumping local security credentials means losing control of that system. Following that, the hacker is free to install malware, place monitoring software that doesn’t register as malware, or use the computer as a zombie machine in a large botnet.
  • Lateral Movement: On a network of computers, an attacker holding local or Active Directory credentials can move through the network with the same privileges and authority as the compromised user. Lateral movement is one of the defining capabilities of Advanced Persistent Threats (APTs).
  • Business Account Phishing Attacks: If the attacker obtains credentials that are shared or reused across enterprise accounts, they have plenty of leeway to use those accounts to, for example, send emails or direct messages as a trusted user throughout the organization and harvest further credentials.
  • The Credentials Black Market: The worst part of a database dump? Attackers readily sell dumped databases, cracked or uncracked, on the dark web. Once a database is in the wild, it is only a short time before its credentials are tried against other services in credential stuffing attacks, and its cracked passwords feed the lists used for password spraying.

How Can I Prevent Credential Dumping Attacks?

In terms of prevention, we run into a more diverse set of best practices than for narrow attacks like password guessing or phishing. The fact is that, in some cases, dumping attacks arrive through vectors that admins don't even know about.

That doesn’t mean your company shouldn’t follow every possible security practice necessary to prevent the issue. Some of the most important practices to put into place include:

  • Patch Your Operating Systems and Network Software: Always, always, always patch hardware and software as soon as security updates ship. Many patches close vulnerabilities that are already being exploited in the wild, so the gap between release and installation is the attacker's window.
  • Force Use of Unique Credentials: If an employee uses the same credentials across several platforms or systems, a single dump exposes all of those accounts. A crafty attacker will try the dumped credentials across every platform and take control of whatever accepts them. By enforcing unique passphrases per system, you limit a credential dump to the system it came from.
  • Secure Administrator Passwords: Administrator passwords are the keys to the kingdom. Most security experts recommend a local administrator password solution (such as Microsoft LAPS, which gives every machine a unique, regularly rotated local admin password) on top of other controls, so that a hash dumped from one machine does not open every other machine. Privileged credentials are also best kept off general-purpose networks and, where possible, tied to hardware authenticators such as security keys.

Additionally, you can take a few effective steps on the user side to reduce the impact of a credential dump should it lead to hackers gaining access to the system. These include:

  • Force MFA for All Authentication: MFA will not stop an attacker who already has administrative code running on a system via a zero-day, but it does stop dumped passwords from being reused against external services. More importantly, MFA can halt lateral movement when the next system demands a second factor. Note that MFA protects the logon, not the hash or ticket already in memory: inside a domain, pass-the-hash and ticket replay do not encounter an interactive second factor.
  • Use Passwordless Authentication: If someone dumps a password from a local system, does passwordless help? Partly. Passwordless authentication applies mainly to applications and platforms; where it is deployed there is no password to dump, so credentials stolen elsewhere have nothing to match against. Like MFA, it fences in attackers trying to reuse dumped credentials.
  • Operate Using Principles of Least Privilege and Zero Trust: Many organizations running mission-critical systems in the industrial and government sectors are turning to PoLP and zero trust specifically to minimize the impact of a single compromised account. Depending on your organization's work and the data it processes, this may be the right path for you as well.

Lock Down User Accounts with 1Kosmos

No system is 100% secure. As hackers dig into exploits that could expose databases or even credentials stored in RAM, there is a hard limit as to what an authentication solution may accomplish to prevent credential dumping.

But, good authentication security can prevent common threats that stem from dumping and should not be overlooked.

1Kosmos helps with such security by including the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities so that they are accessible only by the user. The distributed design leaves no central database to breach and no honeypot for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

To learn about the next generation of contact-free authentication solutions powered by biometrics and blockchain technology, read more on Passwordless Enterprise solutions. Also, sign up for the email newsletter to stay up to date on 1Kosmos products and services.

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.