impacket-ntfs-read

Read a file from a remote NTFS share

$ impacket-ntfs-read '[domain]/[user]:[password]@[192.168.1.100]' '[C$\Windows\System32\config\SAM]'

$ impacket-ntfs-read -hashes ':[nthash]' '[domain]/[user]@[192.168.1.100]' '[share\path\to\file]'

$ impacket-ntfs-read -k -no-pass '[domain]/[user]@[target]' '[C$\path\to\file]'

impacket-ntfs-read [-h] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey KEY] [-dc-ip IP] target path

impacket-ntfs-read reads files from remote Windows systems via SMB by directly parsing the NTFS file system structures. This allows reading files that might be locked by the operating system, such as registry hives or other system files.
The tool connects to administrative shares (C$, ADMIN$) and reads files at the raw NTFS level, bypassing Windows file locking mechanisms. This is particularly useful for extracting sensitive files during penetration tests.

-hashes LMHASH:NTHASH

Use NTLM hashes for authentication instead of password

Don't ask for password (useful with -k)

Use Kerberos authentication from ccache file

AES key to use for Kerberos authentication

IP address of the domain controller (for Kerberos)

Requires administrative access to the target system (access to C$ or ADMIN$ shares). Some files may still be inaccessible due to NTFS permissions. The path should use backslashes and reference the share name.

Part of the Impacket library by SecureAuth. The tool implements NTFS parsing over SMB to enable reading locked files, a technique commonly used in credential extraction workflows.

impacket-secretsdump(1), smbclient(1), impacket-smbclient(1)