LinuxCommandLibrary

impacket-secretsdump

Dump secrets from Windows systems remotely


SYNOPSIS

impacket-secretsdump.py [[-hashes LMHASH:NTHASH] | [-no-pass] | [-k] | [-aesKey hexkey]]
[[-just-dc] | [-just-dc-user username]] [-use-vss] [-outputfile file]
target_name/username[:password]@target_ip_or_hostname
OR
impacket-secretsdump.py -system SYSTEM_FILE -ntds NTDS_FILE
[-security SECURITY_FILE] [-sam SAM_FILE] [-bootkey BOOTKEY] [-outputfile file]

PARAMETERS

-hashes LMHASH:NTHASH
    Authenticates with the supplied LM:NT hash pair instead of a password (pass-the-hash); the LM half may be the empty-password value when only the NT hash is known.

-no-pass
    Do not ask for a password; use an empty string. Useful for anonymous or guest access.

-k
    Uses Kerberos authentication instead of NTLM. A TGT (Ticket Granting Ticket) must be available in the Kerberos cache.

-aesKey hexkey
    Specifies the AES key to use for Kerberos authentication (128 or 256 bits in hex format).

-just-dc
    Dumps only the domain account data held in NTDS.dit (NTLM hashes and Kerberos keys). This path requests the data through DRSUAPI, the directory replication interface.

-just-dc-user username
    Dumps only the specified user's information from the domain controller.

-use-vss
    Uses the Volume Shadow Copy Service (VSS) to take a snapshot from which the NTDS.dit database is read, so the live, locked copy does not block the dump.

-outputfile file
    Writes the dumped credentials to the specified file.

-system SYSTEM_FILE
    Path to the local SYSTEM registry hive file for offline parsing. Required for offline mode.

-ntds NTDS_FILE
    Path to the local NTDS.dit database file for offline parsing. Required for offline mode.

-security SECURITY_FILE
    Path to the local SECURITY registry hive file for offline parsing.

-sam SAM_FILE
    Path to the local SAM registry hive file for offline parsing.

-bootkey BOOTKEY
    Specifies the bootkey (syskey) for decrypting offline data. If not provided, the tool attempts to extract it from the SYSTEM hive.

-user-history
    Dumps password history hashes for accounts, if available.

-format format
    Specifies the output format for hashes, e.g., 'john' for John the Ripper compatible format, or 'hashcat'.

-dc-ip ip address
    IP address of the domain controller, used when the target is a member server or when the DC's address differs from the target IP.

-target-ip ip address
    IP address of the target machine, useful when its hostname does not resolve.

DESCRIPTION

impacket-secretsdump is a powerful Python-based utility from the Impacket toolkit designed for extracting sensitive credential material from Windows machines, primarily domain controllers. It leverages various Windows authentication protocols (such as SMB, WMI, DRSUAPI, and SAMR) to remotely dump user hashes (NTLM), Kerberos AES keys, and LSA secrets. The tool can operate in two primary modes: remotely connecting to a live target system (e.g., a Domain Controller) or parsing offline system files (NTDS.dit, SYSTEM, SAM, SECURITY registry hives). It's a critical tool for penetration testers, red teamers, and security auditors to assess an organization's internal network security posture by identifying and extracting valuable credential data that can be used for further lateral movement or privilege escalation. Successful execution typically requires administrative or domain administrative privileges on the target.

CAVEATS

Using impacket-secretsdump requires appropriate ethical authorization. Unauthorized use against systems is illegal.
The tool needs administrative privileges on the target Windows machine for remote dumping.
Its network activity can be detected by Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Endpoint Detection and Response (EDR) solutions.
Offline parsing requires direct access to specific system files (NTDS.dit, registry hives) and potentially the bootkey.
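As an added example (not from this page or from Impacket) of the detection the caveats above refer to: the DRSUAPI path used by -just-dc makes the domain controller log Security event 4662 carrying the replication control-access GUIDs, which are standard Active Directory values; the signal is a principal that is not a domain controller account exercising them. The event records, host names and user names below are constructed.

```python
# Control-access-right GUIDs that DRSUAPI replication requires. These are the
# standard Active Directory schema values, not values specific to this page.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def find_unexpected_replication(events, dc_accounts):
    """Return (subject, rights) for each Security event 4662 in which a principal
    that is not a known domain controller account exercised replication rights."""
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPL_GUIDS.items() if guid in props)
        if not rights:
            continue  # 4662 for some other object access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # DC-to-DC replication is expected traffic
        hits.append((subject, rights))
    return hits


# Constructed sample records in the shape of Windows Security event 4662 fields.
# 'DC01$' / 'DC02$' and 'jdoe' are hypothetical; the last property GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]

if __name__ == "__main__":
    for subject, rights in find_unexpected_replication(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"{subject}: {', '.join(rights)}")
```

In production the dc_accounts list would come from the domain's Domain Controllers OU rather than a literal, and the records from the DC's Security log export.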

USAGE SCENARIOS

Remote Dumping: Connects to a live Windows machine (typically a Domain Controller) over the network to extract credentials. This mode requires valid administrative credentials on the target and relies on protocols like SMB, RPC, and DRSUAPI.
Offline Dumping: Parses previously extracted system files (NTDS.dit, SYSTEM, SAM, SECURITY hives) from a compromised machine to recover credentials without live network interaction. This method often requires the system's bootkey for decryption.

OUTPUT FORMAT

The default output for NTLM hashes typically follows the format: username:id:lmhash:nthash:::. This format is compatible with many hash cracking tools. Kerberos keys (RC4/AES) are usually presented alongside the NTLM hash for relevant accounts, especially for domain users/machines.
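An added example, not part of this page or of Impacket, that parses the username:id:lmhash:nthash::: lines described above the way an auditor would after an authorised dump: it flags accounts that still store an LM hash, accounts with a blank password, and NT hashes shared by several accounts (password reuse). The sample output and every hash in it, apart from the well-known empty-password constants, are constructed.

```python
import re
from collections import defaultdict

# Default secretsdump NTLM line: username:rid:lmhash:nthash:::
NTLM_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Hashes of the empty password; published constants, not secrets.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_ntlm_lines(text):
    """Yield (user, rid, lmhash, nthash); status and Kerberos-key lines are skipped."""
    for line in text.splitlines():
        m = NTLM_LINE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()


def audit_dump(text):
    """Summarise hygiene findings: LM hashes still stored, blank passwords,
    and NT hashes shared by more than one account (password reuse)."""
    lm_stored, blank_pw = [], []
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_ntlm_lines(text):
        if lm != EMPTY_LM:
            lm_stored.append(user)   # LM storage still enabled for this account
        if nt == EMPTY_NT:
            blank_pw.append(user)    # account has an empty password
        by_nt[nt].append(user)
    reuse = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    return {"lm_stored": lm_stored, "blank_password": blank_pw, "reuse": reuse}


# Constructed sample output; the NT hashes are placeholders except Guest's,
# which is the empty-password constant. 'CORP' and the user names are hypothetical.
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
CORP\\legacyapp:1106:11111111111111111111111111111111:ffeeddccbbaa99887766554433221100:::
CORP\\legacyapp:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""

if __name__ == "__main__":
    for finding, value in audit_dump(SAMPLE).items():
        print(finding, value)
```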

HISTORY

impacket-secretsdump (originally secretsdump.py) is a prominent utility within the Impacket framework, developed by SecureAuth (now part of Fortra/Core Security). Impacket was initially created to provide Python classes for working with network protocols, with a strong focus on SMB, RPC, and Kerberos. secretsdump.py emerged as one of its most impactful tools for post-exploitation, allowing security professionals to mimic techniques used by attackers to extract credential material from Windows systems. Its development has continuously adapted to changes in Windows security, maintaining its relevance in offensive security and red teaming engagements.

SEE ALSO

impacket-psexec, impacket-smbclient, impacket-wmiexec, john(1), hashcat(1)
