impacket-secretsdump

extracts credentials from Windows systems via SAM, LSA secrets, cached

TLDR

Dump secrets from domain controller

$ impacket-secretsdump [domain]/[user]:[password]@[target]

Dump using NTLM hash

$ impacket-secretsdump -hashes :[hash] [domain]/[user]@[target]

Dump from local SAM file

$ impacket-secretsdump -sam [SAM] -system [SYSTEM] LOCAL

Dump NTDS.dit

$ impacket-secretsdump -ntds [ntds.dit] -system [SYSTEM] LOCAL

Just DCSync (no registry)

$ impacket-secretsdump -just-dc [domain]/[user]:[password]@[dc]

SYNOPSIS

impacket-secretsdump [options] target

impacket-secretsdump extracts credentials from Windows systems via SAM, LSA secrets, cached credentials, and NTDS.dit. Part of the Impacket toolkit. Supports DCSync for domain controllers. For authorized penetration testing and security assessments only.

PARAMETERS

-hashes lm:nt

Use NTLM hashes.

-sam file

Local SAM file.

-system file

Local SYSTEM hive.

-ntds file

NTDS.dit file.

-just-dc

Extract only NTDS.dit data via DCSync.

-just-dc-ntlm

Extract only NTLM hashes.

-k

Use Kerberos authentication.

CAVEATS

Highly sensitive operation. Requires administrator/domain admin access. For authorized security testing only.