LinuxCommandLibrary

impacket-secretsdump

Dump secrets from Windows systems remotely

TLDR

View documentation for the original command

$ tldr secretsdump.py

SYNOPSIS

secretsdump.py [options]

PARAMETERS

-debug
    Turns DEBUG output ON

-ts
    Adds timestamp to every line

-dc-ip
    IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter

-target-ip
    IP Address of the target machine. If omitted it will use whatever was specified as target (hostname, FQDN, etc.)

-port
    Port to connect to (default: 445)

-userfile
    File containing usernames to use for brute-forcing

-no-pass
    Don't ask for password. Useful for Kerberos authentication

-k
    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified, if any

-aesKey
    AES key to use for Kerberos Authentication (128 or 256 bits)

-hashes
    NTLM hashes, format is lmhash:nthash

-domain
    Domain name to use for Kerberos authentication. If omitted, the domain part of the target parameter will be used

-outputfile
    Base output filename. Extensions will be added for each type of secret

-use-vss
    Use VSS method for reading NTDS.dit (only useful against Domain Controllers)

-pwd-last-set
    Shows the pwdLastSet attribute for each user

-system
    SYSTEM hive file (required for local SAM dumping)

-sam
    SAM hive file (required for local SAM dumping)

-security
    SECURITY hive file (required for LSA secrets dumping)

-ntds
    NTDS.DIT file (required for DCSync)

-resumefile
    Resume file to resume the last ntfsdump session

-dc-host
    Hostname of the domain controller to use. If omitted, the domain part (FQDN) specified in the target parameter will be used


    [[domain/]username[:password]@]

DESCRIPTION

impacket-secretsdump is a Python script from the Impacket library that extracts secrets (hashes, passwords, Kerberos keys, etc.) from various targets, including local SAM database files, remote Windows systems via RPC, and Active Directory domains.

It's a powerful tool used in penetration testing and security audits to retrieve sensitive information that can be leveraged for lateral movement and privilege escalation within a Windows environment. The script supports different dumping methods such as remote SAM registry dumping, DRSUAPI, and VSS snapshots. It prioritizes methods according to the available user rights and network configuration.

Successfully extracting secrets often depends on having sufficient privileges (e.g., administrator or domain administrator) and properly configured network connectivity to the target. It is vital to use this tool responsibly and ethically, only on systems where you have explicit authorization to do so.
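
The DRSUAPI method mentioned above is directory replication, which a domain controller can record as Security event 4662 carrying the replication control-access rights. The following Python code is an added example, not part of the original page or of Impacket: it flags such events when the requesting account is not a known domain controller. The JSON-lines export format, the account names and the sample events are assumptions constructed for illustration, and the events are only logged when directory service access auditing is enabled.

```python
import json

# Control-access rights that DRSUAPI replication requests are audited under
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: machine accounts of the real domain controllers (hypothetical names)
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample: Security event records exported as JSON lines (hypothetical export)
SAMPLE_EVENTS = """
{"EventID": 4662, "TimeCreated": "2024-05-02T09:14:07Z", "SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "TimeCreated": "2024-05-02T09:20:41Z", "SubjectUserName": "svc_backup", "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4624, "TimeCreated": "2024-05-02T09:21:02Z", "SubjectUserName": "alice"}
{"EventID": 4662, "TimeCreated": "2024-05-02T09:25:30Z", "SubjectUserName": "alice", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"}
not-json garbage line
"""

def find_replication_requests(text, known_dcs=KNOWN_DCS):
    """Return 4662 events that carry a replication right and do not come from a known DC."""
    allowed = {name.upper() for name in known_dcs}
    findings = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict) or event.get("EventID") != 4662:
            continue
        props = str(event.get("Properties", "")).lower()
        rights = sorted(n for g, n in REPLICATION_GUIDS.items() if g in props)
        user = str(event.get("SubjectUserName", ""))
        if rights and user.upper() not in allowed:
            findings.append({"time": event.get("TimeCreated"), "user": user, "rights": rights})
    return findings

if __name__ == "__main__":
    for hit in find_replication_requests(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}: {', '.join(hit['rights'])}")
```

The allowlist of domain controller accounts is what keeps normal replication between controllers out of the results, so it has to be maintained alongside the environment.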

CAVEATS

This command requires appropriate privileges on the target system to function correctly. Failure to have the necessary permissions will result in errors or incomplete data retrieval. Using this tool without authorization is illegal and unethical.

EXAMPLE USAGE

Extracting secrets from a local SAM database using SAM and SYSTEM hives:

$ secretsdump.py -sam SAM -system SYSTEM LOCAL

Extracting secrets from a remote machine via RPC:

$ secretsdump.py administrator:password@targetmachine

Extracting secrets from NTDS.dit:

$ secretsdump.py -ntds ntds.dit -system system LOCAL

HISTORY

impacket-secretsdump is part of the Impacket collection of Python classes for working with network protocols. Impacket has been actively developed and maintained by SecureAuth Corporation and the open-source community. The tool's usage has evolved alongside Windows security mechanisms, adapting to new authentication protocols and security measures implemented by Microsoft.

SEE ALSO

psexec(1), smbclient(1), net(1)
