LinuxCommandLibrary

impacket-secretsdump

Dump secrets from Windows systems remotely

TLDR

View documentation for the original command

$ tldr secretsdump.py

SYNOPSIS

impacket-secretsdump [options] [[domain/]username[:password]@]target
impacket-secretsdump [options] LOCAL

PARAMETERS

-h, --help
    Show help message and exit

-hashes LMHASH:NTHASH
    NTLM hashes for authentication (empty LM implies NT only)

-no-pass
    Don't prompt for password (use hashes or Kerberos)

-k
    Use Kerberos authentication from ccache

-aesKey AESKEY
    AES key for Kerberos

-dc-ip IP
    IP of Domain Controller for Kerberos

-target-ip IP
    IP of target system (spoof source)

-port PORT
    SMB port (default 445)

-use-vss
    Use VSS for NTDS.dit extraction on DCs

-just-dc
    Dump only DC secrets (faster)

-just-dc-user user
    Dump single DC user

-system SYSTEM.hive
    Local SYSTEM hive file

-sam SAM.hive
    Local SAM hive file

-security SECURITY.hive
    Local SECURITY hive file

-bootkey BOOTKEY
    Bootkey for local hive decryption

-debug
    Turn DEBUG output ON

-outputfile FILE
    Base output filename (no extension)

DESCRIPTION

impacket-secretsdump is a powerful tool from the Impacket suite, designed for extracting credential secrets from Windows systems. It supports remote dumping of SAM hashes, SYSTEM/LSA secrets, and cached domain credentials over SMB. For Domain Controllers, it can extract NTDS.dit hashes using Volume Shadow Copy Service (VSS).

Authentication uses NTLM (password or hashes) or Kerberos tickets. Output mimics lsass dumps, compatible with tools like hashcat or John the Ripper for cracking. Ideal for penetration testing, it requires administrative access (e.g., via DCSync or SMBExec).

Key features include support for various Windows versions (XP to 2019+), custom output formats, and local hive file parsing as fallback. It's scriptable for automation in red team operations but demands network access and valid creds/hashes. Use it only in ethical security assessments.

CAVEATS

Requires SMB (445/tcp) access and admin privileges. Detectable by EDR/AV. Fails on patched/modern Windows without bypasses. Not for unpatched targets post-2020.

OUTPUT FORMAT

Hashes in $krb5tgs$23$*user$realm$krbtgt$hash* or NTLM format. Includes RID:LM:NT:::. Use hashcat -m 1000 for cracking.
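
An added example (not from the original page or the Impacket project): a parser for the `user:RID:LM:NT:::` lines described above, used to audit the output of an authorized assessment for blank passwords, stored LM hashes and password reuse without cracking anything. The function names, account names and all hashes other than the two well-known constants are constructed for this example.

```python
import re
from collections import defaultdict

# Well-known constants: NT hash of the empty password, and the LM "no hash" placeholder.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# [DOMAIN\]user:RID:LMHASH:NTHASH:::  (trailing text after ::: is tolerated)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

def parse_dump(text):
    """Return one dict per well-formed hash line; status and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec.update(rid=int(rec["rid"]), lm=rec["lm"].lower(), nt=rec["nt"].lower())
            records.append(rec)
    return records

def audit(records):
    """Report account names only; no hash value is returned or cracked."""
    by_nt = defaultdict(list)
    for r in records:
        if not r["user"].endswith("$"):  # skip machine accounts (names end in $)
            by_nt[r["nt"]].append(r["user"])
    blank = by_nt.pop(EMPTY_NT, [])
    return {
        "blank_password": sorted(blank),
        "lm_hash_stored": sorted(r["user"] for r in records if r["lm"] != EMPTY_LM),
        "shared_password": sorted(sorted(u) for u in by_nt.values() if len(u) > 1),
    }

# Constructed sample: every account name and hash below is made up for this example.
SAMPLE = r"""
[*] status line, ignored by the parser
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\alice:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\legacy:1106:fedcba9876543210fedcba9876543210:ffeeddccbbaa99887766554433221100:::
CORP\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE)))
```
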

EXAMPLE USAGE

impacket-secretsdump -just-dc domain/admin:pass@dc01
impacket-secretsdump -system SYSTEM -sam SAM LOCAL

HISTORY

Part of Impacket, originally by SecureAuth Corporation (2010s). secretsdump.py inspired by Mimikatz (2011+). Evolved with Windows updates; VSS support added ~2016. Maintained on GitHub by fortra/impacket.

SEE ALSO

impacket-psexec(1), impacket-smbexec(1), crackmapexec(1)
