secretsdump.py
Dump secrets from Windows systems
TLDR
Dump credentials from a Windows machine using a username and password
Dump hashes from a machine using pass-the-hash authentication
Dump credentials from Active Directory’s NTDS.dit file
Extract credentials from a local SAM database using registry hives
Dump hashes from a machine without providing a password (if a valid authentication session exists, e.g. via Kerberos or NTLM SSO)
SYNOPSIS
secretsdump.py [options]
PARAMETERS
-h, --help
Show help message and exit.
-debug
Turn DEBUG output ON
-ts
Adds timestamp to every logging output
-quiet
Reduces output amount to errors only
-user-agent
Sets the User-Agent string to be used when accessing web servers
-k, --kerberos
Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified via the command line options (username:password).
-hashes
NTLM hashes, format is LM:NT
-no-pass
Don't ask for password (useful for Kerberos authentication)
-aesKey
AES key to use for Kerberos Authentication (128 or 256 bits)
-dc-ip
IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
-use-vss
Tries to extract NTDS.dit from the VSS shadow copy
-just-dc
Only extract domain controller data
-just-dc-user
Only extract the data for the specified user
-pwd-last-set
Show password last set timestamp for each user
-userfile
File containing usernames to extract the data from (one per line)
-outputfile
Base filename for output files. If not specified, defaults to
-dump-json
Produce JSON files instead of TXT
-resumefile
Resume the dump from the point it was left
-sam
Dump SAM secrets (requires local administrator privileges)
-system
Dump SYSTEM secrets (requires local administrator privileges)
-ntds
Dump NTDS.dit secrets (requires domain administrator privileges)
Specifies the target. It can be the hostname or IP address of the target system, or a path to an offline NTDS.dit file.
Specifies the domain, username, and optional password for authentication. If no password is provided, the script will prompt for it.
DESCRIPTION
secretsdump.py is a Python script, part of the Impacket suite, used to dump secrets (hashes, passwords, Kerberos keys, etc.) from Windows systems. It leverages various techniques to extract this information, including remote registry access, NTDS.dit parsing, vssadmin.exe usage (for shadow copies), and more.
The tool is valuable for penetration testing and security auditing, allowing security professionals to assess the security posture of Windows environments by identifying potentially weak or compromised credentials. secretsdump.py supports dumping secrets from live systems, offline NTDS.dit files, and shadow copies. It supports different authentication methods such as username/password, hash and Kerberos.
It is important to use this tool responsibly and ethically, as unauthorized access to sensitive information can have serious consequences.
CAVEATS
secretsdump.py requires appropriate privileges to access the target system or NTDS.dit file. Domain administrator privileges are often required to dump the NTDS.dit. Enabling SMB signing on the target server will cause this tool to fail.
AUTHENTICATION METHODS
The tool supports various authentication methods: username/password, NTLM hashes, and Kerberos. Using Kerberos (-k) is recommended in environments where it's properly configured, as it avoids sending NTLM hashes over the network.
When specifying credentials with a password and domain name, make sure that the target system can reach the specified domain; this can become a problem when parsing an NTDS file.
OUTPUT FORMAT
secretsdump.py can output the extracted secrets in various formats, including plain text and JSON. The -outputfile option allows specifying a prefix for the output files, while the -dump-json option enables JSON output for machine-readable parsing.
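As an added example, not code from Impacket or from this page, the following Python audit script reads the pwdump-style text lines that secretsdump.py writes (assumed here to have the form domain\user:rid:lmhash:nthash:::, with an optional trailing annotation such as the one added by -pwd-last-set) and flags the credential-hygiene problems an auditor looks for: empty passwords, accounts that still store an LM hash, and NT hashes shared between accounts. The sample dump, its user names and its non-empty hash values are constructed; only the two well-known empty-password hashes are real.

```python
"""Audit a secretsdump.py text dump for weak or reused credentials (added example)."""
import re
from collections import defaultdict

# Well-known values: NT hash of the empty password and the LM "no hash" placeholder.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# One hash line: user:rid:lmhash:nthash::: (anything after the ::: is ignored,
# so lines annotated by -pwd-last-set still parse).
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)

# Constructed sample dump; the hash values other than the empty-password ones are made up.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\legacyuser:1200:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
"""


def parse_dump(text):
    """Return a list of (user, rid, lm, nt) tuples; status/banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return records


def audit(records):
    """Flag empty passwords, stored LM hashes and NT hashes reused across accounts."""
    findings = {"empty_password": [], "lm_hash_present": [], "reused_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in records:
        if nt == EMPTY_NT_HASH:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM_HASH:
            findings["lm_hash_present"].append(user)
        by_nt[nt].append(user)
    findings["reused_nt_hash"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    for category, hits in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{category}: {hits}")
```

Run it against a real dump by reading the -outputfile text file into parse_dump instead of SAMPLE_DUMP; the reused-hash finding is the usual starting point for locating shared service-account passwords.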
HISTORY
secretsdump.py is part of the Impacket suite, developed by Fortra (Core Security). It has been actively maintained and updated over the years to incorporate new techniques and address vulnerabilities in Windows systems.
SEE ALSO
smbclient(1), ntlmrelayx.py(1), getST.py(1)