LinuxCommandLibrary

secretsdump.py

Dump secrets from Windows systems

TLDR

Dump credentials from a Windows machine using a username and password

$ secretsdump.py [domain]/[username]:[password]@[target]

Dump hashes from a machine using pass-the-hash authentication
$ secretsdump.py -hashes [LM_Hash]:[NT_Hash] [domain]/[username]@[target]

Dump credentials from Active Directory's NTDS.dit file
$ secretsdump.py -just-dc [domain]/[username]:[password]@[target]

Extract local account hashes offline from saved SAM and SYSTEM hive copies (the SYSTEM hive supplies the boot key needed to decrypt the SAM)
$ secretsdump.py -sam [path/to/SAM] -system [path/to/SYSTEM] LOCAL

Dump hashes using an existing Kerberos ticket (the ccache file named by KRB5CCNAME) instead of a password; the target must be the host's FQDN rather than an IP so that it matches the ticket's service name
$ KRB5CCNAME=[path/to/ticket.ccache] secretsdump.py -k -no-pass [domain]/[username]@[target_fqdn]

SYNOPSIS

secretsdump.py [options] target_specification

Where target_specification can be:
    LOCAL (parse hive or NTDS files given with -sam, -system, -security or -ntds on the machine where secretsdump.py runs; no network access)
    [[DOMAIN/]USERNAME[:PASSWORD]@]TARGET_IP_OR_HOSTNAME (dump from a remote system; if the password is omitted and none of -hashes, -no-pass or -k is given, it is prompted for)

PARAMETERS

-h, --help
    Shows the help message and exits.

-system
    Path to the SYSTEM hive file for offline credential extraction.

-sam
    Path to the SAM hive file for offline credential extraction.

-security
    Path to the SECURITY hive file for offline credential extraction.

-ntds
    Path to the NTDS.dit database file for offline Active Directory credential extraction.

-bootkey
    The System Boot Key (Syskey) to decrypt offline hive files.

-hashes LMHASH:NTHASH
    Authenticate with an NTLM hash pair instead of a password (pass-the-hash). The LM half may be left empty (":NTHASH"), since modern systems store no LM hash.

-k
    Use Kerberos authentication. Credentials are taken from the ccache file named by KRB5CCNAME, matched against the target; if no usable ticket is found, the password, hash or AES key given on the command line is used to request one.

-no-pass
    Don't ask for a password (useful when using -k or -hashes).

-just-dc
    Skip the SAM and LSA secrets and extract only NTDS.DIT data (NTLM hashes and Kerberos keys). With the default DRSUAPI method this is a DCSync: the domain controller is asked to replicate account secrets, so the account used needs replication rights on the domain.

-just-dc-ntlm
    Like -just-dc, but NTLM hashes only, without Kerberos keys.

-just-dc-user USERNAME
    Extract NTDS.DIT data for a single user. Only available with the DRSUAPI method; implies -just-dc.

-outputfile BASENAME
    Base name for output files; the extensions .sam, .secrets, .cached and .ntds are appended for each class of material.

-target-ip
    IP address of the target machine, useful if a hostname is provided and DNS resolution is an issue.

-use-vss
    Copy NTDS.dit from a Volume Shadow Copy on the domain controller instead of using the default DRSUAPI (DCSync) method.

-exec-method {smbexec,wmiexec,mmcexec}
    Remote command execution method used on the target. Only needed with -use-vss; the default DRSUAPI and remote registry paths execute no commands on the target. Default: smbexec.

DESCRIPTION

secretsdump.py is a Python script from the Impacket toolkit that extracts authentication material from Windows systems. It is widely used in penetration testing, red teaming and forensic analysis to obtain password hashes (NT and, on legacy systems, LM), Kerberos keys, LSA secrets and cached domain credentials.

The tool can retrieve credentials from several sources:

  • SAM, SYSTEM and SECURITY registry hives: local account hashes, the boot key needed to decrypt them, LSA secrets (machine account password, DPAPI_SYSTEM keys, service account passwords) and cached domain logons (DCC2). Remotely, the hives are read through the Remote Registry service; offline, saved hive copies (for example made with reg save or taken from a shadow copy) are parsed with the LOCAL target.
  • NTDS.dit: the Active Directory database on domain controllers, obtained either by asking the DC to replicate account secrets over DRSUAPI (the DCSync technique, the default) or by copying the file out of a Volume Shadow Copy (-use-vss).

secretsdump.py does not read the memory of the Local Security Authority Subsystem Service (LSASS) process; for in-memory credentials see mimikatz. The hashes it recovers can be used directly for pass-the-hash, which is why it is a standard tool for privilege escalation and lateral movement within Windows environments.

CAVEATS

Remote dumping of SAM and LSA secrets requires local administrator rights on the target, because the tool starts the Remote Registry service if it is stopped and writes temporary hive copies under the target's ADMIN$ share. DCSync (-just-dc) requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain, which by default are held only by Domain Admins, Enterprise Admins, the built-in Administrators group and domain controllers. Both paths leave evidence: the service start and hive writes are visible on the host, and each replication request is logged on the domain controller as event 4662 carrying the replication extended-right GUIDs, so EDR, antivirus and SIEM tooling routinely alert on this tool. It should only be used in authorized environments for legitimate security testing or forensic purposes, adhering strictly to ethical guidelines and legal regulations.
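The following is an added example of the detection side of that caveat, not code from Impacket or from this page: a DCSync detector run over a handful of constructed Windows Security events (field names follow the Security log EventData XML). It assumes a set of known domain controller accounts (DC_ACCOUNTS) and an allowlist of legitimate replication accounts such as an Entra Connect sync account (ALLOWLIST); both values are made up for the example. It also assumes that the "Audit Directory Service Access" subcategory is enabled on the DCs, otherwise event 4662 is never written.

```python
"""DCSync detection over parsed Windows Security events (added example,
not part of Impacket). Events are dicts keyed by EventData field name."""
import re

# Extended rights a DRSUAPI replication request (what secretsdump -just-dc
# does) must pass. The DC logs the check as 4662 "Control Access" with the
# right's GUID in Properties.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
CONTROL_ACCESS = 0x100  # AccessMask bit for extended-right checks

DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumed: the real domain controllers
ALLOWLIST = ("MSOL_1a2b3c",)      # assumed: a known directory sync account


def replication_rights(event):
    """Names of the replication rights listed in a 4662 Properties field."""
    guids = GUID_RE.findall(str(event.get("Properties", "")).lower())
    return sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)


def is_dcsync(event, dc_accounts, allowlist=()):
    """True if this 4662 is a replication request from a non-DC principal."""
    if event.get("EventID") != 4662:
        return False
    if int(str(event.get("AccessMask", "0")), 16) & CONTROL_ACCESS == 0:
        return False
    if not replication_rights(event):
        return False
    subject = event.get("SubjectUserName", "")
    # Only real DC computer accounts replicate legitimately. Do not exclude
    # every name ending in '$': an attacker-created or compromised machine
    # account that was granted replication rights is exactly what we want.
    if subject.upper() in {a.upper() for a in dc_accounts}:
        return False
    return subject.upper() not in {a.upper() for a in allowlist}


def detect_dcsync(events, dc_accounts, allowlist=()):
    """Return alerts, each joined to the 4624 logon that supplies a source IP.

    4662 carries no network address; its SubjectLogonId equals the
    TargetLogonId of the earlier 4624 for the same session.
    """
    logon_ip = {e["TargetLogonId"]: e.get("IpAddress")
                for e in events if e.get("EventID") == 4624}
    alerts = []
    for e in events:
        if is_dcsync(e, dc_accounts, allowlist):
            alerts.append({"user": e.get("SubjectUserName"),
                           "rights": replication_rights(e),
                           "logon_id": e.get("SubjectLogonId"),
                           "source_ip": logon_ip.get(e.get("SubjectLogonId"))})
    return alerts


SAMPLE_EVENTS = [  # constructed sample events, not real logs
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x3e7a1",
     "LogonType": "3", "IpAddress": "10.0.0.57"},
    # normal inter-DC replication
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e4", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # secretsdump -just-dc run as a user who was granted replication rights
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x3e7a1", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # known sync account: suppressed by the allowlist
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c", "SubjectLogonId": "0x5c1d0", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a workstation account replicating is never normal
    {"EventID": 4662, "SubjectUserName": "WS01$", "SubjectLogonId": "0x71f2", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ordinary attribute write: not replication
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x3e7a1", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS, ALLOWLIST):
        print(alert)
```

Run as-is it reports jsmith (with the source address 10.0.0.57 recovered from the 4624) and WS01$, and stays silent on the DC and the allowlisted sync account. The allowlist is the part that needs care in practice: every account you add to it is one an attacker can hide behind, so keep it to accounts whose replication is expected and review it when it changes.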

COMMON USAGE SCENARIOS

  • Offline dumping from saved hives:
        secretsdump.py -sam /path/to/SAM -system /path/to/SYSTEM LOCAL
  • Dumping Active Directory hashes via DCSync:
        secretsdump.py -just-dc DOMAIN/ADMIN_USER:PASSWORD@DOMAIN_CONTROLLER_IP
  • Remote dump of SAM hashes, LSA secrets and cached credentials with administrative credentials (password or pass-the-hash):
        secretsdump.py DOMAIN/ADMIN_USER:PASSWORD@TARGET_IP
        secretsdump.py -hashes :NTHASH DOMAIN/ADMIN_USER@TARGET_IP

OUTPUT FORMAT

SAM, NTDS and machine account ($MACHINE.ACC) entries use the pwdump format:
    USERNAME:RID:LMHASH:NTHASH:::
Entries obtained from a domain controller over DRSUAPI are prefixed with the domain (domain\USERNAME). An LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored; an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password.
Kerberos keys from NTDS.dit are printed one key per line after the "Kerberos keys grabbed" banner:
    domain\USERNAME:aes256-cts-hmac-sha1-96:KEY
    domain\USERNAME:aes128-cts-hmac-sha1-96:KEY
    domain\USERNAME:des-cbc-md5:KEY
Cached domain logons from the SECURITY hive appear as:
    DOMAIN/USERNAME:$DCC2$ITERATIONS#USERNAME#HASH
The NT hashes load directly into Hashcat (-m 1000) or John the Ripper (--format=NT) for offline dictionary or brute-force attacks, and cached credentials into Hashcat -m 2100 or John --format=mscash2. Cracking is optional for lateral movement: an NT hash can be used as-is with -hashes (pass-the-hash).

HISTORY

secretsdump.py is a key component of Impacket, an open-source collection of Python classes for working with network protocols such as SMB, MSRPC, Kerberos and DCE/RPC. Impacket was originally developed at Core Security Technologies, was maintained under the SecureAuth name after Core Security and SecureAuth merged, and is now published by Fortra (formerly HelpSystems, which acquired Core Security). secretsdump.py grew into one of its most widely used post-exploitation tools by combining those protocol implementations (remote registry, SMB file access and DRSUAPI replication) into a single credential dumping workflow, and it has been updated continuously to keep pace with new Windows versions and security features.

SEE ALSO

mimikatz, crackmapexec, netexec, impacket-psexec, impacket-GetNPUsers, impacket-reg
