secretsdump.py

Purpose

The secretsdump.py tool from the Impacket suite extracts credential material from a remote Windows system over SMB. It retrieves NTLM password hashes, plaintext secrets where Windows stores them recoverably (for example service-account passwords held in LSA secrets), cached domain logon hashes and Kerberos keys from the Security Account Manager (SAM), the Local Security Authority (LSA) secrets in the SECURITY hive, and the NTDS.dit database of a Domain Controller. It is commonly used for post-exploitation in penetration tests to escalate privileges and pivot within a network.


How It Works

secretsdump.py combines several techniques:

  • Saving the SAM and SYSTEM registry hives through the Remote Registry service and reading them back over SMB; the SYSTEM hive yields the boot key needed to decrypt the local user password hashes stored in SAM.
  • Dumping LSA secrets and cached domain logon credentials from the SECURITY hive, decrypted with the same boot key.
  • Extracting domain credentials from the NTDS.dit database on a Domain Controller.

The SAM and LSA methods require local administrator rights on the target. For the domain case the tool does not need to read the NTDS.dit file at all: by default it uses the DRSUAPI replication protocol (the DCSync technique) to ask the Domain Controller to replicate each account's secrets, which requires an account holding the Replicating Directory Changes and Replicating Directory Changes All rights on the domain (Domain Admins and Domain Controllers hold them by default). The alternative -use-vss method copies NTDS.dit out of a Volume Shadow Copy and parses it offline.


Steps to Use secretsdump.py

1. Gather Required Information

  • The target system's IP address or hostname.
  • Valid credentials (username and password, or NTLM hashes): local administrator rights for SAM and LSA dumps, replication rights for NTDS.dit dumps.
  • The IP address of a Domain Controller (if targeting a domain).

2. Run the Command

Execute secretsdump.py with the appropriate arguments to retrieve credential data.


Command Syntax

secretsdump.py <domain>/<username>:<password>@<target> [-just-dc] [-just-dc-user <username>] [-dc-ip <DomainControllerIP>]
  • <domain>/<username>:<password>: The domain, username and password used to authenticate. For a local account use the machine name, a dot or a placeholder such as WORKGROUP as the domain; if the password is omitted the tool prompts for it.
  • @<target>: The IP address or hostname of the target machine.
  • -just-dc: Dumps only the NTDS.dit contents (domain NTLM hashes and Kerberos keys) from a Domain Controller; -just-dc-ntlm restricts this further to the NTLM hashes.
  • -just-dc-user <username>: Dumps the NTDS.dit entry for a single domain user (implies -just-dc; only available with the DRSUAPI method).
  • -dc-ip <DomainControllerIP>: (Optional) The IP address of the Domain Controller; if omitted, the domain part of the target is used.

Example Commands

Extract Local Credentials

To dump local SAM and LSA secrets from a system:

secretsdump.py WORKGROUP/Administrator:Password123@192.168.1.10

Extract Domain Credentials from NTDS.dit

To dump all domain credentials from a Domain Controller (the target must be a DC and the account must hold replication rights):

secretsdump.py example.com/Admin:Password123@192.168.1.100 -just-dc

Extract Specific Domain User Credentials

To target a specific user (e.g., johndoe):

secretsdump.py example.com/Admin:Password123@192.168.1.100 -just-dc-user johndoe

Additional Options

  • -hashes <LM_HASH>:<NT_HASH>: Authenticate with NTLM hashes (pass-the-hash) instead of a plaintext password. The LM part may be left empty or set to the empty-LM value aad3b435b51404eeaad3b435b51404ee, and the target is given without a password:
secretsdump.py example.com/Admin@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
  • -outputfile <prefix>: Writes the results to files named <prefix>.sam, <prefix>.secrets, <prefix>.cached and <prefix>.ntds for later cracking instead of only printing them.
  • -debug: Enables debug output for troubleshooting:
secretsdump.py example.com/Admin:Password123@192.168.1.100 -debug

Output

The output includes:

  • NTLM hashes (lmhash:nthash) of local and domain accounts, including machine accounts and krbtgt.
  • LSA secrets, which may include plaintext passwords for service accounts and scheduled tasks, the machine account password and DPAPI system keys.
  • Cached domain logon credentials (DCC2, also called mscash2) from the SECURITY hive, and Kerberos AES keys for domain accounts when dumping NTDS.dit.

The data can be saved with -outputfile and used for offline attacks or further exploitation: NT hashes can be used directly for pass-the-hash or cracked with hashcat (mode 1000), while DCC2 hashes cannot be passed and are much slower to crack (hashcat mode 2100).

Security Implications

secretsdump.py demonstrates the risks of weak configurations and improper credential management. To mitigate:

  • Use strong, unique passwords for all accounts, and manage local administrator passwords with LAPS so that a hash dumped from one host does not work on another.
  • Limit who holds local administrator rights, and restrict the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object to Domain Controllers and the few service accounts (such as directory synchronisation) that genuinely need them; these rights are all DCSync requires.
  • Restrict access to the SAM, SECURITY and SYSTEM hives and to NTDS.dit, and do not leave the Remote Registry service enabled where it is not needed.
  • Enable Directory Service Access auditing and alert on Security event 4662 whenever the replication extended rights are exercised by anything other than a Domain Controller account, and on suspicious account activity more generally.

By identifying potential weaknesses with secretsdump.py, organizations can proactively strengthen their systems against credential-based attacks.
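
As an added example (not Impacket code and not a ready-made rule from any product), the Python below implements the auditing point: it scans Windows Security event 4662 records for the Active Directory replication extended rights, which are what the DRSUAPI (DCSync) method behind -just-dc exercises, and raises an alert when the requesting principal is not one expected to replicate. The events are constructed, the allow list (DC machine accounts and a directory-sync service account) is an assumed environment-specific value, and replication_rights and triage are this example's own functions.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not Impacket code. The three property GUIDs are the documented
Active Directory replication extended rights; the events are constructed and
ACCOUNTS_ALLOWED_TO_REPLICATE is an assumed, environment-specific allow list.
"""
import re

# Extended rights the DRSUAPI (DCSync) method exercises on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # returns secrets
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (an extended right)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Assumed allow list: DC machine accounts and the directory-sync service account.
ACCOUNTS_ALLOWED_TO_REPLICATE = {"DC01$", "DC02$", "MSOL_4f1c2a9b8e7d"}

# Constructed 4662/4624 records, shaped like a log forwarder would deliver them.
# The second GUID in each Properties field is the object class of the target.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-03-01T09:00:01Z", "SubjectUserName": "DC02$",
     "SubjectDomainName": "EXAMPLE", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-03-01T09:12:44Z", "SubjectUserName": "johndoe",
     "SubjectDomainName": "EXAMPLE", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-03-01T09:12:45Z", "SubjectUserName": "johndoe",
     "SubjectDomainName": "EXAMPLE", "AccessMask": "0x10",  # Read Property, not an extended right
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:12:40Z", "SubjectUserName": "johndoe",
     "SubjectDomainName": "EXAMPLE", "LogonType": "3"},
    {"EventID": 4662, "TimeCreated": "2024-03-01T10:30:07Z", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "EXAMPLE", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]


def replication_rights(event):
    """Replication GUIDs named in a Control Access 4662 event, else an empty set."""
    if event.get("EventID") != 4662:
        return set()
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return set()
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    return guids & REPLICATION_GUIDS


def triage(events, allowed=ACCOUNTS_ALLOWED_TO_REPLICATE):
    """Alerts for replication rights used by principals not expected to replicate."""
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights or ev["SubjectUserName"] in allowed:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "rights": sorted(rights),
            # Get-Changes-All is the right that actually hands over password hashes.
            "severity": "high" if DS_REPLICATION_GET_CHANGES_ALL in rights else "medium",
        })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

These events only exist if Audit Directory Service Access is enabled for success and the domain object's SACL audits Control Access; secretsdump requests each account separately, so a full -just-dc run produces a burst of such events from one subject within seconds, which is worth aggregating rather than alerting on individually. The name-based allow list is the weak point of this check: pair it with the source address of the 4624 logon that preceded the request, since a DC machine account should only replicate from a DC's own address.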