Description
Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there.
| Field | Value |
|---|---|
| Platform | Python |
| Author | Alberto Solino |
| License | Modified Apache License 1.1 |
| URL | secretsdump.py |
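The description above notes that the tool saves copies of the SAM, SYSTEM and SECURITY hives under %SYSTEMROOT%\Temp on the target before reading them. The following is an added example (not code from Impacket or from this page) of a defender-side check over file-creation events that flags such saved hives, either by their content (every registry hive file begins with the ASCII magic `regf`) or, more weakly, by their name. The event schema (`host`, `process`, `path`, `header`), the default system root of `C:\Windows`, and the sample events are all assumptions constructed for this example rather than any sensor's real telemetry.

```python
# Added example (not code from Impacket or this page): a defender-side check for
# the behaviour the description above mentions, namely registry hives (SAM,
# SYSTEM, SECURITY) being saved under %SYSTEMROOT%\Temp on the target.
# The event schema (host/process/path/header) and the sample events are
# constructed for this example; they do not come from any specific sensor.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath
import re

# Every registry hive file starts with the ASCII magic "regf".
HIVE_SIGNATURE = b"regf"

# Hive names the description says are read from the registry and then saved.
HIVE_NAMES = {"sam", "system", "security"}


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str    # image that created the file
    path: str       # full path of the created file
    header: bytes   # first bytes of the file, as an assumed sensor field


def systemroot_temp_pattern(systemroot: str = r"C:\Windows") -> "re.Pattern[str]":
    """Case-insensitive matcher for files directly under <systemroot>\\Temp.
    %SYSTEMROOT% is C:\\Windows on most installs; pass the real value if it differs."""
    return re.compile(r"^" + re.escape(systemroot + "\\Temp\\"), re.IGNORECASE)


def named_like_hive(path: str) -> bool:
    """True when the basename (ignoring any extension) is sam/system/security."""
    stem = ntpath.basename(path).lower().split(".", 1)[0]
    return stem in HIVE_NAMES


def is_registry_hive(header: bytes) -> bool:
    """Content check: works whatever name the saved copy was given."""
    return header[:4] == HIVE_SIGNATURE


def classify(event: FileEvent, systemroot: str = r"C:\Windows") -> Optional[str]:
    """Return a reason string when the event looks like a saved hive, else None."""
    if not systemroot_temp_pattern(systemroot).match(event.path):
        return None
    if is_registry_hive(event.header):
        return "hive-content"      # strongest signal: the bytes are a hive
    if named_like_hive(event.path):
        return "hive-name"         # weaker: only the file name suggests a hive
    return None


def flag_hive_writes(events: List[FileEvent]) -> List[Tuple[FileEvent, str]]:
    """Filter a batch of file-creation events down to the suspicious ones."""
    flagged = []
    for event in events:
        reason = classify(event)
        if reason:
            flagged.append((event, reason))
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("ws01", "unknown.exe", r"C:\Windows\Temp\abcdefgh.tmp", b"regf\x00\x00\x00\x00"),
    FileEvent("ws01", "cmd.exe", r"C:\Windows\Temp\sam", b""),
    FileEvent("ws01", "msiexec.exe", r"C:\Windows\Temp\MSI12ab.LOG", b"MSI (s) (1C"),
    FileEvent("ws01", "notepad.exe", r"C:\Users\alice\Desktop\system.txt", b"regf"),
]

if __name__ == "__main__":
    for event, reason in flag_hive_writes(SAMPLE_EVENTS):
        print(f"{event.host}: {event.process} wrote {event.path} [{reason}]")
```

The content check is the one worth keeping in a real rule: a saved hive may carry any file name, but its first four bytes are always `regf`, so a sensor that records a file's leading bytes can spot it regardless of naming. The name check is only a fallback for telemetry that has no content field.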
Usage
```text
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                      [-target-ip ip address]
                      target

Performs various techniques to dump secrets from the remote machine without
executing any agent there.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)

optional arguments:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec

display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -keytab KEYTAB        Read keys for SPN from keytab file

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it
```
Examples
```shell
secretsdump.py -ntds ./ntds.dit -system ./system -outputfile /tmp/hashes.txt LOCAL
```

This will dump the hashes from a saved copy of ntds.dit using the encryption key in a saved copy of the SYSTEM hive.
Blog Posts