impacket-secretsdump and netexec. All three authentication methods (password, NTLM hash, Kerberos ccache) are supported.
Navigate to DATA → SecretsDump or the dedicated SecretsDump section in the sidebar.
Dump types
| Dump type | Tool | What it extracts |
|---|---|---|
| ntds | impacket-secretsdump | NTDS.dit — all domain user NTLM hashes via DRSUAPI replication |
| remote | impacket-secretsdump | SAM/LSA from a remote workstation/server |
| nxc-sam | netexec smb --sam | SAM hive (local accounts) from one or more targets |
| nxc-lsa | netexec smb --lsa | LSA secrets from one or more targets |
| nxc-ntds | netexec smb --ntds | NTDS via netexec with DRSUAPI or VSS method |
| custom | impacket-secretsdump | Custom flags passed by the user |
POST /api/secretsdump/run
Launches a SecretsDump operation asynchronously.
Request parameters
| Field | Type | Required | Description |
|---|---|---|---|
| dump_type | string | Yes | One of: ntds, remote, nxc-sam, nxc-lsa, nxc-ntds, custom |
| auth_type | string | No | password (default), hash, or kerberos |
| domain | string | Yes | Domain name (e.g. CORP.LOCAL) |
| username | string | Yes | Username to authenticate with |
| password | string | No | Plaintext password (when auth_type=password) |
| nt_hash | string | No | NT hash (when auth_type=hash) |
| ccache_path | string | No | Path to ccache file (when auth_type=kerberos) |
| dc_ip | string | Conditional | DC IP — required for ntds and nxc-ntds |
| target | string | Conditional | Target IP — required for remote, nxc-sam, nxc-lsa, custom |
| target_list | array | No | List of IPs for multi-target nxc-sam / nxc-lsa operations |
| extra_params | string | No | Extra flags appended to the command (only used with custom dump type) |
| ntds_method | string | No | drsuapi (default) or vss — applies to nxc-ntds only |
| ntds_scope | string | No | all (default), enabled, or user — applies to nxc-ntds only |
| ntds_user | string | No | Specific username to dump (when ntds_scope=user) |
Response
GET /api/secretsdump/output
Retrieve output from a running or completed SecretsDump operation.
| Query param | Description |
|---|---|
| file | Filename returned by the run endpoint |
| offset | Byte offset for incremental reads (default: 0) |
GET /api/secretsdump/status
Check whether a SecretsDump scan is currently running.
{"running": true, "scan": {...}} or {"running": false, "scan": null}.
Commands generated
- NTDS dump (password)
- NTDS dump (hash)
- NTDS dump (Kerberos)
- NXC SAM dump
- NXC NTDS (VSS)
Output files
| Pattern | Contents |
|---|---|
| recon/secretsdump_<timestamp>.txt | Full tool output log |
| recon/ntds_<timestamp>.ntds | Raw NTDS hashes (ntds dump type only) |
| recon/ntds_<timestamp>_stripped.ntds | Cleaned NTDS file with disabled accounts removed |
For ntds dumps, the output file (recon/ntds_<timestamp>.ntds) contains all NTLM hashes in secretsdump format: DOMAIN\user:RID:lmhash:nthash:::. This file can be imported directly into the credentials database via DATA → Credentials → Import from file.
Workflow: Full domain dump
Obtain DA credentials
Use Kerberoast, ESC1, AS-REP Roast, or another method to obtain Domain Admin credentials. Save them to the credentials database.
Run NTDS dump
Open SecretsDump. Select dump type ntds, select your DA credentials from the Saved Credentials dropdown, confirm the DC IP, and click Run.
Monitor output
The output panel streams the secretsdump output as it runs. The DRSUAPI replication approach (default) is faster than VSS for most environments.
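The secretsdump line format given under Output files (DOMAIN\user:RID:lmhash:nthash:::) can be parsed to turn a dump into password-hygiene findings for the assessment report. This is an added example, not code from the tool described here; the function names and sample lines are constructed assumptions, and the two constants are the standard LM and NT hashes of an empty password.

```python
import re
from collections import defaultdict
# Standard LM and NT hashes of the empty string (no LM hash stored / blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# [DOMAIN\]user:RID:lmhash:nthash:::  (the domain prefix is absent for local accounts)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::")

def parse_line(line):
    """Return one parsed record, or None for tool log lines and malformed rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(rid=int(rec["rid"]), lm=rec["lm"].lower(), nt=rec["nt"].lower())
    rec["machine"] = rec["user"].endswith("$")
    return rec

def audit(lines):
    """Summarise hygiene findings by account name; hash values are never returned."""
    records = [r for r in map(parse_line, lines) if r]
    by_nt = defaultdict(list)
    for r in records:
        # Machine accounts and blank passwords are excluded from reuse grouping.
        if not r["machine"] and r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])
    return {
        "accounts": len(records),
        "empty_password": sorted(r["user"] for r in records if r["nt"] == EMPTY_NT),
        "lm_hash_stored": sorted(r["user"] for r in records if r["lm"] != EMPTY_LM),
        "shared_password": sorted(sorted(u) for u in by_nt.values() if len(u) > 1),
    }

# Constructed sample: account names and hash values are made up for illustration.
SAMPLE = [
    "[*] Using the DRSUAPI method to get NTDS.DIT secrets",
    rf"CORP.LOCAL\Administrator:500:{EMPTY_LM}:{'1' * 32}:::",
    rf"CORP.LOCAL\Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    rf"CORP.LOCAL\svc_backup:1105:{EMPTY_LM}:{'2' * 32}:::",
    rf"CORP.LOCAL\jsmith:1106:{EMPTY_LM}:{'2' * 32}:::",
    rf"CORP.LOCAL\legacy_app:1107:{'3' * 32}:{'4' * 32}:::",
    rf"CORP.LOCAL\WS01$:1108:{EMPTY_LM}:{'5' * 32}:::",
    r"CORP.LOCAL\broken:1109:nothex:::",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```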