Owlglass

Impacket - Secrets Dump

secretsdump is a tool in the Impacket collection that extracts account secrets from a Windows domain — typically NT/NTLM password hashes, cached credentials, and other LSA secrets. It supports multiple modes (offline extraction from files, or remote extraction using replication/LSA APIs). The important point: the tool reads encrypted credential data and then uses system key material to decrypt it so the raw hashes/credentials become visible.

NTDS.dit

NTDS.dit is the main Active Directory database (an Extensible Storage Engine / ESE database).

It contains the domain's objects: users, groups and computer accounts, and, importantly, the credential material stored with those objects (NTLM hashes and other secret attributes), plus further secret blobs that AD itself uses.

The credential data inside NTDS.dit is not stored in plaintext: the hash attributes are stored encrypted with key material derived from the machine's BootKey (see the SYSTEM hive below), so the file on its own does not reveal usable hashes.
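The statement above that NTDS.dit is an ESE database has a practical consequence for anyone handling a copy of it, whether an incident responder triaging a suspicious file or an administrator validating a backup: the file carries a fixed ESE header that identifies it and records whether the database was shut down cleanly. The following is an added example, not code from the page or from Impacket, that reads the public ESE/JET header fields (signature at offset 4, format version and file type at 8, database state at 52, page size at 236) and reports whether the copy needs repair before any parser can open it. The header bytes are constructed by the helper in the block, not taken from a real domain controller.

```python
"""
Added example (not part of the original page): recognise an Extensible Storage
Engine database from its header and report the fields a forensic analyst checks
before parsing a copy of NTDS.dit. Offsets follow the public ESE/JET header
layout; the sample header is constructed, not captured from a real system.
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF   # magic value at offset 4 of every ESE database
HEADER_MIN_LEN = 240         # enough to cover the page-size field at offset 236

# Database state values from the ESE header. A Volume Shadow Copy or backup
# image of NTDS.dit is frequently in "dirty shutdown" state and must be
# repaired (esentutl /r, /p) before any parser can read it.
DB_STATE = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def parse_ese_header(data: bytes) -> dict:
    """Return the header fields relevant to triage, or raise ValueError."""
    if len(data) < HEADER_MIN_LEN:
        raise ValueError("too short for an ESE header")
    (signature,) = struct.unpack_from("<I", data, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature)")
    version, file_type = struct.unpack_from("<II", data, 8)
    (state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return {
        "format_version": version,
        "file_type": "database" if file_type == 0 else f"other ({file_type})",
        "state": DB_STATE.get(state, f"unknown ({state})"),
        # only a clean shutdown (3) is safe to parse as-is
        "needs_repair": state != 3,
        "page_size": page_size,
    }


def build_sample_header(state: int, page_size: int = 8192) -> bytes:
    """Construct a minimal header populated only in the fields parsed above.

    8192 is the page size used by NTDS.dit; 0x620 is the usual ESE format
    version. Everything else is left zeroed, which a real file would not be.
    """
    buf = bytearray(HEADER_MIN_LEN)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<II", buf, 8, 0x620, 0)   # format version, type 0 = database
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    # To triage a real file: parse_ese_header(open(path, "rb").read(HEADER_MIN_LEN))
    for state in (2, 3):
        print(parse_ese_header(build_sample_header(state)))
```

Run against a real file by reading its first 240 bytes; a result of `needs_repair: True` on a shadow-copy image is expected, not a sign of corruption.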

SYSTEM (the SYSTEM registry hive)

The SYSTEM hive (the offline file is typically C:\Windows\System32\config\SYSTEM) contains the machine’s BootKey (sometimes called the syskey) and other registry data.

That BootKey, together with further key material derived from the machine's LSA/DPAPI keys, is what decrypts the secrets the system stores in the registry, the LSA secrets, and the encrypted hash attributes in NTDS.dit. Without the SYSTEM hive (or the equivalent keys), the encrypted blobs in NTDS.dit cannot be trivially decrypted, which is why secretsdump's offline mode requires both files.

Where those files are found in AD environments

NTDS.dit (on a Domain Controller)

  • Default path on a DC: C:\Windows\NTDS\NTDS.dit (or a custom NTDS folder if the DC was configured differently).

  • Only domain controllers host the authoritative NTDS.dit for the domain.

SYSTEM hive (on any Windows system)

  • On a running system the hive is loaded into the registry under HKLM\SYSTEM, and the on-disk file lives at C:\Windows\System32\config\SYSTEM.

  • Copies of the SYSTEM hive can also be obtained from offline backups or from Volume Shadow Copies.

The SAM and SECURITY hives (also in C:\Windows\System32\config\) contain additional secrets for local accounts and LSA secrets; secretsdump can use those as well for local/standalone machines.

Volume Shadow Copy snapshots and Windows Backup files are common sources attackers use to get offline copies of these hives and the NTDS database.
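The two collection paths the text describes, remote extraction over the directory replication API and offline copies taken through Volume Shadow Copies or backups, each leave a distinct trace in Windows event logs, and that is where a defender should look. The following is an added example, not code from the page or from Impacket, that scans constructed Windows Security event records for both: event 4662 object-access audits carrying the DS-Replication-Get-Changes control-access GUIDs from a principal that is not a known domain controller (the replication-based mode), and event 4688 process-creation records for shadow-copy or NTDS export commands. The DC allowlist, the hostnames and the log records are all constructed for the example.

```python
"""
Added example (not part of the original page): flag the two collection paths
discussed in the text from Windows Security event records. Records, host names
and the DC allowlist below are constructed for illustration.
"""
import re

# Control-access rights that directory replication requires. A 4662 audit
# carrying one of these for a principal that is not a DC is the classic
# signal that replication APIs are being used to pull secrets remotely.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allowlist of the domain's DC machine accounts; real DCs
# legitimately replicate with each other and must not be flagged.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Command lines that create shadow copies or export NTDS offline; these are
# the sources of offline hive/NTDS copies the text mentions.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    re.compile(r"\bdiskshadow(\.exe)?\b", re.I),
    re.compile(r"ntdsutil(\.exe)?.*\b(ifm|snapshot)\b", re.I),
]


def check_replication(event: dict):
    """Return a finding string for a suspicious 4662, else None."""
    if event.get("EventID") != 4662:
        return None
    props = event.get("Properties", "").lower()
    hits = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not hits:
        return None
    user = event.get("SubjectUserName", "")
    if user in KNOWN_DC_ACCOUNTS:
        return None
    return f"replication rights used by non-DC principal {user}: {', '.join(hits)}"


def check_shadow_copy(event: dict):
    """Return a finding string for a shadow-copy / NTDS export command, else None."""
    if event.get("EventID") != 4688:
        return None
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
        return f"shadow-copy or NTDS export command on {event.get('Computer')}: {cmd}"
    return None


def scan(events):
    """Run every check over every record; returns [(EventID, finding), ...]."""
    findings = []
    for ev in events:
        for check in (check_replication, check_shadow_copy):
            msg = check(ev)
            if msg:
                findings.append((ev["EventID"], msg))
    return findings


# Constructed sample records (field names follow the Security log schema).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # DC-to-DC: benign
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # user account: flag
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},          # unrelated GUID
    {"EventID": 4688, "Computer": "DC01",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},             # flag
    {"EventID": 4688, "Computer": "WS07",
     "CommandLine": "C:\\Windows\\System32\\notepad.exe"},             # benign
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

Event 4662 is only emitted when auditing of directory service access is enabled on the domain controllers, so the replication check is silent in environments that have not turned that audit policy on; that absence is itself worth fixing.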