Extract Windows Hashes Offline

If you have the SAM and SYSTEM files, you can use the impacket-secretsdump script to dump the hashes.

The SAM and SYSTEM files are located at C:\Windows\System32\config\

impacket-secretsdump -sam SAM -system SYSTEM local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

### Results will be here ;)

# Explaining the arguments
positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse

PreviousPost-Exploitation NextDumping Domain Password Hashes

Last updated 4 years ago