> For the complete documentation index, see [llms.txt](https://www.impacket.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.impacket.wiki/reference/script-reference/credential-and-secrets-scripts.md).

# Credential & Secrets Scripts

This group covers scripts that extract, parse, or decrypt credential material. They are among the most powerful Impacket examples and should be studied carefully in a controlled lab.

## Script List

* `secretsdump.py` -- Dump SAM, LSA secrets, cached credentials, NTDS.dit (DCSync)
* `mimikatz.py` -- Limited mimikatz-style operations
* `dpapi.py` -- Decrypt DPAPI-protected secrets
* `dpapidump.py` -- Full DPAPI dump (master keys, credential files, vaults)
* `regsecrets.py` -- Extract secrets from offline registry hive files

## Main Scripts

| Script           | Purpose                                                                  | What to study                               |
| ---------------- | ------------------------------------------------------------------------ | ------------------------------------------- |
| `secretsdump.py` | Extracts SAM, LSA, NTDS, and related secrets through multiple techniques | Remote registry, DRSUAPI, VSS, parsing      |
| `dpapi.py`       | Demonstrates DPAPI and Vault structure handling                          | DPAPI masterkeys, vault parsing             |
| `dpapidump.py`   | Dumps DPAPI secrets remotely where possible                              | Remote collection and DPAPI decryption flow |
| `regsecrets.py`  | Extracts secrets from registry hives                                     | Offline registry parsing                    |
| `samedit.py`     | Replaces a local user's password in copies of the SAM and SYSTEM hives   | Offline SAM editing, hash replacement       |
| `mimikatz.py`    | Controls a remote Mimikatz RPC server                                    | SMB DCE/RPC, remote RPC shell behavior      |

## SecretsDump

`secretsdump.py` is one of the most widely used Impacket examples. It supports several extraction approaches and target types.

```bash
python examples/secretsdump.py CONTOSO/alice:'Passw0rd!'@dc01.contoso.local
```

With hashes:

```bash
python examples/secretsdump.py -hashes :8846f7eaee8fb117ad06bdd830b7586c CONTOSO/alice@dc01.contoso.local
```

Against local hive files:

```bash
python examples/secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
```

What it teaches:

* Remote registry access.
* DRSUAPI usage for domain controller replication-style extraction.
* Offline hive parsing.
* Bootkey and secret decryption flow.
* Output formatting for hashes and keys.

## DPAPI

`dpapi.py` and `dpapidump.py` demonstrate DPAPI data structures and decryption workflows.

```bash
python examples/dpapi.py
python examples/dpapidump.py CONTOSO/alice:'Passw0rd!'@host01.contoso.local
```

DPAPI work often requires multiple pieces of material: encrypted blobs, masterkeys, user secrets, machine secrets, or domain backup keys. These scripts are helpful because they show where those pieces fit.

## Registry Secrets

`regsecrets.py` focuses on extracting secrets from registry material.

```bash
python examples/regsecrets.py SYSTEM SECURITY SAM
```

Pair it with `registry-read.py` and `secretsdump.py` when learning the difference between generic hive parsing and credential-specific extraction.

## Considerations

Credential scripts can create logs, trigger security controls, or access sensitive secrets. In documentation and tooling, be precise about inputs and outputs. Avoid burying credential material in debug logs, exceptions, or saved files unless the user explicitly requested that behavior.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.impacket.wiki/reference/script-reference/credential-and-secrets-scripts.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
