{
	"id": "e436eb4b-014b-49ab-89f8-2033da526b17",
	"created_at": "2026-04-06T00:19:31.10017Z",
	"updated_at": "2026-04-10T03:21:28.594115Z",
	"deleted_at": null,
	"sha1_hash": "508872ee560c927c75560ebaf5d056b0226caab7",
	"title": "GitHub - C-Sto/gosecretsdump: Dump ntds.dit really fast",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46169,
	"plain_text": "GitHub - C-Sto/gosecretsdump: Dump ntds.dit really fast\r\nBy C-Sto\r\nArchived: 2026-04-05 21:21:19 UTC\r\nHave you been using Impacket to dump hashes out of (large) NTDS.dit files, and become increasingly frustrated\r\nat how long it takes? I sure have!\r\nAll credit for the original code to the impacket devs, it's much more complicated than I anticipated.\r\nThis is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please\r\nlet me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me\r\nto bash against.\r\nFeatures\r\nDumps dits very fast. Operations that usually take hours are now done in minutes.\r\nCan dump SAM/SYSTEM backups\r\nCan dump local SAM/SYSTEM (must be run as the machine account/SYSTEM)\r\nA somewhat usable interface for integration other other tooling (See lib example below)\r\nUsage\r\nYou will need to obtain the NTDS.dit and SYSTEM file from the target domain controller as normal. This won't\r\ndump anything remotely, just local (for now at least).\r\n -enabled\r\n Only output enabled accounts\r\n -history\r\n Include Password History\r\n -livesam\r\n Get hashes from live system. Only works on local machine hashes (SAM), only works on Windows.\r\n -noprint\r\n Don't print output to screen (probably use this with the -out flag)\r\n -ntds string\r\n Location of the NTDS file (required)\r\n -out string\r\n Location to export output\r\n -sam string\r\n Location of SAM registry hive\r\n -status\r\n Include status in hash output\r\n -stream\r\nhttps://github.com/C-Sto/gosecretsdump\r\nPage 1 of 3\n\nStream to files rather than writing in a block. Can be much slower.\r\n -system string\r\n Location of the SYSTEM file (required)\r\n -version\r\n Print version and exit\r\nExample (there is a test .dit and system file in this repo)\r\ngosecretsdump -ntds test/ntds.dit -system test/system\r\nComparison\r\nUsing a large-ish .dit file (approx 1gb)\r\nImpacket secretsdump.py\r\ntime ./secretsdump.py local -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM\r\n\u003csnip\u003e\r\n./secretsdump.py -system registry/SYSTEM -ntds local 1197.36s user 12.01s system 98% cpu 20:23.78 t\r\ngosecretsdump\r\ntime go run main.go -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM -ntds ~/\r\n\u003csnip\u003e\r\ngo run main.go -system -ntds 26.28s user 3.78s system 114% cpu 26.178 total\r\nLib\r\nSo you want to use this in your cool Go implant? that should be easy. The pattern for all the 'dumping' functions is\r\nas follows:\r\nnote It's likely that the api will undergo changes. I'll try to keep to semver, but please understand that I don't really\r\nhave any idea what I'm doing.\r\n//Create the reader flavour of your choice\r\ndr, err = samreader.New(\"C:\\\\pentest\\\\system.hive\", \"C:\\\\pentest\\\\sam.hive\")\r\nif err != nil {\r\n return err\r\n}\r\n//Get the output channel\r\ndataChan := dr.GetOutChan()\r\n//start dumping\r\ngo dr.Dump()\r\nhttps://github.com/C-Sto/gosecretsdump\r\nPage 2 of 3\n\n//read from the output channel (the channel will be closed once dumping is complete)\r\nwg := sync.WaitGroup{}\r\nwg.Add(1)\r\ngo func(){\r\n defer wg.Done() //This probably won't actually work, I can never remember if defer works on inl\r\n for dh := range dataChan{\r\n fmt.Println(\"%+v\\n\", dh)\r\n }\r\n}()\r\n//do other things while you wait\r\nwg.Wait()\r\nSource: https://github.com/C-Sto/gosecretsdump\r\nhttps://github.com/C-Sto/gosecretsdump\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/C-Sto/gosecretsdump"
	],
	"report_names": [
		"gosecretsdump"
	],
	"threat_actors": [],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/508872ee560c927c75560ebaf5d056b0226caab7.pdf",
		"text": "https://archive.orkl.eu/508872ee560c927c75560ebaf5d056b0226caab7.txt",
		"img": "https://archive.orkl.eu/508872ee560c927c75560ebaf5d056b0226caab7.jpg"
	}
}