SAM · SECURITY · SYSTEM · NTDS.dit

Dump Windows credentials, in your browser.

A faithful, fully client-side reimplementation of impacket's offline secretsdump.py — boot key, SAM NT/LM hashes, LSA secrets, cached domain logons (DCC2) and NTDS.dit domain hashes. Written in Rust, compiled to WebAssembly. Nothing ever leaves the page.

For education and authorized testing only. Only use hives you are permitted to analyze (your own lab, a sanctioned engagement, or a CTF).

Drop your hives here

Drag in SYSTEM, SAM, SECURITY and/or NTDS.dit, or click to choose. They're auto-detected; order and filenames don't matter.

Everything runs in your browser via WebAssembly. No file or hash ever leaves this page.

How it works — field notes

Read the blog
From the hashed boot key to a user's NT hash: the F and V structures, the RC4 vs AES storage formats, and the per-RID DES layer that wraps every Windows password hash.
The boot key is the root of all offline credential dumping. Here is where it lives, why it is scrambled across four registry keys, and how to reassemble it from the SYSTEM hive.
A domain controller stores every account hash in an ESE database. Here is how the datatable is laid out, how the Password Encryption Key is derived, and how each hash is unwrapped.