def decKrbtgt(hiveFile, hashFile):
    """Print the decrypted hash of the ``krbtgt`` record found in *hashFile*.

    Args:
        hiveFile: Path to the SYSTEM registry hive; handed to ``get_syskey``
            (defined elsewhere in the file) to derive the boot key.
        hashFile: Path to a text dump of the ``datatable`` (see the usage
            text at the bottom of the file). It is read into memory whole.

    Side effects:
        Prints whatever ``decUserHash`` returns (Python 2 ``print``
        statement). Nothing is returned.

    NOTE(review): this listing was recovered from one collapsed line, so the
    nesting below is reconstructed; the final ``print`` is placed after the
    record loop (inside it, it would print once per record) - confirm
    against the original indentation.
    """
    # Boot key comes from the SYSTEM hive via a helper defined elsewhere.
    bootkey = get_syskey(hiveFile)
    # The dump is read whole. The handle is closed explicitly; an exception
    # from read() would leave it open (no with/finally here).
    f = open(hashFile)
    raw = f.read()
    f.close()
    krbtgt_acct = None      # assigned but never read in this function
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None
    # Records are delimited by the literal substring "ATTm3" - every
    # occurrence, so longer tags that begin with ATTm3 also split. The text
    # before the first delimiter is yielded by split() as well and is
    # examined like any other record.
    accts = raw.split("ATTm3")
    for acct in accts:
        if "ATTk590689" in acct:
            # Record carrying the ATTk590689 line, treated as the PEK (per
            # the variable name). The value is the second ':'-separated
            # field of that line with whitespace and surrounding single
            # quotes removed; if several records carry it, the last wins.
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')
        elif "u\'krbtgt\'" in acct and "ATTk589914" in acct:
            # The krbtgt record is matched on the repr-style text u'krbtgt'
            # plus the presence of ATTk589914. ATTr589970 is taken as the
            # RID and ATTk589914 as the NTLM hash value (per the variable
            # names); both are parsed the same way as the PEK line.
            for part in acct.split('\n'):
                if part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589914"):
                    rawNTLMhash = part.split(":")[1].strip().strip('\'')
    # The LM-hash argument is passed as "". Any value not found above is
    # passed through as None; nothing here checks for that case.
    print decUserHash(bootkey, rawPekKey, "krbtgt", rawRID, "", rawNTLMhash)
def decKrbtgt(hiveFile, hashFile):
    """Print the decrypted hash of the ``krbtgt`` record found in *hashFile*.

    Args:
        hiveFile: Path to the SYSTEM registry hive; handed to ``get_syskey``
            (defined elsewhere in the file) to derive the boot key.
        hashFile: Path to a text dump of the ``datatable`` (see the usage
            text at the bottom of the file). It is read into memory whole.

    Side effects:
        Prints whatever ``decUserHash`` returns (Python 2 ``print``
        statement). Nothing is returned.

    NOTE(review): this listing was recovered from one collapsed line, so the
    nesting below is reconstructed; the final ``print`` is placed after the
    record loop (inside it, it would print once per record) - confirm
    against the original indentation.
    """
    # Boot key comes from the SYSTEM hive via a helper defined elsewhere.
    bootkey = get_syskey(hiveFile)
    # The dump is read whole. The handle is closed explicitly; an exception
    # from read() would leave it open (no with/finally here).
    f = open(hashFile)
    raw = f.read()
    f.close()
    krbtgt_acct = None      # assigned but never read in this function
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None
    # Records are delimited by the literal substring "ATTm3" - every
    # occurrence, so longer tags that begin with ATTm3 also split. The text
    # before the first delimiter is yielded by split() as well and is
    # examined like any other record.
    accts = raw.split("ATTm3")
    for acct in accts:
        if "ATTk590689" in acct:
            # Record carrying the ATTk590689 line, treated as the PEK (per
            # the variable name). The value is the second ':'-separated
            # field of that line with whitespace and surrounding single
            # quotes removed; if several records carry it, the last wins.
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')
        elif "u\'krbtgt\'" in acct and "ATTk589914" in acct:
            # The krbtgt record is matched on the repr-style text u'krbtgt'
            # plus the presence of ATTk589914. ATTr589970 is taken as the
            # RID and ATTk589914 as the NTLM hash value (per the variable
            # names); both are parsed the same way as the PEK line.
            for part in acct.split('\n'):
                if part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589914"):
                    rawNTLMhash = part.split(":")[1].strip().strip('\'')
    # The LM-hash argument is passed as "". Any value not found above is
    # passed through as None; nothing here checks for that case.
    print decUserHash(bootkey, rawPekKey, "krbtgt", rawRID, "", rawNTLMhash)
def decUserHashHistories(hiveFile, hashFile):
    """Print the decrypted hash histories of every record that carries one.

    Args:
        hiveFile: Path to the SYSTEM registry hive; handed to ``get_syskey``
            (defined elsewhere in the file) to derive the boot key.
        hashFile: Path to a text dump of the ``datatable`` (see the usage
            text at the bottom of the file). It is read into memory whole.

    Side effects:
        Prints each item returned by ``decUserHashHistory`` (Python 2
        ``print`` statement), one per line. Nothing is returned.

    NOTE(review): this listing was recovered from one collapsed line, so the
    nesting below is reconstructed; the ``decUserHashHistory`` call is
    placed inside the ``elif`` branch after the per-line scan, i.e. once per
    matching record - confirm against the original indentation.
    """
    # Boot key comes from the SYSTEM hive via a helper defined elsewhere.
    bootkey = get_syskey(hiveFile)
    # The dump is read whole. The handle is closed explicitly; an exception
    # from read() would leave it open (no with/finally here).
    f = open(hashFile)
    raw = f.read()
    f.close()
    krbtgt_acct = None      # assigned but never read in this function
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None      # assigned but never read in this function
    rawLMhash = None        # assigned but never read in this function
    rawNTLMhashHistory = None
    rawLMhashHistory = None
    # Records are delimited by the literal substring "ATTm3" - every
    # occurrence, so longer tags that begin with ATTm3 also split. The text
    # before the first delimiter is yielded by split() as well.
    accts = raw.split("ATTm3")
    for acct in accts:
        if "ATTk590689" in acct:
            # Record carrying the ATTk590689 line, treated as the PEK (per
            # the variable name). The value is the second ':'-separated
            # field of that line with whitespace and surrounding single
            # quotes removed; if several records carry it, the last wins.
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')
        # Only records that contain an ATTk589918 line (the NTLM history,
        # per the variable name) are examined further.
        elif "ATTk589918" in acct:
            # NOTE(review): name, rawRID, rawLMhashHistory and
            # rawNTLMhashHistory are not reset per record, so a record that
            # lacks one of these lines inherits the previous record's value,
            # and `name` is unbound (NameError) if the first matching record
            # has no ATTm590045 line.
            parts = acct.split('\n')
            for part in parts:
                if part.startswith("ATTm590045"):
                    # Account name: second ':' field, whitespace stripped,
                    # first character dropped, then single quotes stripped.
                    # The dropped character is presumably the 'u' of a
                    # repr'd unicode string (cf. the u'krbtgt' literal
                    # matched elsewhere in this file) - confirm.
                    name = part.split(":")[1].strip()[1:].strip('\'')
                elif part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589984"):
                    rawLMhashHistory = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589918"):
                    rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')
            # Decrypt this record's histories once all its lines are scanned.
            # rawPekKey is passed as None if no PEK record preceded this one.
            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
            for history in histories:
                print history
def decUserHashHistories(hiveFile, hashFile):
    """Print the decrypted hash histories of every record that carries one.

    Args:
        hiveFile: Path to the SYSTEM registry hive; handed to ``get_syskey``
            (defined elsewhere in the file) to derive the boot key.
        hashFile: Path to a text dump of the ``datatable`` (see the usage
            text at the bottom of the file). It is read into memory whole.

    Side effects:
        Prints each item returned by ``decUserHashHistory`` (Python 2
        ``print`` statement), one per line. Nothing is returned.

    NOTE(review): this listing was recovered from one collapsed line, so the
    nesting below is reconstructed; the ``decUserHashHistory`` call is
    placed inside the ``elif`` branch after the per-line scan, i.e. once per
    matching record - confirm against the original indentation.
    """
    # Boot key comes from the SYSTEM hive via a helper defined elsewhere.
    bootkey = get_syskey(hiveFile)
    # The dump is read whole. The handle is closed explicitly; an exception
    # from read() would leave it open (no with/finally here).
    f = open(hashFile)
    raw = f.read()
    f.close()
    krbtgt_acct = None      # assigned but never read in this function
    rawPekKey = None
    rawRID = None
    rawNTLMhash = None      # assigned but never read in this function
    rawLMhash = None        # assigned but never read in this function
    rawNTLMhashHistory = None
    rawLMhashHistory = None
    # Records are delimited by the literal substring "ATTm3" - every
    # occurrence, so longer tags that begin with ATTm3 also split. The text
    # before the first delimiter is yielded by split() as well.
    accts = raw.split("ATTm3")
    for acct in accts:
        if "ATTk590689" in acct:
            # Record carrying the ATTk590689 line, treated as the PEK (per
            # the variable name). The value is the second ':'-separated
            # field of that line with whitespace and surrounding single
            # quotes removed; if several records carry it, the last wins.
            for part in acct.split('\n'):
                if part.startswith("ATTk590689"):
                    rawPekKey = part.split(":")[1].strip().strip('\'')
        # Only records that contain an ATTk589918 line (the NTLM history,
        # per the variable name) are examined further.
        elif "ATTk589918" in acct:
            # NOTE(review): name, rawRID, rawLMhashHistory and
            # rawNTLMhashHistory are not reset per record, so a record that
            # lacks one of these lines inherits the previous record's value,
            # and `name` is unbound (NameError) if the first matching record
            # has no ATTm590045 line.
            parts = acct.split('\n')
            for part in parts:
                if part.startswith("ATTm590045"):
                    # Account name: second ':' field, whitespace stripped,
                    # first character dropped, then single quotes stripped.
                    # The dropped character is presumably the 'u' of a
                    # repr'd unicode string (cf. the u'krbtgt' literal
                    # matched elsewhere in this file) - confirm.
                    name = part.split(":")[1].strip()[1:].strip('\'')
                elif part.startswith("ATTr589970"):
                    rawRID = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589984"):
                    rawLMhashHistory = part.split(":")[1].strip().strip('\'')
                elif part.startswith("ATTk589918"):
                    rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')
            # Decrypt this record's histories once all its lines are scanned.
            # rawPekKey is passed as None if no PEK record preceded this one.
            histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
            for history in histories:
                print history
# NOTE(review): the three statements below repeat the tail of
# decUserHashHistories but sit at module level in this listing, where
# bootkey, rawPekKey, name, rawRID and the two history values are unbound.
# This looks like an artefact of the collapsed paste - confirm against the
# original file before treating it as real top-level code.
histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
for history in histories:
    print history
# Command-line dispatch (Python 2 print statements). The argument count
# selects the mode; argv[0] is the script name, so 3 means two user args.
if len(sys.argv) == 3:
    # <system hive> <hash file>: decUserHashes is defined elsewhere in the file.
    decUserHashes(sys.argv[1], sys.argv[2])
elif len(sys.argv) == 4:
    # Only "-history" (case-insensitive) is tested; any other third
    # argument, not just the "-krbtgt" the usage text shows, falls through
    # to decKrbtgt.
    if (sys.argv[3].lower() == "-history"):
        decUserHashHistories(sys.argv[1], sys.argv[2])
    else:
        decKrbtgt(sys.argv[1], sys.argv[2])
elif len(sys.argv) == 5:
    # Raw mode: <rawPekKey> <rawRid> <rawNTLMhash> supplied directly.
    # NOTE(review): the call reads `bootKey` while the line above binds
    # `bootkey`, it passes five positional arguments where the other
    # decUserHash call site in this file passes six, and its result is not
    # printed. This branch looks inconsistent with the rest of the file -
    # confirm the intended signature.
    bootkey = get_syskey(sys.argv[1])
    decUserHash(bootKey, sys.argv[2], "user", sys.argv[3], sys.argv[4])
else:
    # Usage text; exits with status 1. The grep pattern lists ATTm590045
    # twice, and ATTk589879 is grepped for but not parsed by the functions
    # visible in this listing.
    print "\nFirst dump the datatable using esentutl.py:"
    print "\tesentutl.py /path/to/ntds.dit export -table datatable | grep -E \"ATTk590689|ATTm3|ATTm590045|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918\" > outfile.txt\n"
    print "Then : %s <system hive> <hash file>" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -krbtgt" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -history" % sys.argv[0]
    print "\tor : %s <system hive> <rawPekKey> <rawRid> <rawNTLMhash>\n" % sys.argv[0]
    sys.exit(1)
# NOTE(review): the four statements below repeat the tail of
# decUserHashHistories but sit at module level in this listing, where
# part, bootkey, rawPekKey, name, rawRID and rawLMhashHistory are unbound.
# This looks like an artefact of the collapsed paste - confirm against the
# original file before treating it as real top-level code.
rawNTLMhashHistory = part.split(":")[1].strip().strip('\'')
histories = decUserHashHistory(bootkey, rawPekKey, name, rawRID, rawLMhashHistory, rawNTLMhashHistory)
for history in histories:
    print history
# Command-line dispatch (Python 2 print statements). The argument count
# selects the mode; argv[0] is the script name, so 3 means two user args.
if len(sys.argv) == 3:
    # <system hive> <hash file>: decUserHashes is defined elsewhere in the file.
    decUserHashes(sys.argv[1], sys.argv[2])
elif len(sys.argv) == 4:
    # Only "-history" (case-insensitive) is tested; any other third
    # argument, not just the "-krbtgt" the usage text shows, falls through
    # to decKrbtgt.
    if (sys.argv[3].lower() == "-history"):
        decUserHashHistories(sys.argv[1], sys.argv[2])
    else:
        decKrbtgt(sys.argv[1], sys.argv[2])
elif len(sys.argv) == 5:
    # Raw mode: <rawPekKey> <rawRid> <rawNTLMhash> supplied directly.
    # NOTE(review): the call reads `bootKey` while the line above binds
    # `bootkey`, it passes five positional arguments where the other
    # decUserHash call site in this file passes six, and its result is not
    # printed. This branch looks inconsistent with the rest of the file -
    # confirm the intended signature.
    bootkey = get_syskey(sys.argv[1])
    decUserHash(bootKey, sys.argv[2], "user", sys.argv[3], sys.argv[4])
else:
    # Usage text; exits with status 1. The grep pattern lists ATTm590045
    # twice, and ATTk589879 is grepped for but not parsed by the functions
    # visible in this listing.
    print "\nFirst dump the datatable using esentutl.py:"
    print "\tesentutl.py /path/to/ntds.dit export -table datatable | grep -E \"ATTk590689|ATTm3|ATTm590045|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918\" > outfile.txt\n"
    print "Then : %s <system hive> <hash file>" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -krbtgt" % sys.argv[0]
    print "\tor : %s <system hive> <hash file> -history" % sys.argv[0]
    print "\tor : %s <system hive> <rawPekKey> <rawRid> <rawNTLMhash>\n" % sys.argv[0]
    sys.exit(1)