opexxx

dshashes.py

Jun 13th, 2014
  1. # This file was derived from dsusers.py, which is part of ntdsxtract.
  2. #
  3. # ntdsxtract is free software: you can redistribute it and/or modify
  4. # it under the terms of the GNU General Public License as published by
  5. # the Free Software Foundation, either version 3 of the License, or
  6. # (at your option) any later version.
  7. #
  8. # ntdsxtract is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11. # GNU General Public License for more details.
  12. #
  13. # You should have received a copy of the GNU General Public License
  14. # along with ntdsxtract.  If not, see <http://www.gnu.org/licenses/>.
  15.  
  16. '''
  17. @editor:        LaNMaSteR53
  18. @author:        Csaba Barta
  19. @license:       GNU General Public License 2.0 or later
  20. @contact:       csaba.barta@gmail.com
  21. '''
  22.  
import sys

from ntds.dsdatabase import *
from ntds.dsrecord import *
from ntds.dslink import *
from ntds.dstime import *
from ntds.dsobjects import *
  28.  
def usage():
    """Print the DSHashes command-line help to standard output."""
    help_lines = (
        "DSHashes",
        "Extracts user hashes in a user-friendly format\n",
        "usage: %s <datatable> <linktable> [option]" % sys.argv[0],
        "  options:",
        "    --rid <user rid>",
        "          List user identified by RID",
        "    --name <user name>",
        "          List user identified by Name",
        "    --passwordhashes <system hive>",
        "          Extract password hashes",
        "    --passwordhistory <system hive>",
        "          Extract password history",
        "    --exclude-disabled",
        "          Exclude disabled accounts from output",
    )
    # One print per entry keeps the output identical to printing each
    # line separately.
    for help_line in help_lines:
        print(help_line)
  44.  
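# Both positional arguments (<datatable> and <linktable>) are mandatory.
if len(sys.argv) < 3:
    usage()
    sys.exit(1)

# Option state filled in by the scan below.
rid = -1         # -1 means "do not filter by RID"
name = ""        # empty means "do not filter by name"
syshive = ""     # path supplied with --passwordhashes / --passwordhistory
pwdump = False
pwhdump = False
optid = 0
# Pure presence flag, so it is evaluated once instead of on every pass
# of the scan loop.
excl_dsbl = '--exclude-disabled' in sys.argv


def _option_value(position):
    """Return the argument that follows sys.argv[position].

    Prints the usage text and exits with status 1 when the command line
    is too short for an option with a value, or when the option is the
    last argument and therefore has no value after it.
    """
    if len(sys.argv) < 5 or position + 1 >= len(sys.argv):
        usage()
        sys.exit(1)
    return sys.argv[position + 1]


print("Running with options:")
for optid, opt in enumerate(sys.argv):
    if opt == "--rid":
        try:
            rid = int(_option_value(optid))
        except ValueError:
            # A non-numeric RID is a usage error, not a traceback.
            usage()
            sys.exit(1)
        print("\tUser RID: %d" % rid)
    elif opt == "--name":
        name = _option_value(optid)
        print("\tUser name: %s" % name)
    elif opt == "--passwordhashes":
        syshive = _option_value(optid)
        pwdump = True
        print("\tExtracting password hashes")
    elif opt == "--passwordhistory":
        syshive = _option_value(optid)
        pwhdump = True
        print("\tExtracting password history")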
  87.  
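# Open the two tables named on the command line:
# argv[1] is <datatable>, argv[2] is <linktable>.
db = dsInitDatabase(sys.argv[1])
dl = dsInitLinks(sys.argv[2])

# Hash output needs the system hive passed with --passwordhashes or
# --passwordhistory. dsInitEncryption presumably derives the decryption
# key from it -- confirm in the ntds package.
if pwdump or pwhdump:
    dsInitEncryption(syshive)

# Resolve the type id of the "Person" class; -1 is treated as "not found".
utype = dsGetTypeIdByTypeName(db, "Person")
if utype == -1:
    print("Unable to get type id for Person")
    # Exit non-zero so that wrappers and scripts can tell the run failed.
    sys.exit(1)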
  99.  
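# LM hash of an empty password; printed in the LM column when the account
# has no LM hash stored.
EMPTY_LM_HASH = 'aad3b435b51404eeaad3b435b51404ee'
# LM and NT hashes of the string 'password'. History lines carry only one
# real hash each, so the opposite column is filled with these placeholders
# (see the note printed at the end of the run).
LM_HASH_OF_PASSWORD = 'E52CAC67419A9A224A3B108F3FA6CB6D'
NT_HASH_OF_PASSWORD = '8846F7EAEE8FB117AD06BDD830B7586C'

# The lines printed below are credential material; keep any captured
# output access-restricted.
print("\nList of hashes:")
print("==============")
# presumably iterating dsMapLineIdByRecordId yields record ids -- it comes
# from the ntds star imports; confirm there
for recordid in dsMapLineIdByRecordId:
    # Only records whose type matches the "Person" type id are users.
    if int(dsGetRecordType(db, recordid)) != utype:
        continue
    user = dsUser(db, recordid)

    # Optional filters from --rid, --name and --exclude-disabled.
    if rid != -1 and user.SID.RID != rid:
        continue
    if name != "" and user.Name != name:
        continue
    if excl_dsbl and 'Disabled' in user.getUserAccountControl():
        continue

    if pwdump:
        (lm, nt) = user.getPasswordHashes()
        # Accounts without an NT hash produce no line at all.
        if nt != '':
            lmhash = lm if lm != '' else EMPTY_LM_HASH
            print("%s:%s:%s:%s:::" % (user.SAMAccountName, user.SID.RID, lmhash, nt))

    if pwhdump:
        (lmhistory, nthistory) = user.getPasswordHistory()
        # LM history is printed only when NT history exists as well.
        if nthistory is not None:
            for hashid, nthash in enumerate(nthistory):
                print("%s_nthistory%d:%s:%s:%s:::" % (
                    user.SAMAccountName, hashid, user.SID.RID,
                    LM_HASH_OF_PASSWORD, nthash))
            if lmhistory is not None:
                for hashid, lmhash in enumerate(lmhistory):
                    print("%s_lmhistory%d:%s:%s:%s:::" % (
                        user.SAMAccountName, hashid, user.SID.RID,
                        lmhash, NT_HASH_OF_PASSWORD))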
  141.  
# Closing note for --passwordhistory runs: explains the placeholder hash
# that fills the opposite column of every history line.
if pwhdump:
    for note_line in (
        "\n[*] NOTE: NT and LM hashes are shown on individual lines with the respective hash of 'password' in the opposing position.",
        "This is done in order to make sure the output plays nice with various hash cracking tools. Account for this when cracking historical hashes.\n",
    ):
        print(note_line)