Stars: 882 (rank 51,756, top 2%)
Language: Python
License: MIT License
Created about 8 years ago; updated over 2 years ago

Domain Password Audit Tool for Pentesters

Domain Password Audit Tool (DPAT)

This is a Python script that generates password-use statistics from password hashes dumped from a domain controller together with a password crack file, such as the hashcat.potfile produced by Hashcat during cracking. The output is an HTML report with clickable links.

A full video tutorial and demo can be viewed here: http://www.blackhillsinfosec.com/?p=5527.

You can run the Python script as follows.

dpat.py -n customer.ntds -c hashcat.potfile -g "Domain Admins.txt" "Enterprise Admins.txt"

The two required parameters are the hashes extracted from the domain controller (-n) and the list of cracked passwords (-c) generated by tools such as Hashcat or John the Ripper.

Note that the group lists at the end (-g "Domain Admins.txt" "Enterprise Admins.txt") are optional. Try this out on the example files provided in the sample_data folder of this project. The sample data was built from census data for common first and last names and passwords from the well known rockyou list.

Your customer.ntds file should be in this format:

domain\username:RID:lmhash:nthash:::

You can get this file by first dumping the password hashes from your domain controller by executing the following command in an administrative command prompt on a domain controller. Just make sure you have enough disk space to store the output in c:\temp. The amount of space needed will be slightly larger than the size of the ntds.dit file that is currently on the disk, as this performs a backup of that file and some registry settings.

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q

The ntdsutil command will create the two files, Active Directory\ntds.dit and registry\SYSTEM, that are needed. You can then turn this output into the format expected by DPAT using secretsdump.py. Secretsdump comes pre-installed on Kali Linux or can be easily installed on Windows using these instructions.

secretsdump.py -system registry/SYSTEM -ntds "Active Directory/ntds.dit" LOCAL -outputfile customer

If you would like to report on password history, include the -history flag as shown below. Note: in Jan/2020 Josh Wright reported that the history hashes are not exported correctly from ntds.dit files on Win2K16 TP4 and later. See this issue.

secretsdump.py -system registry/SYSTEM -ntds "Active Directory/ntds.dit" LOCAL -outputfile customer -history

Note: On Kali Linux, try impacket-secretsdump instead of secretsdump.py if secretsdump.py cannot be found.

The command above will create a file called "customer.ntds" which you will use with this tool (DPAT) as well as for password cracking. You can now proceed with your password cracking efforts to create a crack file in this format (which is the default output of the Hashcat tool):

nthash:password

Or for LM Hashes:

lmhashLeftOrRight:leftOrRightHalfPasswordUpcased

The DPAT tool also supports output from John the Ripper (same format as hashcat.potfile, but each hash is prepended with $NT$ or $LM$).

The optional "-g" option is followed by a list of any number of files containing lists of users who are in the given group such as "Enterprise Admins" or "Domain Admins". The file can be in the format output by the PowerView PowerShell script as shown in the example below:

Get-NetGroupMember -Recurse -GroupName "Domain Admins" > "Domain Admins.txt"

or, to read a group from another domain, use something like the following (the name of the other domain and its domain controller can be obtained with Get-NetForestDomain):

Get-NetGroupMember -Recurse -GroupName "Enterprise Admins" -Domain "some.domain.com" -DomainController "DC01.some.domain.com" > "Enterprise Admins.txt"

Alternatively, the group files can simply be a list of users, one per line, in the following format:

domain\username
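The three input formats described above (the NTDS dump, the Hashcat/John crack file and the plain one-user-per-line group list) tied together in an added example that is not DPAT's own code: it parses each format and derives the headline numbers an audit report is built from (cracked percentage, accounts still storing an LM hash, most reused passwords, cracked members of a privileged group). All sample data and hashes are constructed placeholders; the PowerView group-output format is not handled here.

```python
import re
from collections import Counter
# LM hash of the empty string: an account carrying this value stores no LM hash
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")
def parse_ntds(text):
    # domain\username:RID:lmhash:nthash:::  ->  {username: (lmhash, nthash)}
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not HEX32.match(parts[3].lower()):
            continue  # blank or malformed line
        accounts[parts[0].lower()] = (parts[2].lower(), parts[3].lower())
    return accounts
def parse_crackfile(text):
    # Hashcat potfile (nthash:password) or John pot ($NT$nthash:password) -> {nthash: password}
    cracked = {}
    for line in text.splitlines():
        h, _, password = line.partition(":")  # split once: passwords may contain ':'
        h = re.sub(r"^\$nt\$", "", h.lower())  # strip John's $NT$ prefix
        if HEX32.match(h):  # drops $LM$ entries and 16-hex LM half hashes
            cracked[h] = password
    return cracked
def parse_group_file(text):
    # plain one-domain\username-per-line format -> set of lowercase usernames
    return {l.strip().lower() for l in text.splitlines() if "\\" in l}
def audit(accounts, cracked, groups):
    found = {u: cracked[nt] for u, (_, nt) in accounts.items() if nt in cracked}
    return {
        "accounts": len(accounts),
        "cracked": len(found),
        "percent_cracked": round(100 * len(found) / len(accounts), 1) if accounts else 0.0,
        "lm_hash_stored": sum(lm != EMPTY_LM for lm, _ in accounts.values()),
        "top_passwords": Counter(found.values()).most_common(3),
        "cracked_by_group": {g: sorted(u for u in m if u in found) for g, m in groups.items()},
    }
# Constructed sample data: the hash values are placeholders, not real NT/LM hashes
SAMPLE_NTDS = """corp.example\\alice:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.example\\bob:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.example\\svc_backup:1107:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
corp.example\\carol:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::"""
SAMPLE_POT = """11111111111111111111111111111111:Summer2019!
$NT$22222222222222222222222222222222:Summer2019!
$LM$0123456789abcdef:SUMMER2
33333333333333333333333333333333:pass:word"""
SAMPLE_GROUP = "corp.example\\alice\ncorp.example\\svc_backup\n"
def run_sample():
    # audit the constructed data with one group file named "Domain Admins"
    return audit(parse_ntds(SAMPLE_NTDS), parse_crackfile(SAMPLE_POT), {"Domain Admins": parse_group_file(SAMPLE_GROUP)})
```

The `$LM$` line is deliberately ignored: LM half hashes only give an uppercased 7-character fragment and are not a cracked NT password.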

Here is a PowerShell one-liner to create group files for all groups.

The Domain Password Audit Tool also has the handy feature of finishing the cracking of LM hashes for any accounts whose NT hash was not cracked. This assumes that you have used Hashcat to brute-force all 7-character passwords with the following command:

./hashcat.bin -m 3000 -a 3 customer.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

Or to crack LM hashes with John the Ripper instead:

john --format=LM customer.ntds

To see all available DPAT options, use the -h or --help option:

usage: dpat.py [-h] -n NTDSFILE -c CRACKFILE [-o OUTPUTFILE]
               [-d REPORTDIRECTORY] [-w] [-s]
               [-g [GROUPLISTS [GROUPLISTS ...]]]

This script will perfrom a domain password audit based on an extracted NTDS
file and password cracking output such as Hashcat.

optional arguments:
  -h, --help            Show this help message and exit
  -n NTDSFILE, --ntdsfile NTDSFILE
                        NTDS file name (output from SecretsDump.py)
  -c CRACKFILE, --crackfile CRACKFILE
                        Password Cracking output in the default form output by
                        Hashcat, such as hashcat.potfile
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        The name of the HTML report output file, defaults to
                        _DomainPasswordAuditReport.html
  -d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY
                        Folder containing the output HTML files, defaults to
                        DPAT Report
  -w, --writedb         Write the SQLite database info to disk for offline
                        inspection instead of just in memory. Filename will be
                        "pass_audit.db"
  -s, --sanitize        Sanitize the report by partially redacting passwords
                        and hashes. Appends the report directory with
                        " - Sanitized"
  -g [GROUPLISTS [GROUPLISTS ...]], --grouplists [GROUPLISTS [GROUPLISTS ...]]
                        The name of one or multiple files that contain lists
                        of usernames in particular groups. The group names
                        will be taken from the file name itself. The username
                        list must be in the same format as found in the NTDS
                        file such as some.ad.domain.com\username. Example: -g
                        "Domain Admins.txt" "Enterprise Admins.txt"

Originally Sponsored by:

Black Hills Information Security
