Compare the NTLM hashes of all Active Directory accounts to find accounts with the same password
The tool can read the NTLM hashes from secretsdump output, from a CSV file, or from the NTDS.dit and the SYSTEM registry hive.
If you follow this guide, you extract all NTLM hashes from your Active Directory. These hashes can be used for authentication, so if someone gets access to them, your Active Directory is fully compromised. You are responsible for verifying the integrity of the third-party libraries and tools you use.
HvS-Consulting AG is not liable for any damage caused by the use of this tool.
Security tools also do not like this.
Export the system registry hive:
reg save HKLM\SYSTEM system.hive
Get the ntds.dit (for example with FTKImager)
The hashes can be collected with DCSync using impacket's secretsdump:
python secretsdump.py -just-dc-ntlm <domain>/<user>[:<password>]@<dc> > secretsdump.txt
Got the hashes some other way? The tool also accepts a CSV file in the format:
username,hash
Depending on the input files, run:
For the ntds.dit option:
./adhashcheck --ntds <ntds.dit> --system <system.hive> --output <output directory>
For the secretsdump option:
./adhashcheck --secretsdump <secretsdump.txt> --output <output directory>
For the CSV option:
./adhashcheck --csv <hashes.csv> --output <output directory>
The output directory now contains three files:
reuse.csv: Password hashes that are used more than once (including count and usernames)
reuse-without-hash.csv: Like reuse.csv, but without NTLM hashes
reuse.json: Like reuse.csv, but as JSON, which allows better post-processing
reuse-without-hash.json: Same as above, but without hashes
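What the comparison amounts to, as an added example that is not adhashcheck's own code: it parses text in the secretsdump line format, groups accounts by NT hash, and returns only the usernames of each reuse group, without the hashes. The sample dump, domain name and hashes are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the secretsdump -just-dc-ntlm line format
# (domain\uid:rid:lmhash:nthash:::). Accounts and hashes are placeholders.
SAMPLE = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
example.local\alice:1104:aad3b435b51404eeaad3b435b51404ee:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::
example.local\bob:1105:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
example.local\svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
example.local\carol:1107:aad3b435b51404eeaad3b435b51404ee:cccccccccccccccccccccccccccccccc:::
[*] Cleaning up...
"""

# user : RID : LM hash : NT hash ::: (banner lines do not match and are skipped)
ACCOUNT_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_dump(text):
    """Yield (username, nt_hash) for every account line in the dump text."""
    for line in text.splitlines():
        match = ACCOUNT_LINE.match(line.strip())
        if match:
            # Normalise case so the same hash in upper/lower case compares equal.
            yield match["user"], match["nt"].lower()


def find_reuse(pairs):
    """Return username groups sharing one NT hash, largest group first."""
    by_hash = defaultdict(set)
    for user, nt_hash in pairs:
        by_hash[nt_hash].add(user)
    groups = [sorted(users) for users in by_hash.values() if len(users) > 1]
    # Only usernames leave this function; the hashes themselves are dropped.
    return sorted(groups, key=lambda users: (-len(users), users))


if __name__ == "__main__":
    for users in find_reuse(parse_dump(SAMPLE)):
        print(len(users), ", ".join(users))
```
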
Copyright 2021 HvS-Consulting AG
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.