ntds-tattletale 3.1.0

Post-exploitation NTDS dump analyzer — correlates secretsdump output with hashcat potfiles to identify shared passwords and weak credentials in Active Directory

TattleTale

Analyze secretsdump output and hashcat potfiles to find shared passwords, weak credentials, and other issues in Active Directory. No dependencies.

Built from years of hands-on experience in enterprise penetration testing. Used in real-world assessments of Fortune 500 companies and critical infrastructure.

Install

pip

pip install ntds-tattletale

Then run it:

tattletale -d dump.ntds -p cracked.pot

Standalone

It's a single Python file with no dependencies. Grab it and go:

curl -O https://raw.githubusercontent.com/coryavra/tattletale/master/tattletale.py
python3 tattletale.py -d dump.ntds -p cracked.pot

Container

The included Containerfile works with Apple Containers (macOS 26+) and Docker (OCI-compliant).

# Apple Containers (native to macOS)
container build -t tattletale .
container run --rm -v "$(pwd)/data:/mnt/shared" tattletale \
    -d /mnt/shared/ntds.dit \
    -p /mnt/shared/cracked.pot \
    -o /mnt/shared/report

# Docker works too
docker build -t tattletale .
docker run --rm -v "$(pwd)/data:/mnt/shared" tattletale \
    -d /mnt/shared/ntds.dit \
    -p /mnt/shared/cracked.pot \
    -o /mnt/shared/report

Usage

tattletale -d <file> [-p <file>] [-t <files>] [options]

REQUIRED
    -d, --dit <file>            secretsdump output file

OPTIONS
    -p, --pot <file>            hashcat potfile with cracked hashes
    -t, --targets <files>       target lists (admins.txt, svc.txt, etc)
    -o, --output <dir>          export reports to directory
    -r, --redact-partial        show first 2 chars only (Pa**********)
    -R, --redact-full           hide passwords completely (************)
    -h, --help                  show help message
    -V, --version               show version

POLICY
    --policy-length <n>         minimum password length
    --policy-complexity <n>     require n-of-4 character classes (upper, lower, digit, symbol)
    --policy-no-username        password cannot contain username

Examples

# Basic analysis - just the dump file
tattletale -d ntds.dit

# With cracked hashes from hashcat
tattletale -d ntds.dit -p hashcat.pot

# Track high-value targets with multiple lists
tattletale -d ntds.dit -p hashcat.pot -t domain_admins.txt svc_accounts.txt

# Redacted output for client reports
tattletale -d ntds.dit -p hashcat.pot -r -o ./report

# Check cracked passwords against policy (8 chars, 3-of-4 complexity)
tattletale -d ntds.dit -p hashcat.pot --policy-length 8 --policy-complexity 3

Output

Statistics

Overview of the dump: total accounts, cracking progress, hash types, and security warnings like empty passwords or legacy LM hashes.

High Value Targets

Shows the status of accounts from your target lists. Grouped by file so you can track domain admins separately from service accounts.

Shared Credentials

Accounts that share the same password hash. Grouped by password with target accounts highlighted.

Password Analysis

Pattern analysis across all cracked passwords: length distribution, character composition, common patterns (seasons, years, keyboard walks), and most reused passwords.

Input formats

File	Format	Example
DIT dump	secretsdump output	DOMAIN\user:1001:LM_HASH:NT_HASH:::
Potfile	hashcat potfile	NT_HASH:cleartext
Targets	one username per line	administrator

See also

Standing on the shoulders of giants:

• secretsdump.py - extract hashes from NTDS.DIT
• hashcat - crack the hashes
• CrackMapExec - password spraying and more

License

MIT