Dump or analyze existing NTDS data, crack NT hashes with hashcat and match them to their corresponding user accounts.
about revealhashed-python v0.2.1
revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.
dependencies
hashcat
impacket or python3-impacket
neo4j
how to install
from pypi:
pipx install revealhashed
from github:
pipx install git+https://github.com/crosscutsaw/revealhashed-python
git clone https://github.com/crosscutsaw/revealhashed-python; pipx install revealhashed-python/
how to use
revealhashed v0.3.0
usage: revealhashed [-h] [-r] {dump,reveal} ...
positional arguments:
{dump,reveal}
dump Dump NTDS from a DC and reveal credentials.
reveal Reveal credentials from an existing NTDS dump.
options:
-h, --help show this help message and exit
-r, --reset Delete old session data in ~/.revealhashed
revealhashed -r
just execute revealhashed -r to remove the contents of ~/.revealhashed
revealhashed dump
revealhashed v0.3.0
usage: revealhashed dump [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey HEXKEY] [-dc-ip IP] [-codec CODEC] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD]
[-m {ntdsutil,drsuapi,vss}] [-history] [-just-dc-user USER] -w WORDLIST [WORDLIST ...]
target
positional arguments:
target [[domain/]username[:password]@]<host>
options:
-h, --help show this help message and exit
-debug Turn DEBUG output on
-hashes LMHASH:NTHASH
NTLM hashes to authenticate with
-no-pass Don't prompt for a password
-k Use Kerberos authentication
-aesKey HEXKEY AES key for Kerberos authentication
-dc-ip IP IP address of the domain controller
-codec CODEC Encoding used for output decoding
-e, --enabled-only Only show enabled accounts
-nd, --no-domain Strip the domain from displayed usernames (output only)
-csv Also save output as CSV
-bh Mark cracked users as owned in BloodHound
--dburi DBURI BloodHound Neo4j URI (default: bolt://localhost:7687)
--dbuser DBUSER BloodHound Neo4j username (default: neo4j)
--dbpassword DBPASSWORD
BloodHound Neo4j password (default: 1234)
-m, --method {ntdsutil,drsuapi,vss}
NTDS dump method (default: ntdsutil)
-history Dump password history
-just-dc-user USER Only extract this user's data
-w, --wordlists WORDLIST [WORDLIST ...]
Wordlists to use with hashcat
by default this command runs zblurx's ntdsutil.py to dump ntds safely. if that doesn't work, the drsuapi or vss methods can be used. after the dump it performs the classic revealhashed operations.
-w (wordlist) switch is needed. one or more wordlists can be supplied.
-e (enabled-only) switch is suggested. it only shows enabled users.
-nd (no-domain) switch strips domain names from usernames.
-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, --dburi, --dbuser and --dbpassword are also needed to connect to the neo4j database. it supports both bloodhound legacy and ce.
-csv (csv) switch saves the output as csv in addition to txt.
for example:
revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv -bh --dburi bolt://localhost:7687 --dbuser neo4j --dbpassword 1234
revealhashed reveal
revealhashed v0.3.0
usage: revealhashed reveal [-h] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD] [-ntds NTDS] [-nxc] [-w WORDLIST [WORDLIST ...]]
options:
-h, --help show this help message and exit
-e, --enabled-only Only show enabled accounts
-nd, --no-domain Strip the domain from displayed usernames (output only)
-csv Also save output as CSV
-bh Mark cracked users as owned in BloodHound
--dburi DBURI BloodHound Neo4j URI (default: bolt://localhost:7687)
--dbuser DBUSER BloodHound Neo4j username (default: neo4j)
--dbpassword DBPASSWORD
BloodHound Neo4j password (default: 1234)
-ntds NTDS Path to a secretsdump .ntds file
-nxc Pick a .ntds file from ~/.nxc/logs/ntds
-w, --wordlists WORDLIST [WORDLIST ...]
Wordlists to use with hashcat
this command takes an ntds file supplied by the user or picked from netexec's logs, then performs the classic revealhashed operations.
the ntds file should contain usernames and hashes. it should not be ntds.dit. an example ntds dump can be obtained from the repo.
either the -ntds or the -nxc switch is needed. the -ntds switch is for a hash file you already have. the -nxc switch scans the ~/.nxc/logs/ntds directory and lets you select an ntds file.
-w (wordlist) switch is needed. one or more wordlists can be supplied.
-e (enabled-only) switch is suggested. it only shows enabled users.
-nd (no-domain) switch strips domain names from usernames.
-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, --dburi, --dbuser and --dbpassword are also needed to connect to the neo4j database. it supports both bloodhound legacy and ce.
-csv (csv) switch saves the output as csv in addition to txt.
for example:
revealhashed reveal -ntds <ntds_file>.ntds -w wordlist1.txt -e -nd -csv
revealhashed reveal -nxc -w wordlist1.txt -e -nd -csv
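the correlation that reveal describes, as an added example for password-audit review (not revealhashed's own code): it joins a secretsdump-style text dump to a hashcat potfile and applies the -e and -nd filters. the function names, the corp.local accounts and both sample inputs are constructed for illustration; the "(status=...)" suffix is assumed to be present in the dump.

```python
import re

# constructed sample in secretsdump text format (domain\user:rid:lmhash:nthash:::).
# only the first nt hash is real (well-known value for "password"); the rest are made up.
SAMPLE_NTDS = r"""corp.local\alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
corp.local\bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Disabled)
corp.local\carol:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff::: (status=Enabled)
corp.local\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)"""

# constructed hashcat potfile for mode 1000 (nthash:plaintext).
# hashcat writes plaintexts it cannot print safely as $HEX[...].
SAMPLE_POT = """8846f7eaee8fb117ad06bdd830b7586c:password
00112233445566778899aabbccddeeff:$HEX[c3a974c3a93a31]"""

NTDS_LINE = re.compile(
    r"^(?P<user>[^:]+):\d+:[0-9a-fA-F]{32}:(?P<nt>[0-9a-fA-F]{32}):::"
    r"(?:\s*\(status=(?P<status>\w+)\))?")

def parse_ntds(text):
    """Return (user, nt_hash, status) tuples; lines in any other shape are skipped."""
    hits = (NTDS_LINE.match(line.strip()) for line in text.splitlines())
    return [(m["user"], m["nt"].lower(), m["status"]) for m in hits if m]

def parse_potfile(text):
    """Map nt hash -> plaintext, decoding hashcat's $HEX[...] notation."""
    cracked = {}
    for line in text.splitlines():
        nt, sep, plain = line.partition(":")  # split once: passwords may contain ':'
        if not sep or len(nt) != 32:
            continue
        if plain.startswith("$HEX[") and plain.endswith("]"):
            plain = bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
        cracked[nt.lower()] = plain
    return cracked

def correlate(accounts, cracked, enabled_only=False, no_domain=False):
    """Join accounts to cracked plaintexts; uncracked accounts are left out."""
    rows = []
    for user, nt, status in accounts:
        if enabled_only and status != "Enabled":
            continue
        if nt in cracked:
            name = user.split("\\", 1)[-1] if no_domain else user
            rows.append((name, nt, cracked[nt]))
    return rows

if __name__ == "__main__":
    for row in correlate(parse_ntds(SAMPLE_NTDS), parse_potfile(SAMPLE_POT), True, True):
        print(*row, sep="\t")
```

nt hashes are unsalted, so alice and bob sharing one hash means they share one password, whether or not it was cracked.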
example outputs
File details
Details for the file revealhashed-0.3.0.tar.gz.
File metadata
- Download URL: revealhashed-0.3.0.tar.gz
- Upload date:
- Size: 16.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 337898f78e99e01c6fe71a9829bb160cf1cdfc0ab0fb4b87bb750b3958bb20a9 |
| MD5 | 197fc9bf60817fef79c255c922517283 |
| BLAKE2b-256 | 8d6dda0be9e3f3ad06a961c331904f1a2e3b79a8403f2eccd7d597e68d94a0f4 |
File details
Details for the file revealhashed-0.3.0-py3-none-any.whl.
File metadata
- Download URL: revealhashed-0.3.0-py3-none-any.whl
- Upload date:
- Size: 17.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4f0ebf78a8f230b61323103eca500bcaa814bb738b72ebb2dbbb770f6a93563d |
| MD5 | 5c12eec15f0f39db74ded0379952c6d7 |
| BLAKE2b-256 | 927483f8dcfb4a4d7a10849b9187b1b14ebcc01ab7ed3a9e8c9374e8a8bd7e63 |