Dump or analyze existing NTDS data, crack NT hashes with hashcat and match them to their corresponding user accounts.

Project description

about revealhashed-python v0.2.1

revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.

dependencies

hashcat
impacket or python3-impacket
neo4j

how to install

from pypi:
pipx install revealhashed

from github:
pipx install git+https://github.com/crosscutsaw/revealhashed-python

git clone https://github.com/crosscutsaw/revealhashed-python; pipx install revealhashed-python/

how to use

revealhashed v0.3.0

usage: revealhashed [-h] [-r] {dump,reveal} ...

positional arguments:
  {dump,reveal}
    dump         Dump NTDS from a DC and reveal credentials.
    reveal       Reveal credentials from an existing NTDS dump.

options:
  -h, --help     show this help message and exit
  -r, --reset    Delete old session data in ~/.revealhashed

revealhashed -r

just execute revealhashed -r to remove the contents of ~/.revealhashed

revealhashed dump

revealhashed v0.3.0

usage: revealhashed dump [-h] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey HEXKEY] [-dc-ip IP] [-codec CODEC] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD]
                         [-m {ntdsutil,drsuapi,vss}] [-history] [-just-dc-user USER] -w WORDLIST [WORDLIST ...]
                         target

positional arguments:
  target                [[domain/]username[:password]@]<host>

options:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output on
  -hashes LMHASH:NTHASH
                        NTLM hashes to authenticate with
  -no-pass              Don't prompt for a password
  -k                    Use Kerberos authentication
  -aesKey HEXKEY        AES key for Kerberos authentication
  -dc-ip IP             IP address of the domain controller
  -codec CODEC          Encoding used for output decoding
  -e, --enabled-only    Only show enabled accounts
  -nd, --no-domain      Strip the domain from displayed usernames (output only)
  -csv                  Also save output as CSV
  -bh                   Mark cracked users as owned in BloodHound
  --dburi DBURI         BloodHound Neo4j URI (default: bolt://localhost:7687)
  --dbuser DBUSER       BloodHound Neo4j username (default: neo4j)
  --dbpassword DBPASSWORD
                        BloodHound Neo4j password (default: 1234)
  -m, --method {ntdsutil,drsuapi,vss}
                        NTDS dump method (default: ntdsutil)
  -history              Dump password history
  -just-dc-user USER    Only extract this user's data
  -w, --wordlists WORDLIST [WORDLIST ...]
                        Wordlists to use with hashcat

this command executes zblurx's ntdsutil.py to dump ntds safely by default. if that doesn't work, the drsuapi or vss method can be used instead. after the dump, it performs the classic revealhashed operations.

-w (wordlist) switch is needed. one or more wordlists can be supplied.
-e (enabled-only) switch is suggested. it only shows enabled users.
-nd (no-domain) switch strips domain names from usernames.
-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, --dburi, --dbuser and --dbpassword are also needed to connect to the neo4j database. both legacy and ce are supported.
-csv (csv) switch saves output to csv, together with txt.

for example:
revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv -bh --dburi bolt://localhost:7687 --dbuser neo4j --dbpassword 1234

revealhashed reveal

revealhashed v0.3.0

usage: revealhashed reveal [-h] [-e] [-nd] [-csv] [-bh] [--dburi DBURI] [--dbuser DBUSER] [--dbpassword DBPASSWORD] [-ntds NTDS] [-nxc] [-w WORDLIST [WORDLIST ...]]

options:
  -h, --help            show this help message and exit
  -e, --enabled-only    Only show enabled accounts
  -nd, --no-domain      Strip the domain from displayed usernames (output only)
  -csv                  Also save output as CSV
  -bh                   Mark cracked users as owned in BloodHound
  --dburi DBURI         BloodHound Neo4j URI (default: bolt://localhost:7687)
  --dbuser DBUSER       BloodHound Neo4j username (default: neo4j)
  --dbpassword DBPASSWORD
                        BloodHound Neo4j password (default: 1234)
  -ntds NTDS            Path to a secretsdump .ntds file
  -nxc                  Pick a .ntds file from ~/.nxc/logs/ntds
  -w, --wordlists WORDLIST [WORDLIST ...]
                        Wordlists to use with hashcat

this command takes an ntds file supplied by the user or by netexec, then performs the classic revealhashed operations.

the ntds file should contain usernames and hashes. it should not be ntds.dit itself. an example ntds dump can be obtained from the repo.

either the -ntds or the -nxc switch is needed. the -ntds switch is for a file of hashes you already have. the -nxc switch scans the ~/.nxc/logs/ntds directory and lets you select an ntds file.
-w (wordlist) switch is needed. one or more wordlists can be supplied.
-e (enabled-only) switch is suggested. it only shows enabled users.
-nd (no-domain) switch strips domain names from usernames.
-bh (bloodhound) switch marks cracked users as owned in bloodhound. if used, --dburi, --dbuser and --dbpassword are also needed to connect to the neo4j database. both legacy and ce are supported.
-csv (csv) switch saves output to csv, together with txt.

for example:
revealhashed reveal -ntds <ntds_file>.ntds -w wordlist1.txt -e -nd -csv
revealhashed reveal -nxc -w wordlist1.txt -e -nd -csv
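
the correlation step described above, as an added example for a password-audit report (not revealhashed's own code): it joins secretsdump-style lines with a hashcat potfile and groups accounts that share an nt hash. the `user:rid:lmhash:nthash:::` layout with an optional `(status=...)` suffix, the function names and the sample data are assumptions.

```python
import re
from collections import defaultdict

# constructed sample data; not taken from any real environment
NTDS_SAMPLE = r"""
corp.local\alice:1104:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)
corp.local\bob:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Disabled)
corp.local\svc_sql:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
corp.local\carol:1107:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff::: (status=Enabled)
"""
POT_SAMPLE = """
8846f7eaee8fb117ad06bdd830b7586c:password
0123456789abcdef0123456789abcdef:$HEX[53756d6d65723a32303234]
"""
# assumed dump line layout: user:rid:lmhash:nthash::: [(status=Enabled|Disabled)]
LINE = re.compile(r"^(?P<user>[^:]+):\d+:[0-9a-fA-F]{32}:(?P<nt>[0-9a-fA-F]{32}):::"
                  r"(?:\s+\(status=(?P<status>\w+)\))?")

def load_pot(text):
    """Map nt hash -> plaintext from hashcat potfile lines (hash:plain)."""
    pot = {}
    for line in text.splitlines():
        nt, sep, plain = line.partition(":")   # split once: plain may contain ':'
        if not sep or len(nt) != 32:
            continue
        m = re.fullmatch(r"\$HEX\[([0-9a-fA-F]*)\]", plain)
        if m:  # hashcat hex-encodes plains holding ':' or non-printable bytes
            plain = bytes.fromhex(m.group(1)).decode("utf-8", "replace")
        pot[nt.lower()] = plain
    return pot

def correlate(ntds_text, pot_text, enabled_only=False, no_domain=False):
    """Return (user, nthash, password) for every account whose hash was cracked."""
    pot, rows = load_pot(pot_text), []
    for line in ntds_text.splitlines():
        m = LINE.match(line.strip())
        if not m or (enabled_only and m["status"] == "Disabled"):
            continue
        user = m["user"].split("\\")[-1] if no_domain else m["user"]
        nt = m["nt"].lower()
        if nt in pot:
            rows.append((user, nt, pot[nt]))
    return rows

def reuse_groups(rows):
    """Accounts sharing one nt hash, i.e. the same password on several accounts."""
    groups = defaultdict(list)
    for user, nt, _ in rows:
        groups[nt].append(user)
    return {nt: users for nt, users in groups.items() if len(users) > 1}
```
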

Download files

Source Distribution

revealhashed-0.3.0.tar.gz (16.0 kB)

Uploaded Source

Built Distribution

revealhashed-0.3.0-py3-none-any.whl (17.6 kB)

Uploaded Python 3

File details

Details for the file revealhashed-0.3.0.tar.gz.

File metadata

  • Download URL: revealhashed-0.3.0.tar.gz
  • Upload date:
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.5

File hashes

Hashes for revealhashed-0.3.0.tar.gz
Algorithm Hash digest
SHA256 337898f78e99e01c6fe71a9829bb160cf1cdfc0ab0fb4b87bb750b3958bb20a9
MD5 197fc9bf60817fef79c255c922517283
BLAKE2b-256 8d6dda0be9e3f3ad06a961c331904f1a2e3b79a8403f2eccd7d597e68d94a0f4

File details

Details for the file revealhashed-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: revealhashed-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 17.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.5

File hashes

Hashes for revealhashed-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4f0ebf78a8f230b61323103eca500bcaa814bb738b72ebb2dbbb770f6a93563d
MD5 5c12eec15f0f39db74ded0379952c6d7
BLAKE2b-256 927483f8dcfb4a4d7a10849b9187b1b14ebcc01ab7ed3a9e8c9374e8a8bd7e63
