Post-exploitation NTDS dump analyzer — correlates secretsdump output with hashcat potfiles to identify shared passwords and weak credentials in Active Directory
Project description
TattleTale
Analyze secretsdump output and hashcat potfiles to find shared passwords, weak credentials, and other issues in Active Directory. No dependencies.
Built from years of hands-on experience in enterprise penetration testing. Used in real-world assessments of Fortune 500 companies and critical infrastructure.
Install
pip
```
pip install tattletale
```
Standalone
It's a single Python file with no dependencies. Grab it and go:
```
curl -O https://raw.githubusercontent.com/coryavra/tattletale/master/tattletale.py
```
Container
The included Containerfile works with Apple Containers (macOS 26+) and Docker (OCI-compliant).
```
# Apple Containers (native to macOS)
container build -t tattletale .
container run --rm -v "$(pwd)/data:/mnt/shared" tattletale \
    -d /mnt/shared/ntds.dit \
    -p /mnt/shared/cracked.pot \
    -o /mnt/shared/report

# Docker works too
docker build -t tattletale .
docker run --rm -v "$(pwd)/data:/mnt/shared" tattletale \
    -d /mnt/shared/ntds.dit \
    -p /mnt/shared/cracked.pot \
    -o /mnt/shared/report
```
Usage
```
tattletale -d <file> -p <file> -b <zip> [options]

REQUIRED
    -d, --dit <file>          NTDS.DIT dump file from secretsdump

RECOMMENDED
    -p, --pot <file>          Hashcat potfile with cracked hashes
    -b, --bloodhound <zip>    SharpHound zip export for privileged group identification

OPTIONS
    -t, --targets <files>     Additional target lists (e.g. -t svc_accounts.txt)
    -o, --output <dir>        Export reports to directory
    -r, --redact              Hide passwords completely (************)
    -R, --redact-partial      Show first two chars only (Pa**********)
    -h, --help                Show this help message
    -v, --version             Show version number

SHOW (limit output to specific sections — shows all when omitted)
    --show-stats              Statistics and security warnings
    --show-krbtgt             krbtgt / Golden Ticket detection
    --show-targets            High value targets
    --show-shared             Shared target credentials
    --show-cross-domain       Cross-domain shared passwords
    --show-analysis           Password analysis and patterns

POLICY (check cracked passwords against requirements)
    --policy-length <n>       Minimum password length
    --policy-complexity <n>   Require n-of-4 character classes (1-4)
                              (uppercase, lowercase, digit, symbol)
```
Examples
```
# Full analysis — cracked hashes + BloodHound privileged group context
tattletale -d ntds.dit -p cracked.pot -b BloodHound.zip

# With additional target lists for accounts not in BloodHound
tattletale -d ntds.dit -p cracked.pot -b BloodHound.zip -t svc_accounts.txt

# Basic analysis (DIT only)
tattletale -d ntds.dit

# Target lists without BloodHound
tattletale -d ntds.dit -p cracked.pot -t domain_admins.txt local_admins.txt

# Redacted output for screenshotting
tattletale -d ntds.dit -p cracked.pot -r

# Check cracked passwords against policy (8 chars, 3-of-4 complexity)
tattletale -d ntds.dit -p cracked.pot --policy-length 8 --policy-complexity 3
```
Output
Statistics
Overview of the dump: total accounts, cracking progress, hash types, and security warnings like empty passwords or legacy LM hashes.
High Value Targets
Tracks accounts from target lists and BloodHound-identified privileged group members. Grouped by source with cracked passwords displayed inline.
Shared Credentials
Accounts that share the same password hash. Grouped by password with target and privileged accounts highlighted.
Cross-Domain Shared Passwords
Detects identical NT hashes appearing across multiple domains. Highlights lateral movement risk in multi-domain environments.
Password Analysis
Pattern analysis across all cracked passwords: length distribution, character composition, common patterns (seasons, years, keyboard walks), and most common passwords.
Input formats
| File | Format | Example |
|---|---|---|
| DIT dump | secretsdump output | DOMAIN\user:1001:LM_HASH:NT_HASH::: |
| Potfile | hashcat potfile | NT_HASH:cleartext |
| Targets | one username per line | administrator |
| BloodHound | SharpHound zip export | 20240115_BloodHound.zip |
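The correlation behind the Statistics, Shared Credentials, Cross-Domain and policy sections can be sketched from the DIT and potfile formats in the table above. This is an added example, not TattleTale's own code; the function names, report keys, and sample accounts, hashes and passwords are constructed for illustration.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
A, B, C = "1" * 32, "2" * 32, "4" * 32         # constructed placeholder hashes
# Constructed sample input in the two formats from the table above.
SAMPLE_DIT = "\n".join([
    f"CORP\\administrator:500:{EMPTY_LM}:{A}:::",
    f"CORP\\svc_backup:1105:{EMPTY_LM}:{A}:::",
    f"CORP\\jsmith:1106:{C}:{B}:::",
    f"LAB\\jsmith:1201:{EMPTY_LM}:{B}:::",
    f"CORP\\guest:501:{EMPTY_LM}:{EMPTY_NT}:::"])
SAMPLE_POT = f"{A}:Summer2024!\n{B}:password\n"

def parse_dit(text):
    """Yield (domain, account, lm, nt) per secretsdump line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            domain = parts[0].rpartition("\\")[0].upper()
            yield domain, parts[0], parts[2].lower(), parts[3].lower()

def parse_pot(text):
    """Map NT hash -> cleartext; split on the first ':' only (passwords may contain ':')."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {h.lower(): pw for h, sep, pw in pairs if sep and len(h) == 32}

def char_classes(pw):
    """Count how many of upper/lower/digit/symbol appear (the n-of-4 check)."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def analyze(dit_text, pot_text, min_len=8, min_classes=3):
    pot, by_hash = parse_pot(pot_text), defaultdict(list)
    report = {"empty": [], "lm": [], "policy_fail": []}
    for domain, account, lm, nt in parse_dit(dit_text):
        if lm != EMPTY_LM:
            report["lm"].append(account)       # legacy LM hash still stored
        if nt == EMPTY_NT:
            report["empty"].append(account)    # empty password
            continue
        by_hash[nt].append((domain, account))
        pw = pot.get(nt)
        if pw is not None and (len(pw) < min_len or char_classes(pw) < min_classes):
            report["policy_fail"].append(account)
    # Same NT hash on several accounts = shared password; on several domains = cross-domain.
    report["shared"] = {h: [a for _, a in e] for h, e in by_hash.items() if len(e) > 1}
    report["cross_domain"] = {h: sorted({d for d, _ in e}) for h, e in by_hash.items()
                              if len({d for d, _ in e}) > 1}
    return report
```

Because NT hashes are unsalted, the shared and cross-domain groupings work on the dump alone; the potfile is only needed for the policy check.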
See also
Standing on the shoulders of giants:
- secretsdump.py - extract hashes from NTDS.DIT
- hashcat - crack the hashes
- BloodHound - map Active Directory attack paths
License
MIT
File details
Details for the file tattletale-3.4.0.tar.gz.
File metadata
- Download URL: tattletale-3.4.0.tar.gz
- Upload date:
- Size: 22.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5b5e2800f760f87c2e5e4773c31bbb3b3901ef1389044b678de7c3b840f68739 |
| MD5 | de7268eb7164b8e47370fbb06d246834 |
| BLAKE2b-256 | b3a02265ec33f33df0b7aa4bd8e0c62ea05f8ff4cfe9fede4e9475fa3407341e |
File details
Details for the file tattletale-3.4.0-py3-none-any.whl.
File metadata
- Download URL: tattletale-3.4.0-py3-none-any.whl
- Upload date:
- Size: 22.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fbbcd98306b9048942d888d4916899feb03248f3f6732402123aca0bac79ca71 |
| MD5 | f1e6b7b402c9790b900971f9bbf2ffb4 |
| BLAKE2b-256 | 98c2e51f928464a1e77adfa8b22cd0d2acde8a47c1a0f74ee27f4d4a895ce382 |