A tool that matches NT hashes extracted from NTDS.dit against Troy Hunt's HIBP (Have I Been Pwned) NTLM hash collection, using Java concurrency.
Parameters:
  -p, --pwned-hashes=<pwndHashesFile>   path to the HIBP NTLM hash file (required)
  -a, --ad-hashes=<adHashesFile>        path to the prepared NTLM hash file (required)
  -h, --help                            Show this help message and exit.
  -V, --version                         Print version information and exit.
The list can be downloaded here: https://haveibeenpwned.com/Passwords
- Dump NTDS.dit on a DC:
C:\>mkdir c:\windows\temp\dump\
C:\>ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\dump" "quit" "quit"
- Extract hashes using impacket-secretsdump:
sudo impacket-secretsdump -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -outputfile hashes LOCAL
- Keep only user accounts (drop machine accounts, whose names end in $):
grep -v "\\$" hashes.ntds > hashes.ntds.users
- Filter out disabled and expired user accounts (requires the Active Directory PowerShell cmdlets):
# Read the per-user hash lines and keep only those whose account is enabled and not expired.
$accounts = Get-Content -Path .\hashes.ntds.users -Encoding "UTF8"
$results = @()
# Query the Global Catalog (port 3268) so accounts from any domain in the forest resolve.
$forest = [system.directoryservices.activedirectory.forest]::GetCurrentForest().Name + ':3268'
ForEach ($account in $accounts) {
    # Extract the sAMAccountName between "DOMAIN\" and the first ":" of the secretsdump line.
    $current = $account | Select-String -Pattern "(?<=\\)(.*?)(?=\:)" -AllMatches | Select-Object -Expand matches | Select-Object -Expand Value
    if ($null -ne $current) {
        $currentAdUser = Get-ADUser -Filter {SamAccountName -eq $current} -Properties SamAccountName,Enabled,AccountExpirationDate -Server $forest
        # Keep the line only if the account is enabled and has no expiration date, or one still in the future.
        if ($currentAdUser.Enabled -and ($null -eq $currentAdUser.AccountExpirationDate -or $currentAdUser.AccountExpirationDate -gt (Get-Date))) {
            $results += $account
        }
    }
}
$results | Out-File "hashes.ntds.users.enabled" -Encoding "UTF8"
- Match the remaining hashes against the HIBP list:
java -jar JFindPwndHashes.jar -a hashes.ntds.users.enabled -p pwned-passwords-ntlm.txt