Home

Awesome

#ImpDump

This script will parse the output from Impacket's esentutl.py tool and decode user hashes/hash histories.

This script uses the awesome creddump project to perform the decription, and is heavily based on dshashdump.py code from creddump. Proper credit for the original work is under 'AUTHOR' and 'CREDITS' below.

To extract the hash datatable using in a way to minimize space used, run: esentutl.py /path/to/ntds.dit export -table datatable | grep -E "ATTk590689|ATTm3|ATTm590045|ATTr589970|ATTk589914|ATTk589879|ATTk589984|ATTk589918" > output

Or run ./extract.sh (just wraps the syntax for esentutl.py): ./extract.sh /path/to/ntds.dit

Then, to extract all users hashes: ./impdump.py SYSTEM output

To extract user hash histories: ./impdump.py SYSTEM output -history

To extract just the krbtgt hash: ./impdump.py SYSTEM output -krbtgt

To decode a specific user hash using raw data: ./impdump.py SYSTEM rawRid rawPekKey

AUTHOR

I DID NOT WRITE CREDDUMP- all credit to the original author: creddump is written by Brendan Dolan-Gavitt (bdolangavitt@wesleyan.edu). For more information on Syskey, LSA secrets, cached domain credentials, and lots of information on volatile memory forensics and reverse engineering, check out: http://moyix.blogspot.com/

CREDITS

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.