Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/C-Sto/gosecretsdump

Dump ntds.dit really fast
https://github.com/C-Sto/gosecretsdump

cracking cracking-hashes dit dit-files impacket impacket-secretsdump ntds password securiy windows

Last synced: 28 days ago
JSON representation

Dump ntds.dit really fast

Awesome Lists containing this project

README

        

# Gosecretsdump

Have you been using Impacket to dump hashes out of (large) NTDS.dit files, and become increasingly frustrated at how long it takes? I sure have!

All credit for the original code to the impacket devs, it's much more complicated than I anticipated.

This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.

## Features

- Dumps dits very fast. Operations that usually take hours are now done in minutes.
- Can dump SAM/SYSTEM backups
- Can dump local SAM/SYSTEM (must be run as the machine account/SYSTEM)
- A somewhat usable interface for integration other other tooling (See lib example below)

## Usage
You will need to obtain the NTDS.dit and SYSTEM file from the target domain controller as normal. This won't dump anything remotely, just local (for now at least).
```
-enabled
Only output enabled accounts
-history
Include Password History
-livesam
Get hashes from live system. Only works on local machine hashes (SAM), only works on Windows.
-noprint
Don't print output to screen (probably use this with the -out flag)
-ntds string
Location of the NTDS file (required)
-out string
Location to export output
-sam string
Location of SAM registry hive
-status
Include status in hash output
-stream
Stream to files rather than writing in a block. Can be much slower.
-system string
Location of the SYSTEM file (required)
-version
Print version and exit
```

Example (there is a test .dit and system file in this repo)

`gosecretsdump -ntds test/ntds.dit -system test/system`

## Comparison
Using a large-ish .dit file (approx 1gb)

Impacket secretsdump.py
```bash
time ./secretsdump.py local -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM -ntds ~/go/src/github.com/c-sto/gosecretsdump/test/big/Active\ Directory/ntds.dit

./secretsdump.py -system registry/SYSTEM -ntds local 1197.36s user 12.01s system 98% cpu 20:23.78 total
```

gosecretsdump
```bash
time go run main.go -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM -ntds ~/go/src/github.com/c-sto/gosecretsdump/test/big/Active\ Directory/ntds.dit

go run main.go -system -ntds 26.28s user 3.78s system 114% cpu 26.178 total
```

## Lib

So you want to use this in your cool Go implant? that should be easy. The pattern for all the 'dumping' functions is as follows:

**note**
It's likely that the api will undergo changes. I'll try to keep to semver, but please understand that I don't really have any idea what I'm doing.

```go
//Create the reader flavour of your choice
dr, err = samreader.New("C:\\pentest\\system.hive", "C:\\pentest\\sam.hive")
if err != nil {
return err
}

//Get the output channel
dataChan := dr.GetOutChan()

//start dumping
go dr.Dump()

//read from the output channel (the channel will be closed once dumping is complete)
wg := sync.WaitGroup{}
wg.Add(1)
go func(){
defer wg.Done() //This probably won't actually work, I can never remember if defer works on inline funcs
for dh := range dataChan{
fmt.Println("%+v\n", dh)
}
}()
//do other things while you wait
wg.Wait()
```