Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/C-Sto/gosecretsdump
Dump ntds.dit really fast
https://github.com/C-Sto/gosecretsdump
cracking cracking-hashes dit dit-files impacket impacket-secretsdump ntds password securiy windows
Last synced: 28 days ago
JSON representation
Dump ntds.dit really fast
- Host: GitHub
- URL: https://github.com/C-Sto/gosecretsdump
- Owner: C-Sto
- License: gpl-3.0
- Created: 2018-12-24T05:54:19.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2021-10-01T09:11:33.000Z (about 3 years ago)
- Last Synced: 2024-02-15T10:36:21.233Z (10 months ago)
- Topics: cracking, cracking-hashes, dit, dit-files, impacket, impacket-secretsdump, ntds, password, securiy, windows
- Language: Go
- Homepage:
- Size: 2.59 MB
- Stars: 345
- Watchers: 9
- Forks: 48
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- cybersecurity-golang-security - gosecretsdump - Fast hash dumper for NTDS.dit files (Windows Specific)
- awesome-go-security - gosecretsdump - Fast hash dumper for NTDS.dit files (Windows Specific)
- awesome-hacking-lists - C-Sto/gosecretsdump - Dump ntds.dit really fast (Go)
README
# Gosecretsdump
Have you been using Impacket to dump hashes out of (large) NTDS.dit files, and become increasingly frustrated at how long it takes? I sure have!
All credit for the original code to the impacket devs, it's much more complicated than I anticipated.
This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
## Features
- Dumps dits very fast. Operations that usually take hours are now done in minutes.
- Can dump SAM/SYSTEM backups
- Can dump local SAM/SYSTEM (must be run as the machine account/SYSTEM)
- A somewhat usable interface for integration other other tooling (See lib example below)## Usage
You will need to obtain the NTDS.dit and SYSTEM file from the target domain controller as normal. This won't dump anything remotely, just local (for now at least).
```
-enabled
Only output enabled accounts
-history
Include Password History
-livesam
Get hashes from live system. Only works on local machine hashes (SAM), only works on Windows.
-noprint
Don't print output to screen (probably use this with the -out flag)
-ntds string
Location of the NTDS file (required)
-out string
Location to export output
-sam string
Location of SAM registry hive
-status
Include status in hash output
-stream
Stream to files rather than writing in a block. Can be much slower.
-system string
Location of the SYSTEM file (required)
-version
Print version and exit
```Example (there is a test .dit and system file in this repo)
`gosecretsdump -ntds test/ntds.dit -system test/system`
## Comparison
Using a large-ish .dit file (approx 1gb)Impacket secretsdump.py
```bash
time ./secretsdump.py local -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM -ntds ~/go/src/github.com/c-sto/gosecretsdump/test/big/Active\ Directory/ntds.dit./secretsdump.py -system registry/SYSTEM -ntds local 1197.36s user 12.01s system 98% cpu 20:23.78 total
```gosecretsdump
```bash
time go run main.go -system ~/go/src/github.com/c-sto/gosecretsdump/test/big/registry/SYSTEM -ntds ~/go/src/github.com/c-sto/gosecretsdump/test/big/Active\ Directory/ntds.ditgo run main.go -system -ntds 26.28s user 3.78s system 114% cpu 26.178 total
```## Lib
So you want to use this in your cool Go implant? that should be easy. The pattern for all the 'dumping' functions is as follows:
**note**
It's likely that the api will undergo changes. I'll try to keep to semver, but please understand that I don't really have any idea what I'm doing.```go
//Create the reader flavour of your choice
dr, err = samreader.New("C:\\pentest\\system.hive", "C:\\pentest\\sam.hive")
if err != nil {
return err
}//Get the output channel
dataChan := dr.GetOutChan()//start dumping
go dr.Dump()//read from the output channel (the channel will be closed once dumping is complete)
wg := sync.WaitGroup{}
wg.Add(1)
go func(){
defer wg.Done() //This probably won't actually work, I can never remember if defer works on inline funcs
for dh := range dataChan{
fmt.Println("%+v\n", dh)
}
}()
//do other things while you wait
wg.Wait()
```