10,733 bytes added ,  14:49, 19 October 2020
Created page with "===Cracking01 (Alias: Goku01)=== {| class="wikitable" |+Resources !Type !Description |- |OS |Kali GNU/Linux Rolling |- |CPU(s) |20 |- |Mem |62G |} ==Instalación:== *Instala..."
===Cracking01 (Alias: Goku01)===
{| class="wikitable"
|+Resources
!Type
!Description
|-
|OS
|Kali GNU/Linux Rolling
|-
|CPU(s)
|20
|-
|Mem
|62G
|}

==Instalación:==

*Instalar [https://github.com/libyal/libesedb esedbexport]: Active Directory database table extractor for Extensible Storage Engine (ESE) database files
*[https://github.com/libyal/libesedb/releases Releases]<syntaxhighlight lang="bash">
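# Build and install libesedb (provides esedbexport).
# The steps are chained with && so that a failed download, extraction or cd
# does not leave configure/make running in the wrong directory.
# NOTE(review): verify the downloaded tarball against a checksum or signature
# published by the project (if available) before building and installing it.
sudo apt-get install autoconf automake autopoint libtool pkg-config
wget https://github.com/libyal/libesedb/releases/download/20181229/libesedb-experimental-20181229.tar.gz \
  && tar xf libesedb-experimental-20181229.tar.gz \
  && cd libesedb-20181229/ \
  && ./configure \
  && make \
  && sudo make install \
  && sudo ldconfig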
</syntaxhighlight>
*Install [https://github.com/csababarta/ntdsxtract NTDSXtract]: Active Directory forensic framework<syntaxhighlight lang="bash">
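# Install NTDSXtract. Chained with && so a failed clone or cd does not run
# setup.py in the current directory.
# NOTE(review): confirm which interpreter `python` resolves to on this host;
# the original steps assume it is the one NTDSXtract supports.
git clone https://github.com/csababarta/ntdsxtract.git \
  && cd ntdsxtract/ \
  && python setup.py build \
  && python setup.py install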
</syntaxhighlight>

==Procesado Naboo==

*Crear la carpeta que contendrá la información<syntaxhighlight lang="bash">
# Work as the cracking account inside a tmux session.
su -l cracking
tmux
cd AD/instantaneas/ADBBVA
snapshot_dir=yyyy-mm-dd   # date the AD snapshot was taken
mkdir "$snapshot_dir" && cd "$snapshot_dir"
# Move the ntds.dit, SYSTEM and SAM files into the directory just created

</syntaxhighlight>

*Preparar los archivos para el tratamiento<br /><syntaxhighlight lang="bash" start="0">
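esedbexport ntds.dit
# detach from tmux with ctrl+b then d while the export runs
mkdir -p esentul_output ImpDump_output NTDS NTDSXtract_output
# "SAM" is a file at this point, so it has to be moved aside before a
# directory with the same name can be created.
mv SAM SAM_old && mkdir -p SAM && mv SAM_old SAM/SAM
# Older snapshots ship the hive as "system" instead of "SYSTEM"; the
# dsusers/dscomputers commands below expect NTDS/SYSTEM, so normalise the name.
if [ -f SYSTEM ]; then mv SYSTEM NTDS/SYSTEM; else mv system NTDS/SYSTEM; fi
# Note the numeric suffixes of the datatable and link_table exports
# (e.g. datatable.4, link_table.7) and use them in the commands below,
# together with the real yyyy-mm-dd.
ls ntds.dit.export/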
</syntaxhighlight>Generar el archivo de usuarios:<syntaxhighlight lang="bash">
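# Capture the timestamp once: the original invoked `date` three times in one
# command line, so the three output files could end up with different suffixes.
BASE=/home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd
STAMP=$(date +%d-%m-%y-%T)
dsusers.py "$BASE/ntds.dit.export/datatable.4" "$BASE/ntds.dit.export/link_table.7" "$BASE/NTDSXtract_output/" \
  --passwordhashes --passwordhistory --certificates --membership --pwdformat john \
  --syshive "$BASE/NTDS/SYSTEM" \
  --csvoutfile "dsusers-$STAMP" --lmoutfile "hashes_LM-$STAMP" --ntoutfile "hashes_NT-$STAMP"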

</syntaxhighlight>Generar el archivo de grupos:<syntaxhighlight lang="bash">
# Group objects and their membership, CSV named with the run timestamp.
dsgroups.py \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/link_table.7 \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ \
  --members --csvoutfile "dsgroups-$(date +%d-%m-%y-%T)"

</syntaxhighlight>Generar el archivo de equipos<syntaxhighlight lang="bash">
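# Capture the timestamp once: the original invoked `date` three times in one
# command line, so the three output files could end up with different suffixes.
BASE=/home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd
STAMP=$(date +%d-%m-%y-%T)
dscomputers.py "$BASE/ntds.dit.export/datatable.4" "$BASE/NTDSXtract_output/" \
  --passwordhashes --passwordhistory --certificates --membership --pwdformat john \
  --syshive "$BASE/NTDS/SYSTEM" \
  --csvoutfile "dscomputers-$STAMP" --lmoutfile "hashes_LM_dscomputers-$STAMP" --ntoutfile "hashes_NT_dscomputers-$STAMP"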

</syntaxhighlight>Generar el histórico:<syntaxhighlight lang="bash">
# Object timeline as CSV, named with the run timestamp.
dstimeline.py \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ \
  --csv --outfile "dstimeline-$(date +%d-%m-%y-%T)"

</syntaxhighlight>Extraer los objetos eliminados:<syntaxhighlight lang="bash">
# Objects flagged as deleted (isDeleted), named with the run timestamp.
dsdeletedobjects.py \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/ntds.dit.export/datatable.4 \
  /home/cracking/AD/instantaneas/ADBBVA/yyyy-mm-dd/NTDSXtract_output/ \
  --useIsDeleted --output "dsdeletedobjects-$(date +%d-%m-%y-%T)"
</syntaxhighlight>

*Crackeado con John The Ripper<syntaxhighlight lang="bash">
# Quoting the file name avoids escaping each ':' in the timestamped suffix.
john --fork=10 --session=06F --format=NT 'hashes_NT-08-03-18-16:29:02'
</syntaxhighlight>

*Consulta de una contraseña<syntaxhighlight lang="bash">
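# Look up one specific account without leaving the cracked credentials on disk:
# the original redirected `john --show` into a file (salida) and grepped that file.
cd NTDSXtract_output/
ls
john --show --format=NT 'hashes_NT-08-03-18-15:53:14' | grep -i xe69906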
</syntaxhighlight>

===Tarjeto===
{| class="wikitable"
|+Resources
!Type
!Description
|-
|OS
|Ubuntu 16.04.6 LTS
|-
|CPU(s)
|8
|-
|Mem
|31G
|-
|GPU
|Tesla K40c (Nvidia)
|}

*Crackeado de hashes Kerberos 5 TGS-REP con diccionario y reglas en hashcat<br /><syntaxhighlight lang="bash">
# Kerberos 5 TGS-REP (-m 13100), dictionary attack (-a 0) with a rule file,
# results to "salida", resumable via the named session.
hashcat -m 13100 -a 0 ficherohashes diccionario \
  -r ficheroreglas \
  -o salida \
  --session=nombresesion \
  -w 4 -D 1,2 -O
</syntaxhighlight>

==Script extracción AD cracking01.rra.lan:/home/cracking/bin/adextract: symbolic link to /home/cracking/ntds_extract/adextract.sh==
<syntaxhighlight lang="bash">
#!/bin/bash
# adextract.sh — stage one AD snapshot (ntds.dit, SYSTEM, SAM) under a dated
# directory, export its tables, run the NTDSXtract passes and hand the NT
# hashes to runjohn.sh.
# Usage: adextract.sh -d yyyy-mm-dd -p /path/to/downloaded/files/
WORKING_DIR="/home/cracking/AD/instantaneas/ADBBVA"   # root of all per-date snapshot directories

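#######################################
# Print the command-line help.
# The original text advertised "-f" for the folder, but getopts only accepts -p.
# Outputs:   help text on stdout
#######################################
usage() {
cat << EndOfMessage

Usage: adextract.sh -d yyyy-mm-dd -p /path/to/downloaded/files/

-d date of ntds.dit download
-p full path to the folder containing ntds.dit, SYSTEM and SAM files
EndOfMessage
}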


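#######################################
# Parse the command-line options into the globals used by the rest of the script.
# Globals:   date (written), path (written), OPTIND (written by getopts)
# Arguments: the script's "$@"
# Returns:   exits 0 after -h; exits 1 on an unknown option or a missing argument
#######################################
parse_arguments() {
  local opt
  # -h takes no argument: the original spec ":h:d:p:" made a bare "-h" fall
  # into the "requires an argument" branch instead of printing the usage text.
  while getopts ":hd:p:" opt; do
    case "${opt}" in
      h) usage; exit 0 ;;
      d) date=${OPTARG} ;;
      p) path=${OPTARG} ;;
      \?) echo "Invalid option: $OPTARG" 1>&2; exit 1 ;;
      :) echo "Invalid option: $OPTARG requires an argument" 1>&2; exit 1 ;;
    esac
  done
}

parse_arguments "$@"
shift $((OPTIND - 1))   # not inside the loop: drop the parsed options from "$@"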


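#######################################
# Validate -d and -p before anything is created or copied.
# Fixes in this version: the date check was duplicated, a bad date format only
# printed a message without exiting, the file checks were nested after an
# `exit` inside the "directory missing" branch (unreachable), the messages used
# "${path/ntds.dit}" (a substitution, not a path) and the SYSTEM/system test
# used || where && was meant.
# Globals:   date (read), path (read)
# Outputs:   usage text on stdout, diagnostics on stderr
# Returns:   exits 1 on any failure, returns 0 otherwise
#######################################
check_arguments() {
  if [[ -z "${date}" ]]; then
    usage
    exit 1
  fi

  # The strict YYYY-MM-DD pattern also keeps ${date} safe to embed in paths
  # such as "${WORKING_DIR}/${date}" (no slashes or dots can get through).
  if [[ ! ${date} =~ ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ ]]; then
    echo "Wrong date format, use: YYYY-MM-DD" 1>&2
    exit 1
  fi

  if [[ -z "${path}" || ! -d "${path}" ]]; then
    echo "Path not found: ${path}" 1>&2
    exit 1
  fi

  local f
  for f in ntds.dit SAM; do
    if [[ ! -f "${path}/${f}" ]]; then
      echo "File not found ${path}/${f}" 1>&2
      exit 1
    fi
  done

  # The hive may be named SYSTEM or system depending on the source (see copy_files).
  if [[ ! -f "${path}/SYSTEM" && ! -f "${path}/system" ]]; then
    echo "File not found ${path}/SYSTEM or ${path}/system" 1>&2
    exit 1
  fi
}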

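#######################################
# Locate the datatable and link_table files produced by esedbexport.
# Globals:   ESEDBEXPORT_OUTPUT_DIR (read)
#            DATATABLE_PATH, LINKTABLE_PATH (written)
# Returns:   exits 1 if either table cannot be found
#######################################
get_tables() {
  # The patterns are quoted so the shell does not expand them against the
  # current directory before find sees them.
  DATATABLE_PATH=$( find "${ESEDBEXPORT_OUTPUT_DIR}" -name 'datatable*' )
  LINKTABLE_PATH=$( find "${ESEDBEXPORT_OUTPUT_DIR}" -name 'link_table*' )
  if [[ -z "${DATATABLE_PATH}" || -z "${LINKTABLE_PATH}" ]]; then
    echo "Exported tables not found in ${ESEDBEXPORT_OUTPUT_DIR}" 1>&2
    exit 1
  fi
}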

# Per-snapshot layout under WORKING_DIR, all derived from the -d date.
DATE_DIR="${WORKING_DIR}/${date}"
ESEDBEXPORT_OUTPUT_DIR="${DATE_DIR}/ntds.dit.export"
# Trailing slash kept on purpose: generate_john_input_path concatenates it
# directly with a file name.
NTDSXTRACT_OUTPUT_DIR="${DATE_DIR}/NTDSXtract_output/"
SYSTEM_PATH="${DATE_DIR}/NTDS/SYSTEM"
# SAM_PATH="${DATE_DIR}/SAM/SAM"

# Base names of the files NTDSXtract writes (relative to its output directory).
DSUSERS_FILENAME="dsusers"
DSGROUPS_FILENAME="dsgroups"
HASHES_LM_FILENAME="hashes_LM"
HASHES_NT_FILENAME="hashes_NT"
DSTIMELINE_FILENAME="dstimeline"
DSCOMPUTERS_FILENAME="dscomputers"
HASHES_LM_DSCOMPUTERS_FILENAME="hashes_LM_dscomputers"
HASHES_NT_DSCOMPUTERS_FILENAME="hashes_NT_dscomputers"
DSDELETEDOBJECTS_FILENAME="dsdeletedobjects"

#######################################
# Run the NTDSXtract user pass (hashes, history, certificates, membership).
# generate_john_input_path later expects the NT hashes at
# ${NTDSXTRACT_OUTPUT_DIR}${HASHES_NT_FILENAME}.
# Globals:   DATATABLE_PATH, LINKTABLE_PATH, NTDSXTRACT_OUTPUT_DIR, SYSTEM_PATH,
#            DSUSERS_FILENAME, HASHES_LM_FILENAME, HASHES_NT_FILENAME (read)
#######################################
dsusers() {
  # --pwdformat accepts ophc, john or ocl.
  local -a args=(
    "${DATATABLE_PATH}" "${LINKTABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}"
    --certificates --membership
    --pwdformat john
    --syshive "${SYSTEM_PATH}"
    --passwordhashes --passwordhistory
    --csvoutfile "${DSUSERS_FILENAME}"
    --lmoutfile "${HASHES_LM_FILENAME}"
    --ntoutfile "${HASHES_NT_FILENAME}"
  )
  dsusers.py "${args[@]}"
}

#######################################
# Run the NTDSXtract group pass with member lists.
# Globals:   DATATABLE_PATH, LINKTABLE_PATH, NTDSXTRACT_OUTPUT_DIR,
#            DSGROUPS_FILENAME (read)
#######################################
dsgroups() {
  local -a args=(
    "${DATATABLE_PATH}" "${LINKTABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}"
    --members
    --csvoutfile "${DSGROUPS_FILENAME}"
  )
  dsgroups.py "${args[@]}"
}

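#######################################
# Run the NTDSXtract computer pass (hashes, history, certificates, membership).
# The original had "\ --csvoutfile" mid-line: the escaped space was passed to
# dscomputers.py as an extra argument consisting of a single blank.
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, SYSTEM_PATH,
#            DSCOMPUTERS_FILENAME, HASHES_LM_DSCOMPUTERS_FILENAME,
#            HASHES_NT_DSCOMPUTERS_FILENAME (read)
#######################################
dscomputers() {
  local -a args=(
    "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}"
    --passwordhashes --passwordhistory --certificates --membership
    --pwdformat john
    --syshive "${SYSTEM_PATH}"
    --csvoutfile "${DSCOMPUTERS_FILENAME}"
    --lmoutfile "${HASHES_LM_DSCOMPUTERS_FILENAME}"
    --ntoutfile "${HASHES_NT_DSCOMPUTERS_FILENAME}"
  )
  dscomputers.py "${args[@]}"
}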

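#######################################
# Run the NTDSXtract timeline pass as CSV.
# The original lacked a space before --csv, so the output directory and the
# flag were passed as one argument ("<dir>--csv").
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, DSTIMELINE_FILENAME (read)
#######################################
dstimeline() {
  dstimeline.py "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --csv --outfile "${DSTIMELINE_FILENAME}"
}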

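#######################################
# Run the NTDSXtract deleted-objects pass (isDeleted flag).
# The original lacked a space before --useIsDeleted, so the output directory
# and the flag were passed as one argument.
# Globals:   DATATABLE_PATH, NTDSXTRACT_OUTPUT_DIR, DSDELETEDOBJECTS_FILENAME (read)
#######################################
dsdeletedobjects() {
  dsdeletedobjects.py "${DATATABLE_PATH}" "${NTDSXTRACT_OUTPUT_DIR}" \
    --useIsDeleted --output "${DSDELETEDOBJECTS_FILENAME}"
}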

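#######################################
# Record the path of the NT hash file for runjohn.sh, keeping the previous
# value as ".old". The original test was inverted ("! -f"), so the rotation
# never happened and mv was attempted on a missing file on the first run.
# Globals:   WORKING_DIR, NTDSXTRACT_OUTPUT_DIR, HASHES_NT_FILENAME (read)
# Outputs:   writes ${WORKING_DIR}/.john_input_path
#######################################
generate_john_input_path() {
  local marker="${WORKING_DIR}/.john_input_path"
  if [[ -f "${marker}" ]]; then
    mv -- "${marker}" "${marker}.old"
  fi
  # NOTE(review): runjohn.sh is started via sudo and treats this content as the
  # path john opens; WORKING_DIR must stay writable only by the cracking account.
  printf '%s\n' "${NTDSXTRACT_OUTPUT_DIR}${HASHES_NT_FILENAME}" > "${marker}"
}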

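#######################################
# Read back the hash-file path written by generate_john_input_path.
# Fixes: the marker lives in WORKING_DIR (where generate_john_input_path writes
# it and runjohn.sh reads it), not in NTDSXTRACT_OUTPUT_DIR; "$(READ)" tried to
# run a command named READ instead of expanding the variable; and the error
# message printed ${path} instead of the path that was missing.
# Globals:   WORKING_DIR (read), JOHN_INPUT_PATH (written)
# Returns:   exits 1 if the recorded file does not exist
#######################################
get_john_input_path() {
  local marker="${WORKING_DIR}/.john_input_path"
  local recorded
  recorded=$( cat -- "${marker}" )
  if [[ ! -f "${recorded}" ]]; then
    echo "File not found: ${recorded}" 1>&2
    exit 1
  fi
  JOHN_INPUT_PATH=${recorded}
}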

#######################################
# Create the per-snapshot directory and its fixed set of sub-directories.
# Globals:   DATE_DIR (read)
#######################################
create_directories() {
  local sub
  mkdir -p "${DATE_DIR}"
  for sub in esentul_output ImpDump_output NTDS NTDSXtract_output SAM; do
    mkdir -p "${DATE_DIR}/${sub}"
  done
}

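#######################################
# Copy the snapshot files into the layout the rest of the pipeline expects.
# Older snapshots ship the hive as "system"; SYSTEM_PATH points at NTDS/SYSTEM,
# so the name is normalised on copy (the original fell back to copying
# "system" under its lowercase name, which SYSTEM_PATH never matched).
# Globals:   path, DATE_DIR (read)
#######################################
copy_files() {
  cp -- "${path}/ntds.dit" "${DATE_DIR}/"
  cp -- "${path}/SAM" "${DATE_DIR}/SAM/"
  if [[ -f "${path}/SYSTEM" ]]; then
    cp -- "${path}/SYSTEM" "${DATE_DIR}/NTDS/SYSTEM"
  else
    cp -- "${path}/system" "${DATE_DIR}/NTDS/SYSTEM"
  fi
}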

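#######################################
# Export the ESE tables of ntds.dit into ${DATE_DIR}/ntds.dit.export.
# Without the guard a failed cd would run esedbexport in whatever directory
# the script happened to be in.
# Globals:   DATE_DIR (read)
# Returns:   exits 1 if DATE_DIR cannot be entered
#######################################
export_tables() {
  cd "${DATE_DIR}" || exit 1
  esedbexport ntds.dit
}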

#######################################
# Run the whole extraction pipeline for one snapshot and hand off to runjohn.sh.
# dstimeline is defined above but is not part of this sequence.
#######################################
main() {
  check_arguments
  create_directories
  copy_files
  export_tables
  get_tables
  # The four NTDSXtract passes are independent, so they run concurrently.
  dsusers &
  dsgroups &
  dscomputers &
  dsdeletedobjects &
  wait
  generate_john_input_path
  # NOTE(review): runjohn.sh is started through sudo, so john runs as root
  # although it only needs the hash file and its session directory; a non-root
  # entry point would limit the blast radius of that step.
  sudo /usr/sbin/runjohn.sh
}

main "$@"

</syntaxhighlight>

==Script runjohn.sh cracking01.rra.lan:/usr/sbin/runjohn.sh==
<syntaxhighlight lang="bash">
#!/bin/bash
# runjohn.sh — start a john session on the NT hash file recorded by adextract.sh.

THREADS=20
WORKING_DIR="/home/cracking/AD/instantaneas/ADBBVA"
READ_FILE="${WORKING_DIR}/.john_input_path"               # path of the current hash file
READ_CURRENT_FILE="${WORKING_DIR}/.john_input_path.old"   # path recorded by the previous run
FILE=$( cat "${READ_FILE}" )
# The session name is the snapshot date embedded in the recorded path.
DATE=$( grep -Eo '[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}' <<<"${FILE}" )

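#######################################
# Abort unless running as root (the script is meant to be started via sudo).
# The original printed the message to stdout and used a bare `exit`, which
# returns the status of the preceding command (0 here) to the caller.
# Returns:   exits 1 when not root
#######################################
is_running_as_root() {
  if [[ "${EUID}" -ne 0 ]]; then
    echo "Please run with sudo" 1>&2
    exit 1
  fi
}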

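#######################################
# Make sure the recorded hash file exists before anything is killed or started.
# Diagnostics go to stderr and the exit status is non-zero (the original used
# stdout and a bare `exit`).
# Globals:   FILE (read)
# Returns:   exits 1 when FILE is missing
#######################################
check_input() {
  if [[ ! -f "${FILE}" ]]; then
    echo "File not found: ${FILE}" 1>&2
    exit 1
  fi
}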

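#######################################
# Stop the john session left over from the previous run.
# Fixes: `xargs -n 1 "echo sudo kill -9"` passed the whole quoted string as a
# command name and could never execute; the pattern hard-coded --fork=10 while
# run_john starts john with --fork=${THREADS}, so processes started by this
# script were never matched; ps|grep|grep -v grep|awk is replaced by pgrep -f.
# The script already runs as root (is_running_as_root), so sudo is not needed.
# Globals:   READ_CURRENT_FILE (read)
#######################################
kill_old() {
  local -a pids=()
  if [[ -f "${READ_CURRENT_FILE}" ]]; then
    mapfile -t pids < <(pgrep -f -- 'john --fork=[0-9]+ --session=')
    if (( ${#pids[@]} > 0 )); then
      printf 'kill %s\n' "${pids[@]}"
      # TERM rather than KILL, so the process gets a chance to clean up.
      kill -- "${pids[@]}"
    fi
    # rm -- "${READ_CURRENT_FILE}"   (left disabled, as in the original)
  fi
}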

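#######################################
# Start john on the recorded NT hash file from the sessions directory.
# The cd is guarded: without it a missing sessions directory would start the
# session in the caller's current directory.
# Globals:   WORKING_DIR, THREADS, DATE, FILE (read)
# Returns:   exits 1 if the sessions directory cannot be entered
#######################################
run_john() {
  cd "${WORKING_DIR}/john/sessions/" || exit 1
  john --fork="${THREADS}" --session="${DATE}" --format=NT "${FILE}"
}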


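# Entry sequence. check_input is defined above but was never called, so a
# missing or stale .john_input_path only surfaced as a john error after the
# previous session had already been killed.
is_running_as_root
check_input
kill_old
run_john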
</syntaxhighlight><comments />
