ESEDBxtract - Grimhacker

A script to extract password hashes from a domain controller using the NTDS.dit file and SYSTEM hive.

libesedb's esedbexport is run as a subprocess to extract the datatable and link_table from an ntds.dit file. A modified version of dshashes.py (based on dsusers.py from ntdsxtract) is then used to extract the password hashes and password history hashes from those tables.

Requires:
    Python
    libesedb https://code.google.com/p/libesedb/
    PyCrypto

Example usage:
The following command creates a file called hashes.pwdump containing the password hashes.

    python esedbxtract.py -n ntds.dit -s system

Other options:
If the datatable and/or link table have already been extracted, they can be specified instead of the ntds.dit file using the following flags:
    -d DATATABLE -l LINKTABLE

If password history hashes are required, add:
    -P

If password hashes are NOT required, add:
    -p

To exclude hashes for disabled accounts, add:
    -e

To change the default output filenames, add:
    -o PASSWORD_HASHES_FILENAME -O PASSWORD_HISTORY_HASHES_FILENAME

If for whatever reason esedbexport is not in your PATH, add:
    --esedbexport ESEDBEXPORT

WARNING: esedbexport can take a very long time to extract the tables, depending on the size of the Active Directory database. Be prepared to go for a coffee (or maybe lunch) while waiting for this tool to finish running.

Tested on:
    Kali Linux 32bit, Python 2.7
    Fedora 20 64bit (3.14.x kernel), Python 2.7

Attribution:
    esedbexport from libesedb (available at https://code.google.com/p/libesedb/) is used to export the tables.
    dshashes.py by Tim Tomes (LaNMaSteR53) (available at https://code.google.com/p/ptscripts/source/browse/trunk/dshashes.py) has been refactored into a class and is used to extract hashes from the tables.
    ntdsxtract by Csaba Barta (available at http://ntdsxtract.com/) is used by dshashes.py to extract hashes.
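The two-step procedure above (run esedbexport as a subprocess, then feed the exported datatable and link_table to the hash extractor) is easy to get wrong in the details: the esedbexport binary may not be in PATH, the export takes a long time, and the exported files carry a numeric table index in their name that differs between databases. The following Python 3 script is an added example of the wrapper logic, written for this page; it is not esedbxtract's own code. Assumptions that are not stated on the page and are marked as such in the code: esedbexport accepts `-t TARGET` to choose the export location and writes each table as `<name>.<index>` (for example `datatable.3`, `link_table.5`) inside `TARGET.export`.

```python
"""Added example (not esedbxtract's own code): drive esedbexport as a
subprocess and pick the exported datatable / link_table files to pass
to esedbxtract.py -d / -l.

Assumptions (not from the README): esedbexport takes ``-t TARGET`` to
name the export location and writes every table as ``<name>.<index>``
(e.g. datatable.3, link_table.5) inside ``TARGET.export``; the numeric
index varies between ntds.dit files, so it must be discovered, not
hard-coded.
"""
import os
import shutil
import subprocess


def resolve_esedbexport(explicit=None, which=shutil.which):
    """Return a path to esedbexport.

    Mirrors the README's --esedbexport override: an explicit path wins,
    otherwise PATH is searched. Fails early with a clear message instead
    of letting subprocess raise after the (possibly long) setup.
    `which` is injectable so the PATH lookup can be tested offline.
    """
    if explicit:
        if not (os.path.isfile(explicit) and os.access(explicit, os.X_OK)):
            raise FileNotFoundError("esedbexport is not executable: %s" % explicit)
        return os.path.abspath(explicit)
    found = which("esedbexport")
    if found is None:
        raise FileNotFoundError(
            "esedbexport not found in PATH; install libesedb or pass --esedbexport")
    return found


def export_command(esedbexport, ntds_path, target):
    """argv to export all tables of ntds_path into <target>.export.
    Assumption: esedbexport's -t option names the export target."""
    return [esedbexport, "-t", target, ntds_path]


def pick_table(filenames, table):
    """Choose the exported file for `table` ("datatable" or "link_table").

    esedbexport suffixes each table with its numeric index, so require an
    exact "<table>.<digits>" match: "datatable.3" must not be confused
    with "link_table.5" or with any other file in the export directory.
    Exactly one match is expected; anything else is reported as an error.
    """
    matches = []
    for name in filenames:
        stem, sep, idx = name.rpartition(".")
        if sep and stem == table and idx.isdigit():
            matches.append(name)
    if len(matches) != 1:
        raise ValueError("expected exactly one %s.<index> file, found %r" % (table, matches))
    return matches[0]


def export_tables(ntds_path, target, esedbexport=None, timeout=None):
    """Run esedbexport and return (datatable_path, link_table_path).

    On a large Active Directory this can run for a very long time;
    timeout=None waits indefinitely, a value in seconds aborts instead.
    """
    exe = resolve_esedbexport(esedbexport)
    subprocess.run(export_command(exe, ntds_path, target), check=True, timeout=timeout)
    export_dir = target + ".export"  # assumption: esedbexport appends ".export"
    names = os.listdir(export_dir)
    return (os.path.join(export_dir, pick_table(names, "datatable")),
            os.path.join(export_dir, pick_table(names, "link_table")))


if __name__ == "__main__":
    import sys
    datatable, link_table = export_tables(sys.argv[1], "ntds")
    # The tables can now be handed to the documented -d / -l flags.
    print("python esedbxtract.py -d %s -l %s" % (datatable, link_table))
```

Running the script with the path to an ntds.dit prints the esedbxtract.py command line to use with the already-extracted tables, which is the situation the `-d DATATABLE -l LINKTABLE` flags exist for; `pick_table` deliberately refuses to guess when zero or several candidate files exist, since silently using the wrong table would yield an empty or misleading hash dump.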
License: Copyright (C) 2014 Oliver Morton This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.