ESEDBxtract
 - Grimhacker

    A script to extract password hashes from a domain controller using the
     NTDS.dit file and SYSTEM hive.

    libesedb's esedbexport is used (as a subprocess) to extract the datatable and
     link_table from an ntds.dit file.
    A modified version of dshashes.py (based on dsusers.py of ntdsxtract) is then
     used to extract the password and password history hashes from these tables.

Requires:
    Python
    libesedb https://code.google.com/p/libesedb/
    PyCrypto

Example usage:
    The following command will create a file called hashes.pwdump containing the
     password hashes.
    python esedbxtract.py -n ntds.dit -s system
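
Added example, not part of ESEDBxtract or the projects it builds on: a password-audit pass over the resulting hashes.pwdump that lists accounts by name only (stored LM hash, blank password, password shared with another account). It assumes the conventional pwdump line layout name:rid:lm_hash:nt_hash:::, which this README does not spell out, and it targets Python 3.

```python
# Added example (Python 3), not part of ESEDBxtract.
# Assumed line layout (not stated in this README): name:rid:lm_hash:nt_hash:::
import re
import sys
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"[0-9a-f]{32}")


def audit_pwdump(lines):
    """Report weak-storage findings by account name; hashes are never returned."""
    lm_stored, blank, by_nt = [], [], defaultdict(list)
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank or malformed line
        name, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if name.endswith("$"):
            continue  # machine accounts (name ends in $) are skipped
        if HEX32.fullmatch(lm) and lm != EMPTY_LM:
            lm_stored.append(name)  # a real LM hash is still being stored
        if nt == EMPTY_NT:
            blank.append(name)
        elif HEX32.fullmatch(nt):
            by_nt[nt].append(name)  # group accounts by identical NT hash
    shared = sorted(sorted(names) for names in by_nt.values() if len(names) > 1)
    return {"lm_stored": sorted(lm_stored), "blank_password": sorted(blank),
            "shared_password": shared}


# Constructed sample input; the hash values are filler, not real credentials.
SAMPLE = [
    "alice:1104:" + EMPTY_LM + ":" + "a" * 32 + ":::",
    "bob:1105:" + EMPTY_LM + ":" + "a" * 32 + ":::",
    "carol:1106:" + "b" * 32 + ":" + "c" * 32 + ":::",
    "dave:1107:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "WS01$:1108:" + EMPTY_LM + ":" + "a" * 32 + ":::",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            report = audit_pwdump(handle)
    else:
        report = audit_pwdump(SAMPLE)
    for finding, accounts in report.items():
        print(finding, accounts)
```

Run it with the path to the pwdump file as its only argument; with no argument it reports on the constructed sample.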

Other options:

    If the datatable and/or link table have already been extracted they can be
     specified instead of the ntds.dit file using the following flags:
        -d DATATABLE
        -l LINKTABLE

    If password history hashes are required add:
        -P

    If password hashes are NOT required add:
        -p

    To exclude hashes for disabled accounts add:
        -e

    To change the default output filenames add:
        -o PASSWORD_HASHES_FILENAME
        -O PASSWORD_HISTORY_HASHES_FILENAME

    If for whatever reason esedbexport is not in your PATH, add:
        --esedbexport ESEDBEXPORT

WARNING:
    It can take a very long time for esedbexport to extract the tables depending
     on the size of the Active Directory.
    Be prepared to go for a coffee (or maybe lunch) while waiting for this tool
     to finish running.

Tested on:
    Kali Linux 32bit Python 2.7
    Fedora 20 64bit (3.14x kernel) Python 2.7

Attribution:
    esedbexport from libesedb (available at https://code.google.com/p/libesedb/)
     is used to export the tables.
    dshashes.py by Tim Tomes (LaNMaSteR53) (available at
     https://code.google.com/p/ptscripts/source/browse/trunk/dshashes.py)
     has been refactored into a class and is used to extract hashes from the tables.
    ntdsxtract by Csaba Barta (available at http://ntdsxtract.com/) is used by
     dshashes.py to extract hashes.

License:
    Copyright (C) 2014  Oliver Morton

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.