-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheck_hashes.py
executable file
·106 lines (90 loc) · 3.58 KB
/
check_hashes.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/env python3
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse
import re
parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
parser.add_argument('pwdump', help="Hashes in the pwdump format")
parser.add_argument("--prefix",'--pre', help="Optional filter based on prefix", required=False)
parser.add_argument("--suffix",'--post', help="Optional filter based on suffix ", required=False)
parser.add_argument("--regex", help="Optional regex filter", required=False)
parser.add_argument("--file", help="Optional file containing a list of admin users to use as a filter", required=False)
args = parser.parse_args()
pwdump = args.pwdump
prefix = args.prefix
suffix = args.suffix
regex = args.regex
admin_file = args.file
admin_users = []
if admin_file:
with open(admin_file) as i:
for line in i:
admin_users.append(line.rstrip())
if prefix:
prefix_pattern = re.compile(r'^((.*\\)?'+prefix+r'[^:]+):',re.IGNORECASE)
with open(pwdump) as pdump:
for line in pdump:
_username = prefix_pattern.match(line.rstrip())
if _username:
username = _username.group(1)
admin_users.append(username.rstrip())
if suffix:
suffix_pattern = re.compile(r'^([^:]+'+suffix+r'):',re.IGNORECASE)
with open(pwdump) as pdump:
for line in pdump:
_username = suffix_pattern.match(line.rstrip())
if _username:
username = _username.group(1)
admin_users.append(username.rstrip())
if regex:
regex_pattern = re.compile(r'^('+regex.strip("'")+'):',re.IGNORECASE)
with open(pwdump) as pdump:
for line in pdump:
_username = regex_pattern.match(line.rstrip())
if _username:
username = _username.group(1)
admin_users.append(username.rstrip())
if admin_file:
_admin_users = []
with open(admin_file) as a:
for line in a:
_admin_users.append(line.rstrip())
with open(pwdump) as pdump:
for line in pdump:
adminuser_pattern = re.compile(r'^((.*\\)?(' + '|'.join(_admin_users) + r')):', re.IGNORECASE)
_username = adminuser_pattern.match(line.rstrip())
if _username:
username = _username.group(1)
admin_users.append(username.rstrip())
hashes = {}
with open(pwdump) as infile:
for line in infile:
ntlmhash = line.split(':')[3]
lmhash = line.split(':')[2]
user = line.split(':')[0]
try:
hashes[ntlmhash].append(user)
except KeyError:
hashes[ntlmhash] = [user]
largest_group = 0
for hash in hashes:
if hash != '31d6cfe0d16ae931b73c59d7e0c089c0':
if len(hashes[hash]) > largest_group:
largest_group = len(hashes[hash])
print()
if len(admin_users) == 0:
for x in range(2,largest_group+1):
for hash in hashes:
if len(hashes[hash]) == x:
for user in hashes[hash]:
print(user)
print()
else:
for x in range(2,largest_group+1):
for hash in hashes:
if len(hashes[hash]) == x:
if any(user in admin_users for user in hashes[hash]):
for user in hashes[hash]:
print(user)
print()