
DPAT: Domain Password Audit Tool

2016-11-29 09:15

Project home page

https://github.com/clr2of8/DPAT

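Introduction

Many medium and large enterprises use domains to manage company computers, which is convenient and saves effort, and many systems also rely on domain accounts for login authentication, so the importance of those accounts is considerable. DPAT is a Python script that takes the oclHashcat.pot file of cracked passwords produced by oclHashcat, uses it to audit the domain accounts, and then generates an HTML report.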

Usage

Example

dpat.py -n customer.ntds -c oclHashcat.pot -g "Domain Admins.txt" "Enterprise Admins.txt"

("Domain Admins.txt" and "Enterprise Admins.txt" are optional.)

The customer.ntds file has the following format:

domain\username:RID:lmhash:nthash:::

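You can obtain this file by running the following command on a domain controller. Just make sure that c:\temp has enough free disk space to hold the output. The space required is only slightly larger than the Ntds.dit file itself, because the command backs up that file along with some registry settings.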

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q q

Then use the secretsdump.py script to convert the contents into the required format:

secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer

The command above creates a file named "customer.ntds", which is the file used for password cracking.

The oclHashcat file has the following format:

nthash:password

or

lmhashLeftOrRight:leftOrRightHalfPasswordUpcased

The -g option can be followed by files such as "Domain Admins.txt" and "Enterprise Admins.txt". These files can be the output of the PowerView PowerShell script, for example:

Get-NetGroupMember -GroupName "Domain Admins" > "Domain Admins.txt"

or, to read from another domain:

Get-NetGroupMember -GroupName "Enterprise Admins" -Domain "some.domain.com" -DomainController "DC01.some.domain.com" > "Enterprise Admins.txt"

The group files can also simply be lists of users in the following format:

domain\username
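The following Python example is added here and is not part of DPAT or the original post. It joins the three file formats described above (customer.ntds, oclHashcat.pot and a group list) into the kind of statistics a password audit reports; all account names, hashes and passwords are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
# Constructed sample inputs: fake accounts, fake hashes, fake passwords.
H1, H2, H3 = "1" * 32, "3" * 32, "4" * 32
NTDS = "\n".join([
    f"corp.local\\alice:1104:{EMPTY_LM}:{H1}:::",
    f"corp.local\\bob:1105:{EMPTY_LM}:{H1}:::",
    f"corp.local\\carol:1106:{'2' * 32}:{H2}:::",
    f"corp.local\\dave:1107:{EMPTY_LM}:{H3}:::",
])
POT = f"{H1}:Winter:2016\n{'2' * 16}:WINTER2\n"
ADMINS = ["corp.local\\bob", "corp.local\\dave"]  # contents of a "Domain Admins.txt"

def parse_ntds(text):
    """Yield (user, lmhash, nthash) from domain\\username:RID:lmhash:nthash::: lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0].lower(), parts[2].lower(), parts[3].lower()

def parse_pot(text):
    """Map nthash -> password, splitting on the first ':' (passwords may contain ':')."""
    pot = {}
    for line in text.splitlines():
        left, sep, password = line.partition(":")
        if sep and len(left) == 32:  # 16-character entries are LM halves, skipped here
            pot[left.lower()] = password
    return pot

def audit(ntds_text, pot_text, group_members):
    """Return audit statistics; cleartext passwords are deliberately left out."""
    accounts, pot = list(parse_ntds(ntds_text)), parse_pot(pot_text)
    members = {m.lower() for m in group_members}
    by_hash = defaultdict(list)
    for user, _, nt in accounts:
        by_hash[nt].append(user)
    cracked = sorted(u for u, _, nt in accounts if nt in pot)
    return {
        "total": len(accounts),
        "cracked": cracked,
        "group_cracked": [u for u in cracked if u in members],
        "lm_stored": sorted(u for u, lm, _ in accounts if lm != EMPTY_LM),
        "shared_hash": sorted(sorted(us) for us in by_hash.values() if len(us) > 1),
    }

if __name__ == "__main__":
    print(audit(NTDS, POT, ADMINS))
```

The result lists only account names: which accounts were cracked, which of those are in the privileged group, which still have an LM hash stored, and which share an NT hash and therefore a password.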

To have oclHashcat guess all 7-character passwords, use the following command:

./oclHashcat64.bin -m 3000 -a 3 customer.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

Use '-h' or '--help' to see all of the options DPAT supports:

usage: dpat.py [-h] -n NTDSFILE -c CRACKFILE [-o OUTPUTFILE]
               [-d REPORTDIRECTORY] [-w] [-s]
               [-g [GROUPLISTS [GROUPLISTS ...]]]

This script will perfrom a domain password audit based on an extracted NTDS
file and password cracking output such as oclHashcat.

optional arguments:
  -h, --help            show this help message and exit
  -n NTDSFILE, --ntdsfile NTDSFILE
                        NTDS file name (output from SecretsDump.py)
  -c CRACKFILE, --crackfile CRACKFILE
                        Password Cracking output in the default form output by
                        oclHashcat, such as oclHashcat.pot
  -o OUTPUTFILE, --outputfile OUTPUTFILE
                        The name of the HTML report output file, defaults to
                        _DomainPasswordAuditReport.html
  -d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY
                        Folder containing the output HTML files, defaults to
                        DPAT Report
  -w, --writedb         Write the SQLite database info to disk for offline
                        inspection instead of just in memory. Filename will be
                        "pass_audit.db"
  -s, --sanitize        Sanitize the report by partially redacting passwords
                        and hashes. Prepends the report directory with
                        "Sanitized - "
  -g [GROUPLISTS [GROUPLISTS ...]], --grouplists [GROUPLISTS [GROUPLISTS ...]]
                        The name of one or multiple files that contain lists
                        of usernames in particular groups. The group names
                        will be taken from the file name itself. The username
                        list must be in the same format as found in the NTDS
                        file such as some.ad.domain.com\username. Example: -g
                        "Domain Admins.txt" "Enterprise Admins.txt"

Source: www.mottoin.com/92787.html
