ADCSync: dump NTLM hashes from user accounts in an Active Directory environment


ADCSync

ADCSync uses the ESC1 exploit (abuse of a certificate template that lets the enrollee supply an arbitrary subject alternative name) to dump NTLM hashes from user accounts in an Active Directory environment. The tool first collects every user and domain from the BloodHound dump file passed in. It then uses Certipy to request a certificate for each user and stores the resulting PFX file in the certificate directory. Finally, it uses Certipy to authenticate with each certificate and retrieve that user's NT hash. The process is slow and can take a long time to complete, but it offers an alternative way to dump NTLM hashes.

Installation

    git clone https://github.com/JPG0mez/adcsync.git
    cd adcsync
    pip3 install -r requirements.txt

Use

To use this tool we need the following things:

  1. Valid domain credentials
  2. A user list from a BloodHound dump, passed in with -f
  3. A template vulnerable to ESC1 (found with Certipy's find command)

    # python3 adcsync.py --help
    

    Usage: adcsync.py [OPTIONS]

    Options:
      -f, --file TEXT      Input User List JSON file from Bloodhound  [required]
      -o, --output TEXT    NTLM Hash Output file  [required]
      -ca TEXT             Certificate Authority  [required]
      -dc-ip TEXT          IP Address of Domain Controller  [required]
      -u, --user TEXT      Username  [required]
      -p, --password TEXT  Password  [required]
      -template TEXT       Template Name vulnerable to ESC1  [required]
      -target-ip TEXT      IP Address of the target machine  [required]
      --help               Show this message and exit.
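Because every certificate the tool obtains is requested by one enrolling account but names a different user in its subject alternative name, a run leaves a distinctive trail in AD CS issuance auditing. The following is an added detection example, not part of ADCSync or Certipy; it assumes issuance events have been flattened to one line per certificate with requester, template and SAN fields (a constructed layout, loosely modelled on audit event 4887) and flags any requester that obtains certificates for several other users' UPNs inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on AD CS audit event 4887 (request
# approved). The one-line field layout is an assumption; real event XML differs.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4887 Requester=CORP\\jdoe Template=ESC1Template SAN=upn:alice@corp.local
2024-05-01T10:00:04 EventID=4887 Requester=CORP\\jdoe Template=ESC1Template SAN=upn:bob@corp.local
2024-05-01T10:00:09 EventID=4887 Requester=CORP\\jdoe Template=ESC1Template SAN=upn:carol@corp.local
2024-05-01T10:30:00 EventID=4887 Requester=CORP\\svc-web Template=WebServer SAN=dns:web01.corp.local
2024-05-01T11:00:00 EventID=4887 Requester=CORP\\bob Template=User SAN=upn:bob@corp.local
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4887 Requester=(?P<req>\S+) "
                     r"Template=(?P<tpl>\S+) SAN=(?P<san>\S+)$")

def parse_events(log_text):
    """Return a list of (timestamp, requester, template, san_upn_or_None)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        san = m["san"]
        upn = san[4:].lower() if san.lower().startswith("upn:") else None
        events.append((datetime.fromisoformat(m["ts"]), m["req"].lower(), m["tpl"], upn))
    return events

def find_mass_enrollment(events, window=timedelta(minutes=10), threshold=3):
    """Map requester -> sorted foreign UPNs when >= threshold appear inside one window."""
    by_req = defaultdict(list)
    for ts, req, _tpl, upn in events:
        # Ignore non-UPN SANs and a requester's own UPN (normal for user templates).
        if upn is None or upn.split("@")[0] == req.split("\\")[-1]:
            continue
        by_req[req].append((ts, upn))
    flagged = {}
    for req, items in by_req.items():
        items.sort()
        hits, start = set(), 0
        for end in range(len(items)):  # sliding time window over the requests
            while items[end][0] - items[start][0] > window:
                start += 1
            upns = {u for _, u in items[start:end + 1]}
            if len(upns) >= threshold:
                hits |= upns
        if hits:
            flagged[req] = sorted(hits)
    return flagged
```

With the sample data, only the requester that obtained three certificates naming other users within seconds is reported; the web-server certificate and the user who enrolled for their own UPN are not.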


Source: https://github.com/JPG0mez/