ADCSync: dump NTLM hashes from user accounts in an Active Directory environment
ADCSync uses the ESC1 exploit to dump NTLM hashes from user accounts in an Active Directory environment. The tool will first grab every user and domain in the Bloodhound dump file passed in. Then it will use Certipy to make a request for each user and store their PFX file in the certificate directory. Finally, it will use Certipy to authenticate with the certificate and retrieve the NT hash for each user. This process is quite slow and can take a while to complete but offers an alternative way to dump NTLM hashes.
git clone https://github.com/JPG0mez/adcsync.git
pip3 install -r requirements.txt
To use this tool we need the following things:
- Valid Domain Credentials
- A user list from a bloodhound dump that will be passed in.
- A template vulnerable to ESC1 (Found with Certipy find)