revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.
requires hashcat and impacket (or the python3-impacket package).
from pypi:
pipx install revealhashed
from github:
pipx install git+https://github.com/crosscutsaw/revealhashed-python
from deb package:
wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed_0.1.4_all.deb; apt install ./revealhashed_0.1.4_all.deb
from whl package:
wget https://github.com/crosscutsaw/revealhashed-python/releases/latest/download/revealhashed-0.1.4-py3-none-any.whl; pipx install revealhashed-0.1.4-py3-none-any.whl
grab the revealhashed binary from here.
revealhashed v0.1.4
usage: revealhashed [-h] [-r] {dump,reveal} ...
positional arguments:
{dump,reveal}
dump Dump NTDS using ntdsutil then reveal credentials with it
reveal Use your own NTDS dump then reveal credentials with it
options:
-h, --help show this help message and exit
-r, --reset Delete old files in ~/.revealhashed
just execute revealhashed -r to remove the contents of ~/.revealhashed.
revealhashed v0.1.4
usage: revealhashed dump [-h] [-debug] [-hashes HASHES] [-no-pass] [-k] [-aesKey AESKEY] [-dc-ip DC_IP] [-codec CODEC] -w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...] [-e] [-nd] [-csv] target
this command runs zblurx's ntdsutil.py to dump ntds safely, then performs the usual revealhashed operations on the result.
-w (wordlist) switch is required. one or more wordlists can be supplied.
-e (enabled-only) switch is recommended; it shows only enabled users.
-nd (no-domain) switch hides domain names in usernames.
-csv (csv) switch saves the output as csv in addition to txt.
for example:
revealhashed dump '<domain>/<username>:<password>'@<dc_ip> -w wordlist1.txt wordlist2.txt -e -nd -csv
revealhashed v0.1.4
usage: revealhashed reveal [-h] [-ntds NTDS] [-nxc] [-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]] [-e] [-nd] [-csv]
options:
-h, --help show this help message and exit
-ntds NTDS Path to .ntds file
-nxc Scan $HOME/.nxc/logs/ntds for .ntds files
-w WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...], --wordlists WORDLIST WORDLIST2 [WORDLIST WORDLIST2 ...]
Wordlists to use with hashcat
-e, --enabled-only Only show enabled accounts
-nd, --no-domain Don't display domain in usernames
-csv Save output in CSV format
this command expects an ntds file, either supplied by the user or found in netexec's logs, then performs the usual revealhashed operations on it.
the ntds file should contain usernames and hashes (a text dump), not the raw ntds.dit database. an example ntds dump can be obtained from the repo.
either the -ntds or the -nxc switch is required. -ntds points to a hash file you already have; -nxc scans the ~/.nxc/logs/ntds directory and lets you select a .ntds file from it.
-w (wordlist) switch is required. one or more wordlists can be supplied.
-e (enabled-only) switch is recommended; it shows only enabled users.
-nd (no-domain) switch hides domain names in usernames.
-csv (csv) switch saves the output as csv in addition to txt.
for example:
revealhashed reveal -ntds <ntds_file>.ntds -w wordlist1.txt -e -nd -csv
revealhashed reveal -nxc -w wordlist1.txt -e -nd -csv
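as an added illustration of what the reveal step does (example code written for this page, not the project's own), here is a small parser that correlates a usernames-and-hashes dump with a hashcat potfile, honouring the -e and -nd behaviours described above. the "domain\user:rid:lmhash:nthash:::" line format with a trailing "(status=...)" suffix, the potfile "nthash:plain" format, and the sample lines and hashes are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample dump in the "domain\user:rid:lmhash:nthash:::" line format, with the
# "(status=...)" suffix assumed to be appended by the dumping tool; hashes are made up.
SAMPLE_NTDS = """\
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Enabled)
CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222::: (status=Enabled)
CORP\\olduser:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222::: (status=Disabled)
CORP\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333::: (status=Disabled)
"""
# Constructed hashcat potfile content (one "nthash:plain" line per cracked hash).
SAMPLE_POTFILE = "22222222222222222222222222222222:Summer2024!\n"
NTDS_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
    r"(?:\s*\(status=(?P<status>Enabled|Disabled)\))?\s*$"
)
@dataclass
class Account:
    username: str
    nt_hash: str
    enabled: Optional[bool]          # None when the dump carries no status suffix
    password: Optional[str] = None   # None when hashcat did not crack the hash
def parse_potfile(text: str) -> Dict[str, str]:
    """Map lowercase NT hash -> plaintext; split on the first ':' only (passwords may contain ':')."""
    cracked: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, _, plain = line.partition(":")
        if plain.startswith("$HEX[") and plain.endswith("]"):   # hashcat's escape for odd bytes
            plain = bytes.fromhex(plain[5:-1]).decode("utf-8", "replace")
        cracked[h.strip().lower()] = plain
    return cracked
def reveal(ntds_text, potfile_text, enabled_only=False, no_domain=False) -> List[Account]:
    """Correlate every dump line with the potfile, mirroring the -e and -nd switches."""
    cracked = parse_potfile(potfile_text)
    accounts: List[Account] = []
    for line in ntds_text.splitlines():
        m = NTDS_LINE.match(line)
        if not m:
            continue   # blank lines or lines not in the dump format are skipped
        enabled = None if m["status"] is None else m["status"] == "Enabled"
        if enabled_only and enabled is not True:
            continue   # an unknown status is excluded rather than guessed
        user = m["user"].split("\\", 1)[1] if no_domain and "\\" in m["user"] else m["user"]
        accounts.append(Account(user, m["nt"].lower(), enabled, cracked.get(m["nt"].lower())))
    return accounts
```

accounts sharing an NT hash (svc_backup and olduser above) resolve to the same cracked password, which is how password reuse shows up in the combined view.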