diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5f0f462 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +# build files +/build/ + +# IDE +/.vscode/ + diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..9e88b27 --- /dev/null +++ b/Makefile @@ -0,0 +1,15 @@ +TARGET_NAME=adhashcheck + +all: prepare build-windows build-linux + +prepare: + mkdir -p ./build/ + +clean: + rm -rf ./build/ + +build-linux: + GOOS=linux GOARCH=amd64 go build -o "./build/${TARGET_NAME}" + +build-windows: + GOOS=windows GOARCH=amd64 go build -o "./build/${TARGET_NAME}.exe" \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..d776d15 --- /dev/null +++ b/README.md @@ -0,0 +1,83 @@ +# ADHashCheck + +Compare the NTLM hashes of all Active Directory accounts to find: + +* accounts with same password +* same password for normal and administrative accounts + +The tool can read the NTLM hashes from a CSV file or from the NTDS.dit and SYSTEM registry hive. + +# Warning + +If you follow this guide, you extract all NTLM hashes from your Active Directory. These hashes can be used for authentication, so if someone gets access to it, **your Active Directory is fully compromised**. You are responsible to verify the integrity of the used third-party libraries and tools. + +HvS-Consulting AG is not liably for any damage caused by the use of this tool. + +Security tools also do not like this. + +# Use it + +## Get NTLM hashes + +### Option 1: Get ntds.dit and system registriy hive from DC + +Export the system registry hive: + + reg save HKLM\SYSTEM system.hive + +Get the ntds.dit (for example with FTKImager) + +### Option 2: DCSync + +The hashes can be collected with DCSync using [impacket's](https://github.com/SecureAuthCorp/impacket) secretsdump: + + python secretsdump.py -just-dc-ntlm /[:]@ > secretsdump.txt + +### Option 3: CSV file + +Got the hashes somehow different? The tool also accepts a CSV file in the format: + + username,hash + +## Analyze + +Depending on the input files, run: + +For the ntds.dit option: + + ./adhashcheck --ntds --system --output + +For the secretsdump option: + + ./adhashcheck --secretsdump --output + +For the CSV option: + + ./adhashcheck --csv --output + + +The output directory now contains three files: + +* `reuse.csv`: Password hashes that are used more than once (including count and usernames) +* `reuse-without-hash.csv`: Like `reuse.csv`, but without NTLM hashes +* `admins.csv`: Usernames of people who have the same password for their administrative accounts + +# Known issues + +* The reuse check of administrative accounts assumes a fixed naming scheme (username -> username + "adm") - See last function in `ad.go`. + +# License + +Copyright 2021 HvS-Consulting AG + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/ad.go b/ad.go new file mode 100644 index 0000000..7b1010c --- /dev/null +++ b/ad.go @@ -0,0 +1,199 @@ +package main + +import ( + "bufio" + "log" + "os" + "sort" + "strings" + + "github.com/C-Sto/gosecretsdump/pkg/ditreader" +) + +// AD stores the users and password hashes from Active Directory +type AD struct { + hashes map[string]string + + reuse []*ReusedPassword + adminReuse []string +} + +// NewAD returns a new AD instance +func NewAD() *AD { + ad := AD{} + + ad.hashes = make(map[string]string) + + return &ad +} + +// LoadHashesFromCSV loads the password hashes from a CSV file (comma separated) +func (ad *AD) LoadHashesFromCSV(filename string) error { + file, err := os.Open(filename) + if err != nil { + return err + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + line := scanner.Text() + + // split at ; + parts := strings.Split(line, ",") + if len(parts) != 2 { + log.Print("Ignoring line: " + line) + continue + } + + ad.hashes[parts[0]] = strings.ToLower(parts[1]) + } + + err = scanner.Err() + if err != nil { + return err + } + + return nil +} + +// LoadHashesFromSecretsdump loads the password hashes from a text file with the secretsdump output +func (ad *AD) LoadHashesFromSecretsdump(filename string) error { + file, err := os.Open(filename) + if err != nil { + return err + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + line := scanner.Text() + + // split at : + parts := strings.Split(line, ":") + if len(parts) != 7 { + continue + } + + ad.hashes[parts[0]] = strings.ToLower(parts[3]) + } + + err = scanner.Err() + if err != nil { + return err + } + + return nil +} + +// LoadHashesFromNTDS loads the password hashes from a file +func (ad *AD) LoadHashesFromNTDS(ntdsFile string, systemFile string) error { + dr, err := ditreader.New(systemFile, ntdsFile) + if err != nil { + return err + } + + data := dr.GetOutChan() + + for d := range data { + // check dh.UAC.AccountDisable ? + line := d.HashString() + parts := strings.Split(line, ":") + if len(parts) != 7 { + log.Print("Ignoring line: " + line) + continue + } + + ad.hashes[parts[0]] = strings.ToLower(parts[3]) + } + + return nil +} + +// Analyze runs the analysis of the collected password hashs +func (ad *AD) Analyze() { + ad.findReusedPasswords() + ad.findAdminReuse() +} + +// ReusedPasswords returns the reused passwords and according users +func (ad *AD) ReusedPasswords() []*ReusedPassword { + return ad.reuse +} + +// ReusedAdminAccounts returns the users which have the same password for their admin account +func (ad *AD) ReusedAdminAccounts() []string { + return ad.adminReuse +} + +// FindReusedPasswords searches for accounts that have the same password hash +func (ad *AD) findReusedPasswords() { + // a hashtable is used to easily check, whether the hash was found already or not + store := make(map[string]*ReusedPassword) + + // search + for user, hash := range ad.hashes { + // ignore empty ntlm hash + if hash == "31d6cfe0d16ae931b73c59d7e0c089c0" { + continue + } + + // store + _, reused := store[hash] + if reused { + store[hash].Add(user) + } else { + store[hash] = NewReusedPassword(user, hash) + } + } + + // count how many passwords are used more than once (so we know how big the result list is) + numReuses := 0 + for _, reusedpassword := range store { + if reusedpassword.Count > 1 { + numReuses++ + } + } + + // filter and convert to output format (list instead of hashmap) + result := make([]*ReusedPassword, numReuses) + counter := 0 + for _, reusedpassword := range store { + if reusedpassword.Count > 1 { + result[counter] = reusedpassword + counter++ + } + } + + // sort + sort.Slice(result, func(i, j int) bool { + return result[i].Count > result[j].Count + }) + + // done + ad.reuse = result +} + +// findAdminReuse searches for similar account names in reused passwords +func (ad *AD) findAdminReuse() { + // cannot run without data + if ad.reuse == nil { + return + } + + for _, reusedpassword := range ad.reuse { + for _, user := range reusedpassword.Users { + // look for non-admin accounts + if !strings.HasSuffix(user, "adm") { + // check if corresponding adm account is also in list + admUser := strings.ToLower(user + "adm") + for _, otherUser := range reusedpassword.Users { + if admUser == strings.ToLower(otherUser) { + // store it + ad.adminReuse = append(ad.adminReuse, user) + } + } + } + } + } +} diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..18aad19 --- /dev/null +++ b/go.mod @@ -0,0 +1,5 @@ +module github.com/hvs-consulting/adhashcheck + +go 1.15 + +require github.com/C-Sto/gosecretsdump v0.3.1 diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..a16547a --- /dev/null +++ b/go.sum @@ -0,0 +1,7 @@ +github.com/C-Sto/gosecretsdump v0.3.1 h1:UVYErqrUk5R+z83aWf1lF6U0l1YYIfMm9HP6kQrcevs= +github.com/C-Sto/gosecretsdump v0.3.1/go.mod h1:OT1LMtYzFEvBWtDfd+KaJzZ9KVwH9yLx0c27yd3W+uI= +golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w= +golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/main.go b/main.go new file mode 100644 index 0000000..79a7481 --- /dev/null +++ b/main.go @@ -0,0 +1,114 @@ +package main + +import ( + "bufio" + "flag" + "fmt" + "log" + "os" + "path" + "strings" +) + +func main() { + // parameters + var csvFile, secretsdumpFile, ntdsFile, systemFile, outDir string + flag.StringVar(&csvFile, "csv", "", "CSV file with hashes (comma separated username and hash)") + flag.StringVar(&secretsdumpFile, "secretsdump", "", "Direct output of impacket's secretsdump") + flag.StringVar(&ntdsFile, "ntds", "", "ntds.dit file") + flag.StringVar(&systemFile, "system", "", "system registry hive") + flag.StringVar(&outDir, "output", "", "output directory") + + flag.Parse() + + // load hashes + ad := NewAD() + + if csvFile != "" { + err := ad.LoadHashesFromCSV(csvFile) + if err != nil { + log.Fatal(err) + } + } else if secretsdumpFile != "" { + err := ad.LoadHashesFromSecretsdump(secretsdumpFile) + if err != nil { + log.Fatal(err) + } + } else if ntdsFile != "" && systemFile != "" { + err := ad.LoadHashesFromNTDS(ntdsFile, systemFile) + if err != nil { + log.Fatal(err) + } + } else { + log.Fatal("No input files") + } + + // analyze + ad.Analyze() + + // print output + if outDir != "" { + // create output directory + if _, err := os.Stat(outDir); os.IsNotExist(err) { + err := os.Mkdir(outDir, 0700) + if err != nil { + log.Fatal(err) + } + } + + // reused passwords + file, err := os.Create(path.Join(outDir, "reuse.csv")) + if err != nil { + log.Fatal(err) + } + defer file.Close() + + w := bufio.NewWriter(file) + for _, r := range ad.ReusedPasswords() { + line := fmt.Sprintf("%s,%d,%s", r.Hash, r.Count, strings.Join(r.Users, ";")) + fmt.Fprintln(w, line) + } + w.Flush() + + // reused passwords without hash + file, err = os.Create(path.Join(outDir, "reuse-without-hash.csv")) + if err != nil { + log.Fatal(err) + } + defer file.Close() + + w = bufio.NewWriter(file) + for _, r := range ad.ReusedPasswords() { + line := fmt.Sprintf("%d,%s", r.Count, strings.Join(r.Users, ";")) + fmt.Fprintln(w, line) + } + w.Flush() + + // admin accounts + file, err = os.Create(path.Join(outDir, "admins.csv")) + if err != nil { + log.Fatal(err) + } + defer file.Close() + + w = bufio.NewWriter(file) + for _, user := range ad.ReusedAdminAccounts() { + fmt.Fprintln(w, user) + } + w.Flush() + + } else { + fmt.Println("Reused passwords:") + for _, r := range ad.ReusedPasswords() { + if r.Count > 1 { + fmt.Println(r) + } + } + + fmt.Println() + fmt.Println("Same password for admin account:") + for _, r := range ad.ReusedAdminAccounts() { + fmt.Println(r) + } + } +} diff --git a/reusedPassword.go b/reusedPassword.go new file mode 100644 index 0000000..966c65f --- /dev/null +++ b/reusedPassword.go @@ -0,0 +1,35 @@ +package main + +import ( + "fmt" + "strings" +) + +// ReusedPassword is a password that is used by more than one user +type ReusedPassword struct { + Hash string + Count int + Users []string +} + +// NewReusedPassword creates a new ReusedPassword +func NewReusedPassword(user string, hash string) *ReusedPassword { + pw := ReusedPassword{} + + pw.Hash = hash + pw.Count = 1 + pw.Users = make([]string, 1) + pw.Users[0] = user + + return &pw +} + +// Add adds a new user to the reused password +func (reusedpassword *ReusedPassword) Add(user string) { + reusedpassword.Count++ + reusedpassword.Users = append(reusedpassword.Users, user) +} + +func (reusedpassword *ReusedPassword) String() string { + return fmt.Sprintf("%dx %s (%s)", reusedpassword.Count, reusedpassword.Hash, strings.Join(reusedpassword.Users, ",")) +}