forked from breakid/parseltongue
-
Notifications
You must be signed in to change notification settings - Fork 1
/
parseltongue.py
867 lines (637 loc) · 30.3 KB
/
parseltongue.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
#!/usr/bin/env python
#
# Copyright (C) 2019 Dan Breakiron
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from optparse import OptionParser
import sys
import os
import re
from datetime import datetime
from datetime import timedelta
import csv
from pprint import pprint
#==============================================================================
#******** CONFIGURABLE CONSTANTS ********
#==============================================================================
# CHANGE THESE TO CONTROL WHICH ATTRIBUTES ARE PARSED
# adspath is required and must appear at the end of the list
COMPUTER_ATTRIBS = ['dnshostname', 'operatingsystem', 'operatingsystemversion', 'operatingsystemservicepack', 'lastlogon', 'lastlogontimestamp', 'useraccountcontrol', 'description', 'memberof', 'primarygroupid', 'location', 'objectsid', 'adspath']
USER_ATTRIBS = ['samaccountname', 'name', 'userprinciplename', 'lastlogon', 'lastlogontimestamp', 'pwdlastset', 'admincount', 'useraccountcontrol', 'memberof', 'description', 'objectsid', 'primarygroupid', 'adspath']
GROUP_ATTRIBS = ['samaccountname', 'name', 'userprinciplename', 'objectsid', 'primarygroupid', 'description', 'memberof', 'adspath']
OU_ATTRIBS = ['name', 'managedby', 'description', 'gplink', 'adspath']
GPO_ATTRIBS = ['displayname', 'name', 'adspath']
#==============================================================================
#******** CONSTANTS ********
#==============================================================================
DSQUERY_COMPUTERS = 'dsquery * -filter "(objectclass=computer)" -attr %s -limit 0 -l' % ' '.join(COMPUTER_ATTRIBS)
DSQUERY_USERS = 'dsquery * -filter "(&(objectclass=user)(!(objectclass=computer)))" -attr %s -limit 0 -l' % ' '.join(USER_ATTRIBS)
DSQUERY_GROUPS = 'dsquery * -filter "(objectclass=group)" -attr %s -limit 0 -l' % ' '.join(GROUP_ATTRIBS)
DSQUERY_GPOS = 'dsquery * -filter "(objectclass=grouppolicycontainer)" -attr %s -limit 0 -l' % ' '.join(GPO_ATTRIBS)
DSQUERY_OUS = 'dsquery * -filter "(objectclass=organizationalunit)" -attr %s -limit 0 -l' % ' '.join(OU_ATTRIBS)
KV_PATT = re.compile('^(?P<key>.*?): (?P<value>.*)$')
#==============================================================================
#******** UTILITIES ********
#==============================================================================
def log(msg):
print(msg)
# TODO: Write to log file
def convert_uac(uac):
"""
Converts a numeric Active Directory userAccountControl value to a human-readable string
Args:
uac: A numeric Active Directory userAccountControl value
Returns:
A human-readable string representation of the given userAccountControl value
"""
if uac.strip() == '':
return ''
# Source: https://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/
UAC_FLAGS = {
'0x0001': "SCRIPT",
'0x0002': "ACCOUNTDISABLE",
'0x0008': "HOMEDIR_REQUIRED",
'0x0010': "LOCKOUT",
'0x0020': "PASSWD_NOTREQD",
'0x0040': "PASSWD_CANT_CHANGE",
'0x0080': "ENCRYPTED_TEXT_PWD_ALLOWED",
'0x0100': "TEMP_DUPLICATE_ACCOUNT",
'0x0200': "NORMAL_ACCOUNT",
'0x0202': "Disabled Account",
'0x0220': "Enabled, Password Not Required",
'0x0222': "Disabled, Password Not Required",
'0x0800': "INTERDOMAIN_TRUST_ACCOUNT",
'0x1000': "WORKSTATION_TRUST_ACCOUNT",
'0x2000': "SERVER_TRUST_ACCOUNT",
'0x10000': "DONT_EXPIRE_PASSWORD",
'0x10200': "Enabled, Password Doesn't Expire",
'0x10202': "Disabled, Password Doesn't Expire",
'0x10222': "Disabled, Password Doesn't Expire & Not Required",
'0x20000': "MNS_LOGON_ACCOUNT",
'0x40000': "SMARTCARD_REQUIRED",
'0x40200': "Enabled, Smartcard Required",
'0x40202': "Disabled, Smartcard Required",
'0x40222': "Disabled, Smartcard Required, Password Not Required",
'0x50202': "Disabled, Smartcard Required, Password Doesn't Expire",
'0x50222': "Disabled, Smartcard Required, Password Doesn't Expire & Not Required",
'0x80000': "TRUSTED_FOR_DELEGATION",
'0x82000': "Domain controller",
'0x100000': "NOT_DELEGATED",
'0x200000': "USE_DES_KEY_ONLY",
'0x400000': "DONT_REQ_PREAUTH",
'0x800000': "PASSWORD_EXPIRED",
'0x1000000': "TRUSTED_TO_AUTH_FOR_DELEGATION",
'0x04000000': "PARTIAL_SECRETS_ACCOUNT"
}
flags = []
for flag in UAC_FLAGS:
# Perform a bitwise XOR to determine if the flag is part of the UAC value
if int(uac) ^ int(flag, 16) == 0:
flags.append(UAC_FLAGS[flag])
return '\n'.join(sorted(flags))
def convert_nt_time(nt_time):
"""
Converts Windows NT time value to a human-readable datetime value
Args:
nt_time: A Windows NT time value
Returns:
A human-readable datetime value
"""
if nt_time.strip() == '':
return ''
try:
nt_time = int(nt_time)
if nt_time == 0:
return None
epoch_start = datetime(year=1601, month=1, day=1)
seconds_since_epoch = nt_time / 10 ** 7
timestamp = epoch_start + timedelta(seconds=seconds_since_epoch)
except ValueError:
timestamp = datetime.strptime(nt_time.split(".")[0], "%Y%m%d%H%M%S")
return timestamp.strftime('%Y-%m-%d %H:%M:%S')
def enhance_object(obj, creds=None, dns_data=None, gpo_data=None):
"""
Performs various conversions and enhancements of AD object data.
- Picks the more recent of lastLogon and lastLogonTimestamp, and converts it to a human-readable timestamp
- Converts pwdLastSet to a human-readable timestamp
- If DNS data was provided, adds IP entries to computer objects
Args:
obj: A dictionary containing attributes of an Active Directory object
dns_data (optional): A dictionary containing a hostname-to-IP mapping derived from dnscmd /zoneprint
Returns:
An enhanced Active Directory object (dictionary)
"""
GPO_NAME_PATT = re.compile('\{[0-9A-Fa-f\-]{36}\}')
# Attempt to derive name from various fields
name = ''
if 'samaccountname' in obj.keys():
name = obj['samaccountname']
if name == '' and 'name' in obj.keys():
name = obj['name']
if name == '' and 'dnshostname' in obj.keys():
name = obj['dnshostname'].split('.')[0]
if name == '':
log('[-] ERROR: Object contains no name field')
#pprint(obj)
# Add credential fields
if creds is not None:
if name in creds:
tmp_creds = creds[name]
del tmp_creds['username']
obj.update(tmp_creds)
elif name + '$' in creds:
# Add credential fields for computer accounts
tmp_creds = creds[name + '$']
del tmp_creds['username']
obj.update(tmp_creds)
if 'lastlogon' in obj.keys() and 'lastlogontimestamp' in obj.keys():
obj['lastlogon'] = convert_nt_time(max(obj['lastlogon'], obj['lastlogontimestamp']))
del obj['lastlogontimestamp']
elif 'lastlogontimestamp' in obj.keys():
obj['lastlogon'] = convert_nt_time(obj['lastlogontimestamp'])
del obj['lastlogontimestamp']
elif 'lastlogon' in obj.keys():
obj['lastlogon'] = convert_nt_time(obj['lastlogon'])
if 'pwdlastset' in obj.keys():
obj['pwdlastset'] = convert_nt_time(obj['pwdlastset'])
if 'useraccountcontrol' in obj.keys():
obj['useraccountcontrol'] = convert_uac(obj['useraccountcontrol'])
# If DNS data was provided, add the computer's IP
if dns_data is not None:
hostname = name.upper()
if hostname in dns_data and 'ip' in dns_data[hostname]:
# Account for multiple IP addresses per host
obj['ip'] = '\n'.join(set(dns_data[hostname]['ip']))
else:
# Set a default so CSV writer doesn't get angry if its
obj['ip'] = ''
# Replace values in gplink with
if gpo_data is not None and 'gplink' in obj.keys():
gpos = []
gpo_names = GPO_NAME_PATT.findall(obj['gplink'])
for name in gpo_names:
if name in gpo_data:
gpos.append(gpo_data[name])
else:
# All GPOs should be found, but just in case, it's good to know if data is missing
gpos.append(name)
obj['gpos'] = '\n'.join(gpos)
del obj['gplink']
return obj
def merge_creds(dict1, dict2):
"""
Merges two dictionaries containing credentials so no values are overridden
Args:
dict1: One dictionary containing credentials
dict2: A seccond dictionary containing credentials
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary is a combination of values from dict1 and dict2; any values from dict2 not in dict1, are added as-is
"""
for user in dict1:
if user in dict2:
dict1[user].update(dict2[user])
del dict2[user]
# Merge any remaining users that weren't in dict1
dict1.update(dict2)
return dict1
def write_output(output_prefix, data_type, objects, fieldnames = ['username', 'plaintext', 'ntlm', 'aes128', 'aes256', 'comment']):
"""
Writes structured Active Directory data to a CSV file
Args:
output_prefix: The output directory and filename prefix where the CSV data will be written
objects: A generic list of dictionaries containing keys defined in 'fieldnames'
fieldnames: An ordered list of object attributes; these will be the columns names in the CSV file
"""
if len(objects) > 0:
output_filepath = '%s_%s.csv' % (output_prefix, data_type)
log('[*] Writing output to: %s' % output_filepath)
try:
with open(output_filepath, 'wb') as csvfile:
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
writer.writerows(objects)
# If a credential file was parsed, output a bonus file formatted for password cracker ingestion
if data_type == 'creds':
with open('%s_%s.txt' % (output_prefix, 'password_cracker_ingest'), 'wb') as csvfile:
writer = csv.DictWriter(csvfile, fieldnames=['username', 'ntlm'], delimiter=':')
# Have to create new dictionary in case creds have other fields like plaintext, aes128, or aes256
for obj in objects:
writer.writerow({'username': obj['username'], 'ntlm': obj['ntlm']})
except IOError as e:
raw_input('[-] Write failed; do you have the file open?')
write_output(output_prefix, data_type, objects, fieldnames)
else:
log('[*] No %s detected; skipping...' % data_type)
log(' If you think this is a mistakes, try checking that your file encoding is UTF-8')
#==============================================================================
#******** DNS PARSER ********
#==============================================================================
def parse_dnscmd(filepath):
"""
Reads and parses output from "dnscmd /zoneprint" to create a dictionary of hostnames and their associated IPs, CNAMEs, and FQDNs
Args:
filepath: The path to a file containing output from a "dnscmd /zoneprint" command
Returns:
objects: A list of dictionaries, each representing a hostname and the associated IPs, CNAMEs, and FQDNs
hostname_map: A dictionary containing a mapping of hostnames to IPs, CNAMEs, and FQDNs
"""
log('[*] Parsing DNSCMD output from: %s' % filepath)
# Regex for A records
A_REC_PATT = re.compile('^(?P<hostname>[a-zA-Z0-9\-]*?)\s.+?\s?\d*\sA\s(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$')
# Regex for CNAME records
CNAME_REC_PATT = re.compile('^(?P<alias>[a-zA-Z0-9\-]*?)\s[.+?\s]?\d*\sCNAME\s(?P<fqdn>[a-zA-Z0-9\-\.]*)$')
zone = ''
objects = []
hostname_map = {}
with open(filepath, 'r') as zone_file:
for line in zone_file.readlines():
line = line.strip()
if '; Zone:' in line:
zone = line.split(':')[1].strip().upper()
a_rec = A_REC_PATT.search(line)
if a_rec is not None:
a_rec = a_rec.groupdict()
hostname = a_rec['hostname'].upper()
ip = a_rec['ip']
# Skip FORESTDNSZONES and DOMAINDNSZONES (not sure what these are for)
if hostname.endswith('DNSZONES'):
continue
# Save the IP in a list to gracefully handle multiple IPs per hostname
if hostname in hostname_map:
hostname_map[hostname]['ip'].append(ip)
else:
hostname_map[hostname] = {
'ip': [ip],
'fqdn': ['%s.%s' % (hostname, zone)],
'cname': []
}
else:
cname = CNAME_REC_PATT.search(line)
if cname is not None:
cname = cname.groupdict()
fqdn = cname['fqdn'].strip('.').upper()
hostname = fqdn.split('.')[0]
alias = cname['alias'].upper()
# Save the CNAME and FQDN in lists to gracefully handle multiples
if hostname in hostname_map:
hostname_map[hostname]['fqdn'].append(fqdn)
hostname_map[hostname]['cname'].append(alias)
else:
#print('[-] ERROR: CNAME without A record...is this even possible?')
hostname_map[hostname] = {
'ip': [],
'fqdn': [fqdn],
'cname': [alias]
}
# TODO
# - Add other record types records (PTR, SRV, etc.)
# Populate objects in case no other options were specified
for name in hostname_map.keys():
obj = {
'hostname': name
}
# Add other fields (if applicable), use set() to ensure only unique values
if 'ip' in hostname_map[name]:
obj['ip'] = '\n'.join(set(hostname_map[name]['ip']))
if 'fqdn' in hostname_map[name]:
obj['fqdn'] = '\n'.join(set(hostname_map[name]['fqdn']))
if 'cname' in hostname_map[name]:
obj['cname'] = '\n'.join(set(hostname_map[name]['cname']))
objects.append(obj)
return objects, hostname_map
#==============================================================================
#******** CREDENTIAL PARSERS ********
#==============================================================================
def parse_hashdump(filepath):
"""
Parses output from a hashdump (in pwdump format) into a dictionary
Args:
filepath: The path to a file containing output from a pwdump hashdump
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary contains the username and NTLM
"""
log('[*] Parsing hashdump output from: %s' % filepath)
user_hash_map = {}
with open(filepath, 'r') as hashdump:
for line in hashdump.readlines():
if ':' in line:
(username, rid, lm_hash, nt_hash) = line.split(':')[:4]
ntlm = nt_hash.upper()
user_hash_map[username] = {'username': username, 'ntlm': ntlm}
return user_hash_map
def parse_lsadump(filepath):
"""
Parses output from Mimikatz lsadump into a dictionary
Args:
filepath: The path to a file containing output from Mimikatz lsadump
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary contains the username and NTLM
"""
log('[*] Parsing lsadump output from: %s' % filepath)
user_hash_map = {}
username = ''
with open(filepath, 'r') as lsadump:
for line in lsadump.readlines():
if 'User : ' in line:
username = KV_PATT.search(line).groupdict()['value']
elif 'NTLM : ' in line:
ntlm = KV_PATT.search(line).groupdict()['value'].upper()
user_hash_map[username] = {'username': username, 'ntlm': ntlm}
username = ''
return user_hash_map
def parse_export(filepath, domain):
"""
Parses exported Cobalt Strike credentials into a dictionary
Args:
filepath: The path to a Cobalt Strike credential export file
domain: NT domain
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary contains username, NTLM, and plaintext passwords
"""
log('[*] Parsing Cobalt Strike credential export from: %s' % filepath)
NTLM_PATT = re.compile('^(?P<realm>.*?)\\\\(?P<username>.*?):::(?P<ntlm>[a-fA-F0-9]{32}):::$')
PLAIN_PATT = re.compile('^(?P<realm>.*)\\\\(?P<username>.*?) (?P<plaintext>.*)$')
user_hash_map = {}
with open(filepath, 'r') as hashdump:
for line in hashdump.readlines():
line = line.strip()
data = NTLM_PATT.search(line)
if data is not None:
data = data.groupdict()
realm = data['realm']
username = data['username']
ntlm = data['ntlm']
if realm == domain:
if username in user_hash_map:
user_hash_map[username]['ntlm'] = ntlm
else:
user_hash_map[username] = {'username': username, 'ntlm': ntlm}
else:
data = PLAIN_PATT.search(line)
if data is not None:
data = data.groupdict()
realm = data['realm']
username = data['username']
plaintext = data['plaintext']
if realm == domain:
if username in user_hash_map:
user_hash_map[username]['plaintext'] = plaintext
else:
user_hash_map[username] = {'username': username, 'plaintext': plaintext}
return user_hash_map
def parse_dcsync(filepath):
"""
Parses output from Mimikatz dcsync into a dictionary
Args:
filepath: The path to a file containing output from Mimikatz dcsync
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary contains the username, NTLM, aes128, and aes246 hashes (if they exist)
"""
log('[*] Parsing dcsync output from: %s' % filepath)
user_hash_map = {}
obj = {}
with open(filepath, 'r') as lsadump:
for line in lsadump.readlines():
if 'SAM Username : ' in line:
obj['username'] = KV_PATT.search(line).groupdict()['value']
else:
# Ensure the username is set before parsing hashes (prevents entry getting overwritten with values from OldCredentials
if 'username' in obj:
if 'Hash NTLM: ' in line:
obj['ntlm'] = KV_PATT.search(line).groupdict()['value'].upper()
elif 'aes256_hmac (4096) :' in line:
obj['aes256'] = KV_PATT.search(line).groupdict()['value'].upper()
elif 'aes128_hmac (4096) :' in line:
obj['aes128'] = KV_PATT.search(line).groupdict()['value'].upper()
user_hash_map[obj['username']] = obj
# Entry is finish, reset object; require username to get reset before parsing more hashes so that aes256_hmac and aes128_hmac don't get overwritte by old credentials
obj = {}
return user_hash_map
def parse_logonpasswords(filepath):
"""
Parses output from Mimikatz logonpasswords into a dictionary
Args:
filepath: The path to a file containing output from Mimikatz logonpasswords
Returns:
A dictionary of dictionaries, where the primary key is the username and the assocatiated dictionary contains username, NTLM and plaintext passwords
"""
log('[*] Parsing logonpasswords output from: %s' % filepath)
user_hash_map = {}
obj = {}
with open(filepath, 'r') as lsadump:
for line in lsadump.readlines():
if 'User Name : ' in line:
username = KV_PATT.search(line).groupdict()['value']
if username not in ['(null)', 'LOCAL SERVICE', 'DWM-1']:
obj['username'] = username
# Initialize NTLM so password cracker output doesn't get angry
obj['ntlm'] = ''
elif obj and 'NTLM : ' in line:
obj['ntlm'] = KV_PATT.search(line).groupdict()['value'].upper()
elif obj and 'Password : ' in line and not obj['username'].endswith('$'):
# Save plaintext password if it's not null or for a computer account (< 128)
# Use regex to make sure we get the entire password, even if it ends with a space
password = KV_PATT.search(line).groupdict()['value']
if password != '(null)' and len(password) < 128:
obj['plaintext'] = password
elif obj and 'credman :' in line:
# Last line of the entry, save the current object to the dictionary if the hash was populated, and reset the object for the next entry
if obj['ntlm'] != '':
# Warn user if a duplicate is detected; since the data is saved to a hash, a duplicate will overwrite the original
if obj['username'] in user_hash_map:
log('\n[*] IMPORTANT: Duplicate username (%s) detected in logonpasswords; manually verify which hash is accurate\n' % obj['username'])
user_hash_map[obj['username']] = obj
obj = {}
return user_hash_map
#=============================================================================
#******** DSQUERY PARSERS ********
#=============================================================================
def parse_objects(filepath, fieldnames, creds = None, dns_data = None, gpo_data=None):
"""
Reads output from a dsquery command and parses into a list of dictionaries, each representing an AD object; attempts to enhance the raw data
Args:
filepath: The path to a file containing output from a dsquery command
fieldnames: The list of expected object attributes; the last object in the list is used to delimit object entries; it MUST exist AND be unique
Returns:
A list of dictionaries representing Active Directory objects
"""
log('[*] Parsing dsquery output from: %s' % filepath)
objects = []
obj = {}
with open(filepath, 'r') as dsquery_file:
data = dsquery_file.read()
# Strip out extraneous data introduced by Cobalt Strike
data = data.replace('received output:\n', '').replace('received output:\r\n', '')
for line in data.split('\n'):
data = KV_PATT.search(line)
if data is not None:
data = data.groupdict()
key = data['key'].lower()
value = data['value'].strip()
# Sanity check to prevent the CSV reader from getting angry that the data contains fields not in fieldnames
if key in fieldnames:
# Gracefully handle multiples of the same key
if key in obj.keys():
obj[key] = obj[key] + '\n' + value
else:
obj[key] = value
# Save the object when the last entry is read and re-initialize the object
# IMPORTANT: The last element must be unique, otherwise objects won't be delimited properly
if key == fieldnames[-1]:
obj = enhance_object(obj, creds, dns_data, gpo_data)
objects.append(obj)
obj = {}
return objects
def main():
parser = OptionParser()
parser.add_option("-c", "--computers", dest="computer", help="Dsquery for computers")
parser.add_option("-d", "--dns", dest="dns", help="Output from dnscmd /zoneprint")
parser.add_option("--dcsync", dest="dcsync", help="File containing one or more DCsyncs")
parser.add_option("-e", "--export", dest="export", help="Cobalt Strike credentials export")
parser.add_option("-g", "--groups", dest="group", help="Dsquery for groups")
parser.add_option("--gpos", dest="gpo", help="Dsquery for GPOs")
parser.add_option("--hashdump", dest="hashdump", help="Hashdump (pwdump format)")
parser.add_option("-l", "--logonpasswords", dest="logonpasswords", help="Mimikatz logonpasswords")
parser.add_option("-m", "--lsadump", dest="lsadump", help="Mimikatz lsadump")
parser.add_option("-n", "--ntdomain", dest="nt_domain", help="NT domain")
parser.add_option("-o", "--ous", dest="ou", help="Dsquery for OUs")
parser.add_option("--output", dest="output_path", help="Output directory", default=".")
parser.add_option("-u", "--users", dest="user", help="Dsquery output containing users")
(options, args) = parser.parse_args()
# Handle option errors
if len(sys.argv) == 1:
print("""
QUICK REFERENCE:
REQUIRED:
-n <nt_domain>
OPTIONAL:
-c <computers dsquery>
-d <path to dnscmd /zoneprint output>
--dcsync <file containing one or more dcsyncs>
-e <Cobalt Strike credentials export>
-g <groups dsquery>
--gpos <GPO dsquery>
--hashdump <hashdump>
-l <file containing one or more logonpasswords>
-m <mimikatz_lsadump>
-o <OUs dsquery>
--output <path to output directory>
-u <users dsquery>
-------------------------------------------------------------------
DSQUERY COMMANDS:
COMPUTERS:
{1}
USERS:
{2}
GROUPS:
{3}
OUs:
{4}
GPOs:
{5}
-------------------------------------------------------------------
USAGE:
{0} -s
- Displays dsquery commands to run to generate expected output
{0} -o <output directory> -n <nt_domain> -d <path to dnscmd /zoneprint output>
- Generates a list of hostname / IP / CNAME mappings from dnscmd /zoneprint output
{0} -o <output directory> -n <nt_domain> --hashdump <hashdump>
- Generates a list of hostname / IP / CNAME mappings from dnscmd /zoneprint output
{0} -o <output directory> -n <nt_domain> -c <path to computers dsquery> [-d <path to dnscmd /zoneprint output>]
- Generates a table containing computer objects, optionally include IPs parsed from a dnscmd /zoneprint file
{0} -o <output directory> -n <nt_domain> -u <path to users dsquery>
- Generates a CSV file containing user objects, optionally include passwords and hashes if applicable files are included
""".format(sys.argv[0], DSQUERY_COMPUTERS, DSQUERY_USERS, DSQUERY_GROUPS, DSQUERY_OUS, DSQUERY_GPOS))
sys.exit(0)
elif options.output_path is None:
print('[-] ERROR: No output directory specified')
sys.exit(1)
elif options.nt_domain is None:
print('[-] ERROR: No NT domain specified')
sys.exit(1)
objects = None
dns_data = None
gpo_data = None
creds = {}
gpo_data = {}
outfile_path = os.path.join(options.output_path, '%s_%s' % (options.nt_domain, datetime.now().strftime('%Y-%m-%d')))
# Parse DNS data
if options.dns is not None:
(objects, dns_data) = parse_dnscmd(options.dns)
fieldnames = ['hostname', 'ip', 'fqdn', 'cname']
# Write output to CSV file
write_output(outfile_path, 'DNS', objects, fieldnames)
# Parse hashdump
if options.hashdump is not None:
creds = parse_hashdump(options.hashdump)
# Parse lsadump
if options.lsadump is not None:
creds = merge_creds(creds, parse_lsadump(options.lsadump))
# Parse Cobalt Strike credentials export
if options.export is not None:
creds = merge_creds(creds, parse_export(options.export, options.nt_domain))
# Parse dcsync
if options.dcsync is not None:
creds = merge_creds(creds, parse_dcsync(options.dcsync))
# Parse logonpasswords
if options.logonpasswords is not None:
creds = merge_creds(creds, parse_logonpasswords(options.logonpasswords))
objects = [cred_obj for (username, cred_obj) in creds.items()]
# Write output to CSV file
write_output(outfile_path, 'creds', objects)
# Parse GPO data
if options.gpo is not None:
fieldnames = GPO_ATTRIBS
objects = parse_objects(options.gpo, fieldnames)
for obj in objects:
gpo_data[obj['name']] = obj['displayname']
# Write output to CSV file
write_output(outfile_path, 'GPOs', objects, fieldnames)
# Parse OU data
if options.ou is not None:
fieldnames = OU_ATTRIBS
objects = parse_objects(options.ou, fieldnames, gpo_data=gpo_data)
if options.gpo is not None:
fieldnames.remove('gplink')
fieldnames.insert(-1, 'gpos')
# Write output to CSV file
write_output(outfile_path, 'OUs', objects, fieldnames)
# Parse group data
if options.group is not None:
fieldnames = GROUP_ATTRIBS
objects = parse_objects(options.group, fieldnames)
# Write output to CSV file
write_output(outfile_path, 'groups', objects, fieldnames)
# Parse computer data
if options.computer is not None:
fieldnames = COMPUTER_ATTRIBS
objects = parse_objects(options.computer, fieldnames, creds, dns_data)
fieldnames.insert(0, 'ip')
# Remove lastLogonTimestamp because it's merged with lastLogon
fieldnames.remove('lastlogontimestamp')
fieldnames += ['ntlm', 'aes128', 'aes256', 'comment']
# Write output to CSV file
write_output(outfile_path, 'computers', objects, fieldnames)
# Parse user data
if options.user is not None:
fieldnames = USER_ATTRIBS
objects = parse_objects(options.user, fieldnames, creds)
# Remove lastLogonTimestamp because it's merged with lastLogon
fieldnames.remove('lastlogontimestamp')
fieldnames += ['plaintext', 'ntlm', 'aes128', 'aes256', 'comment']
# Write output to CSV file
write_output(outfile_path, 'users', objects, fieldnames)
log('[+] Done!')
if __name__ == "__main__":
main()