Go Count Hashes

A common goal for Pentesters, Redteamers, Ransomware groups, those that exist in adversarial simulation or just the cyber crime space is to obtain an organisation's NTDS.dit file, where all the juicy details live, the NTDS.dit file contains usernames, hashes and a whole bunch of other things in it's database, Adversarially we just want the means to inherit credentials and identities.

This script isn't specific to NTLM hashes; it's just my use-case. The same principle can be applied to other contexts, counting hashes, deriving conclusions and/or focus points for cracking.

Traditionally we get the NTDS.dit file, parse it with Impacket's secretsdump.py, run Hashcat through all the hashes, and get ourselves some more access or compromise en-masse... depending on how weak the passwords are and how capable the cracking rig is. Most of us use Hashcat. The problem with Hashcat is that it doesn't give you the 'frequency of hash seen' in the list, and we're probably not going to get a post-cracking summary. I love Hashcat, I'm not throwing shade, but what I'm alluding to is that the 'frequency of hash seen' has value. It tells the security team that there's a password problem in the organisation. That password problem might be IT performing org-wide password resets in a way that isn't very considered, it might be that RBAC looks less useful because users are using the same password across multiple accounts varying in different access and importance, or it might be that the Joiners, Movers, Leavers process is broken and there are old accounts that need removing...but for attackers or offsec practitioners, the biggest concern is, how much access can I get from this lot?

I wrote a little Go script** that will take a list of flat hashes (hashes.txt), count the duplicates, and present you with the results. This will help you if you're up against the clock as an offsec person, and if you're purple/blue, it will highlight that the problem is there without even touching Hashcat (if you're sensitive to cracking those hashes for...$reasons)

You'll need Go; I'm using version go1.20.2 linux/amd64.

If you have this Go file in the same folder as your hashes.txt, it will automatically pull that file. If not, you will need to use the -p flag: 'go run hashcounter.go -p /path/to/hashes'

By default, it will list all duplicates. If you just want the top 10, 20, 40 (etc.) offenders, you can provide the -d flag: 'go run hashcounter.go -d 20' You can always run 'go run hashcounter.go -h'"

Running go run hashcounter -d 8 would show something like this:

You'll be left with the top duplicate hash offenders (or all if you don't use the -d switch) you'll have some Hash Statistics and Hash Duplicate volumes

If you're looking to do the whole thing end to end, here are some useful tips. But equally, you could get in touch. This script and focus are related to this post, but here are some nice resources to get those hashes, should you have the permission and privilege. Read this twice, then begin once your questions are answered internally - 'Extracting & Cracking the NTDS.DIT file' https://bond-o.medium.com/extracting-and-cracking-ntds-dit-2b266214f277

If you don't want to crack any of the hashes, I'd consider just extracting the hashes from the dump. You can do this with your favourite text processor; I'll use bash for the example. 'cat ntlm-extract.ntds | cut -f 4 -d ':' > hashes.txt'.

Or if you dont want to obtain the ntds.dit file, you can use this acompanying script to play along: https://github.com/yosignals/ditty

Have fun!

If you get stuck, you can always reach out.

• https://gist.github.com/yosignals/8baa95c6a9b2d1fe552d118fd7bc63d9
• https://github.com/fortra/impacket/blob/master/examples/secretsdump.py
• https://thecontractor.io/blog/bigger-organisational-benefits-of-password-cracking/
• https://bond-o.medium.com/extracting-and-cracking-ntds-dit-2b266214f277
• https://hashcat.net/hashcat/

All the code produced has been aided by ChatGPT, i'm not a programmer, I focus on the outcome, feel free to improve the code, i'm not a programmer.