diff --git a/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape b/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape new file mode 100644 index 000000000..99f780e61 --- /dev/null +++ b/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape @@ -0,0 +1,45 @@ +Description: NTLM Hash Dumper | NTLMv1/2 +Category: Passwords +Author: DReneau +Version: 1.0 +Id: fc897d04-9ec1-472c-97cd-f99feb39bbe9 +BinaryUrl: https://github.com/Retr0-code/hash-dumper/releases/download/v1.0.4/hash_dumper_v1.0.4_win64.zip +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: | + $systemFile = Get-ChildItem -Path '%sourceDirectory%' -Filter 'SYSTEM' -Recurse | Select-Object -First 1; + $samFile = Get-ChildItem -Path '%sourceDirectory%' -Filter 'SAM' -Recurse | Select-Object -First 1; + + if ($systemFile -and $samFile) { + & '%kapedirectory%\Modules\bin\hash_dumper.exe' --system $systemFile.FullName --sam $samFile.FullName; + Start-Sleep -Seconds 2; + $maxRetries = 3; + $retryCount = 0; + while ($retryCount -lt $maxRetries) { + try { + Out-File -FilePath '%destinationDirectory%\dumped_NTLM_hashes.txt' -Encoding utf8 -Append; + break; + } catch { + Start-Sleep -Seconds 2; + $retryCount++; + } + } + } else { + Write-Host 'SAM or SYSTEM files not found.' + } + ExportFormat: txt + ExportFile: dumped_NTLM_hashes.txt + +# Documentation +# https://github.com/Retr0-code/hash-dumper +# This module extracts the Windows NTLM hashes for every user account. +# Point the 'module source' to the acquired "\Windows\System32\config" folder +# Place the " hash_dumper_v1.0.4_win64.zip " archive into "Modules\bin" and extract hash_dumper.exe. +# Remember: NTLM-hash 31d6cfe0d16ae931b73c59d7e0c089c0 means "blank" +# +# Windows NTLM hash dump utility written in C language, that supports Windows and Linux. Hashes can be dumped in realtime or from already saved SAM and SYSTEM hives. +# +# Example: +# .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module ntlm_hash_dumper