From 923bbb5b2249f915ce165957b0ab5dad041e9bb0 Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Thu, 17 Oct 2024 10:34:22 -0700
Subject: [PATCH] Added file via upload.

---
 Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape

diff --git a/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape b/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape
new file mode 100644
index 000000000..99f780e61
--- /dev/null
+++ b/Modules/Apps/GitHub/NTLM_Hash_Dumper.mkape
@@ -0,0 +1,45 @@
+Description: NTLM Hash Dumper | NTLMv1/2
+Category: Passwords
+Author: DReneau
+Version: 1.0
+Id: fc897d04-9ec1-472c-97cd-f99feb39bbe9
+BinaryUrl: https://github.com/Retr0-code/hash-dumper/releases/download/v1.0.4/hash_dumper_v1.0.4_win64.zip
+ExportFormat: txt
+Processors:
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: |
+            $systemFile = Get-ChildItem -Path '%sourceDirectory%' -Filter 'SYSTEM' -Recurse | Select-Object -First 1;
+            $samFile = Get-ChildItem -Path '%sourceDirectory%' -Filter 'SAM' -Recurse | Select-Object -First 1;
+
+            if ($systemFile -and $samFile) {
+                & '%kapedirectory%\Modules\bin\hash_dumper.exe' --system $systemFile.FullName --sam $samFile.FullName;
+                Start-Sleep -Seconds 2;
+                $maxRetries = 3;
+                $retryCount = 0;
+                while ($retryCount -lt $maxRetries) {
+                    try {
+                        Out-File -FilePath '%destinationDirectory%\dumped_NTLM_hashes.txt' -Encoding utf8 -Append;
+                        break;
+                    } catch {
+                        Start-Sleep -Seconds 2;
+                        $retryCount++;
+                    }
+                }
+            } else {
+                Write-Host 'SAM or SYSTEM files not found.'
+            }
+        ExportFormat: txt
+        ExportFile: dumped_NTLM_hashes.txt
+
+# Documentation
+# https://github.com/Retr0-code/hash-dumper
+# This module extracts the Windows NTLM hashes for every user account. 
+# Point the 'module source' to the acquired "\Windows\System32\config" folder
+# Place the " hash_dumper_v1.0.4_win64.zip " archive into "Modules\bin" and extract hash_dumper.exe.
+# Remember: NTLM-hash 31d6cfe0d16ae931b73c59d7e0c089c0 means "blank"
+#
+# Windows NTLM hash dump utility written in C language, that supports Windows and Linux. Hashes can be dumped in realtime or from already saved SAM and SYSTEM hives.
+#
+# Example:
+# .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module ntlm_hash_dumper