hekatomb


Namehekatomb JSON
Version 1.5.2.3 PyPI version JSON
download
home_pagehttps://github.com/ProcessusT/HEKATOMB
SummaryPython library to extract and decrypt all credentials from all domain computers
upload_time2024-07-19 16:32:50
maintainerProcessus Thief
docs_urlNone
authorProcessus Thief
requires_python<4.0,>=3.7
licenseGPL-3.0-only
keywords hekatomb dpapi windows blob masterkey activedirectory credentials
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # The HEKATOMB project

<div align="center">
  <br>
  <img src="https://img.shields.io/badge/Python-3.11-informational">
  <br>
  <a href="https://twitter.com/intent/follow?screen_name=ProcessusT" title="Follow"><img src="https://img.shields.io/twitter/follow/ProcessusT?label=ProcessusT&style=social"></a>
  <br>
  <h1>
    Because Domain Admin rights are not enough.<br />
                Hack them all.<br />
                🐍
  </h1>
  <br><br>
</div>

> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations.<br />
> Then it will download all DPAPI blob of all users from all computers.<br />
>	Finally, it will extract domain controller private key through RPC uses it to decrypt all credentials.<br />
> <br />
> 
<br>
<div align="center">
<img src="https://github.com/ProcessusT/HEKATOMB/raw/main/.assets/hekatomb_v1.4.png" width="80%;">
</div>
<br>


## Changelog
<br />
On last version (V 1.5) :<br />
- Fix local packages importation error with pip installation<br />
- Prevent crash when no computers are reachable<br />
- Prevent null domain or null domain extension<br />
<br />
V 1.4 :<br />
- Fix LDAP search limitation to 1000 items<br />
- Add LDAP filter for computers to select only "Enabled" computers<br />
- Add function to scan SMB port with multi thread prior to get blob and master key files<br />
- Add a progress bar for files collection<br />
- Added 2 function modules to simplify code readability and maintainability<br />
<br />
V 1.3 :<br />
- Compare LDAP usernames with SMB users folders before trying to retrieve blob files to get them faster<br />
- DNSTCP option is no more used, DNS resolution is trying on UDP first and with TCP if it fails<br />
<br />
V 1.2.1 :<br />
- Use of the ldap3 library instead of Impacket for LDAP requests<br />
- Fix a bug that prevented querying trusted domains via an external domain account with administrator rights on the trusted domain controller<br />
- Add -smb2 parameter to force the use of SMBv2 protocol when it is available<br />
- LDAP and SMB communications are now more difficult to detect on the network<br />
<br />
V 1.2.1 :<br />
- Add installation with Pypi<br />
<br />
V 1.2 :<br />
- Increase the LDAP results limit of users or computers extraction (1000 previously)<br />
- Add the possibility to specify a user or a computer to target<br />
- Add the possibility to export results to a CSV file<br />
<br />
V 1.1 :<br />
- Domain controller private key extraction through RPC<br />
- Credentials classification by computers and by users<br />

<br /><br />

## What da fuck is this ?
<br />
On Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as "blob" files in user AppData folder.<br />
Outside of a domain, the user's password hash is used to encrypt these "blobs".<br />
When you are in an Active Directory environment, the Data Protection API uses the domain controller's public key to encrypt these blobs.<br />
With the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the workstations in the domain.<br />
<br />
Hekatomb automates the search for blobs and the decryption to recover all domain users' secrets ☠️
<br />
<br />

## Installation
<br>
From Pypi for Debian-based :
<br><br>

```python
pip3 install hekatomb
```


<br>
From BlackArch :
<br><br>

```python
pacman -S hekatomb
```

[![BlackArch package](https://repology.org/badge/version-for-repo/blackarch/hekatomb.svg)](https://repology.org/project/hekatomb/versions)

<br>

From github :
<br><br>

```python
git clone https://github.com/ProcessusT/HEKATOMB
cd HEKATOMB
poetry install
poetry run hekatomb
```
<br>
<br>


## Usage
<br>
Hekatomb uses Impacket syntax :
<br><br>

```python
usage: hekatomb [-h] [-hashes LMHASH:NTHASH] [-pvk PVK] [-dns DNS] [-dnstcp] [-port [port]] [-just-user JUST_USER] [-just-computer JUST_COMPUTER] [-md5] [-debug] [-debugmax] target

Script used to automate domain computers and users extraction from LDAP and extraction of domain controller private key through RPC to collect and decrypt all users' DPAPI secrets saved in Windows credential manager.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address of DC>

options:
  -h, --help            Show this help message and exit

authentication:
  -hashes LMHASH:NTHASH     NTLM hashes, format is LMHASH:NTHASH

authentication:
  -pvk PVK                  Domain backup keys file
  -dns DNS                  DNS server IP address to resolve computers hostname
  -port [port]              Port to connect to SMB Server
  -smb2                     Force the use of SMBv2 protocol
  -just-user [USERNAME]     Test only specified username
  -just-computer [COMPUTER] Test only specified computer
  -md5                      Print md5 hash insted of clear passwords

verbosity:
  -csv                  Output the results in csv
  -debug                Turn DEBUG output ON
  -debugmax             Turn DEBUG output TO MAAAAXXXX
```

<br>
<br>

## Example

<br>

```python
hekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug 
```

<br>
<br>
    
## How to retrieve domain backup keys ?

<br />
If no domain backup keys are provided, the script will retrieve it through RPC


            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/ProcessusT/HEKATOMB",
    "name": "hekatomb",
    "maintainer": "Processus Thief",
    "docs_url": null,
    "requires_python": "<4.0,>=3.7",
    "maintainer_email": "hekatomb@thiefin.fr",
    "keywords": "hekatomb, dpapi, windows, blob, masterkey, activedirectory, credentials",
    "author": "Processus Thief",
    "author_email": "hekatomb@thiefin.fr",
    "download_url": "https://files.pythonhosted.org/packages/40/85/bcb75429667ac36362bc4291746b0b3b1415e1e01183670392b657d17501/hekatomb-1.5.2.3.tar.gz",
    "platform": null,
    "description": "# The HEKATOMB project\n\n<div align=\"center\">\n  <br>\n  <img src=\"https://img.shields.io/badge/Python-3.11-informational\">\n  <br>\n  <a href=\"https://twitter.com/intent/follow?screen_name=ProcessusT\" title=\"Follow\"><img src=\"https://img.shields.io/twitter/follow/ProcessusT?label=ProcessusT&style=social\"></a>\n  <br>\n  <h1>\n    Because Domain Admin rights are not enough.<br />\n                Hack them all.<br />\n                \ud83d\udc0d\n  </h1>\n  <br><br>\n</div>\n\n> Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations.<br />\n> Then it will download all DPAPI blob of all users from all computers.<br />\n>\tFinally, it will extract domain controller private key through RPC uses it to decrypt all credentials.<br />\n> <br />\n> \n<br>\n<div align=\"center\">\n<img src=\"https://github.com/ProcessusT/HEKATOMB/raw/main/.assets/hekatomb_v1.4.png\" width=\"80%;\">\n</div>\n<br>\n\n\n## Changelog\n<br />\nOn last version (V 1.5) :<br />\n- Fix local packages importation error with pip installation<br />\n- Prevent crash when no computers are reachable<br />\n- Prevent null domain or null domain extension<br />\n<br />\nV 1.4 :<br />\n- Fix LDAP search limitation to 1000 items<br />\n- Add LDAP filter for computers to select only \"Enabled\" computers<br />\n- Add function to scan SMB port with multi thread prior to get blob and master key files<br />\n- Add a progress bar for files collection<br />\n- Added 2 function modules to simplify code readability and maintainability<br />\n<br />\nV 1.3 :<br />\n- Compare LDAP usernames with SMB users folders before trying to retrieve blob files to get them faster<br />\n- DNSTCP option is no more used, DNS resolution is trying on UDP first and with TCP if it fails<br />\n<br />\nV 1.2.1 :<br />\n- Use of the ldap3 library instead of Impacket for LDAP requests<br />\n- Fix a bug that prevented querying trusted domains via an external domain account with administrator rights on the trusted domain controller<br />\n- Add -smb2 parameter to force the use of SMBv2 protocol when it is available<br />\n- LDAP and SMB communications are now more difficult to detect on the network<br />\n<br />\nV 1.2.1 :<br />\n- Add installation with Pypi<br />\n<br />\nV 1.2 :<br />\n- Increase the LDAP results limit of users or computers extraction (1000 previously)<br />\n- Add the possibility to specify a user or a computer to target<br />\n- Add the possibility to export results to a CSV file<br />\n<br />\nV 1.1 :<br />\n- Domain controller private key extraction through RPC<br />\n- Credentials classification by computers and by users<br />\n\n<br /><br />\n\n## What da fuck is this ?\n<br />\nOn Windows, credentials saved in the Windows Credentials Manager are encrypted using Microsoft's Data Protection API and stored as \"blob\" files in user AppData folder.<br />\nOutside of a domain, the user's password hash is used to encrypt these \"blobs\".<br />\nWhen you are in an Active Directory environment, the Data Protection API uses the domain controller's public key to encrypt these blobs.<br />\nWith the extracted private key of the domain controller, it is possible to decrypt all the blobs, and therefore to recover all the secrets recorded in the Windows identification manager of all the workstations in the domain.<br />\n<br />\nHekatomb automates the search for blobs and the decryption to recover all domain users' secrets \u2620\ufe0f\n<br />\n<br />\n\n## Installation\n<br>\nFrom Pypi for Debian-based :\n<br><br>\n\n```python\npip3 install hekatomb\n```\n\n\n<br>\nFrom BlackArch :\n<br><br>\n\n```python\npacman -S hekatomb\n```\n\n[![BlackArch package](https://repology.org/badge/version-for-repo/blackarch/hekatomb.svg)](https://repology.org/project/hekatomb/versions)\n\n<br>\n\nFrom github :\n<br><br>\n\n```python\ngit clone https://github.com/ProcessusT/HEKATOMB\ncd HEKATOMB\npoetry install\npoetry run hekatomb\n```\n<br>\n<br>\n\n\n## Usage\n<br>\nHekatomb uses Impacket syntax :\n<br><br>\n\n```python\nusage: hekatomb [-h] [-hashes LMHASH:NTHASH] [-pvk PVK] [-dns DNS] [-dnstcp] [-port [port]] [-just-user JUST_USER] [-just-computer JUST_COMPUTER] [-md5] [-debug] [-debugmax] target\n\nScript used to automate domain computers and users extraction from LDAP and extraction of domain controller private key through RPC to collect and decrypt all users' DPAPI secrets saved in Windows credential manager.\n\npositional arguments:\n  target                [[domain/]username[:password]@]<targetName or address of DC>\n\noptions:\n  -h, --help            Show this help message and exit\n\nauthentication:\n  -hashes LMHASH:NTHASH     NTLM hashes, format is LMHASH:NTHASH\n\nauthentication:\n  -pvk PVK                  Domain backup keys file\n  -dns DNS                  DNS server IP address to resolve computers hostname\n  -port [port]              Port to connect to SMB Server\n  -smb2                     Force the use of SMBv2 protocol\n  -just-user [USERNAME]     Test only specified username\n  -just-computer [COMPUTER] Test only specified computer\n  -md5                      Print md5 hash insted of clear passwords\n\nverbosity:\n  -csv                  Output the results in csv\n  -debug                Turn DEBUG output ON\n  -debugmax             Turn DEBUG output TO MAAAAXXXX\n```\n\n<br>\n<br>\n\n## Example\n\n<br>\n\n```python\nhekatomb -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug \n```\n\n<br>\n<br>\n    \n## How to retrieve domain backup keys ?\n\n<br />\nIf no domain backup keys are provided, the script will retrieve it through RPC\n\n",
    "bugtrack_url": null,
    "license": "GPL-3.0-only",
    "summary": "Python library to extract and decrypt all credentials from all domain computers",
    "version": "1.5.2.3",
    "project_urls": {
        "Bug Tracker": "https://github.com/ProcessusT/HEKATOMB/issues",
        "Documentation": "https://github.com/ProcessusT/HEKATOMB",
        "Homepage": "https://github.com/ProcessusT/HEKATOMB",
        "Repository": "https://github.com/ProcessusT/HEKATOMB"
    },
    "split_keywords": [
        "hekatomb",
        " dpapi",
        " windows",
        " blob",
        " masterkey",
        " activedirectory",
        " credentials"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "1aefaaf083b780cf8fd30a63e17b772a43e89e7f1a826bd942a5e9b5645d546a",
                "md5": "1e487d74fd7d4ff12aea5d4f11dec611",
                "sha256": "c688bb205eed3017c8eb85f01bd5f36eee30a02e9ace8c9c6d51cfa2e47541ef"
            },
            "downloads": -1,
            "filename": "hekatomb-1.5.2.3-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "1e487d74fd7d4ff12aea5d4f11dec611",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": "<4.0,>=3.7",
            "size": 26578,
            "upload_time": "2024-07-19T16:32:49",
            "upload_time_iso_8601": "2024-07-19T16:32:49.337586Z",
            "url": "https://files.pythonhosted.org/packages/1a/ef/aaf083b780cf8fd30a63e17b772a43e89e7f1a826bd942a5e9b5645d546a/hekatomb-1.5.2.3-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "4085bcb75429667ac36362bc4291746b0b3b1415e1e01183670392b657d17501",
                "md5": "baacf0d26c84056890d9ce1ce1b4d944",
                "sha256": "3975c84e47c060814a27b8ab998fa0c125d1e2a154040309303b6018350eb49a"
            },
            "downloads": -1,
            "filename": "hekatomb-1.5.2.3.tar.gz",
            "has_sig": false,
            "md5_digest": "baacf0d26c84056890d9ce1ce1b4d944",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "<4.0,>=3.7",
            "size": 26227,
            "upload_time": "2024-07-19T16:32:50",
            "upload_time_iso_8601": "2024-07-19T16:32:50.911548Z",
            "url": "https://files.pythonhosted.org/packages/40/85/bcb75429667ac36362bc4291746b0b3b1415e1e01183670392b657d17501/hekatomb-1.5.2.3.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-07-19 16:32:50",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "ProcessusT",
    "github_project": "HEKATOMB",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "lcname": "hekatomb"
}
        
Elapsed time: 3.51531s