Created
September 24, 2019 19:11
parses pypykatz's json output for plaintext and hashed creds
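#!/bin/bash
# Prerequisites: jq, and the pypykatz JSON output files (*.json) in the
# current working directory.
#
# out.csv collects plaintext passwords and NT hashes, so everything this
# script creates is made readable by the owner only.
umask 077
# Create the CSV file and write its header row (truncates an existing out.csv).
printf '%s\n' 'source,type,domain,username,result' >out.csv
# Truncation keeps the mode of a pre-existing out.csv; tighten it explicitly.
chmod 600 out.csv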
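# Drop the first and the last line of stdin.
# In this script that removes the "[" and "]" lines jq prints around a
# pretty-printed, non-empty array.
# Inputs:  stdin  - text
# Outputs: stdout - the text without its first and last line
sedfl() {
  sed '1d;$d'
}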
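# Join every group of three consecutive stdin lines into one line,
# separating the former lines with a single space.
# Inputs:  stdin  - text, three lines per record
# Outputs: stdout - one line per record
join3l() {
  # N;N pulls the next two lines into the pattern space; the substitution
  # then turns the two embedded newlines into spaces.
  sed 'N;N;s/\n/ /g'
}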
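# Delete every space character from stdin.
# NOTE(review): this also removes spaces that are part of a value (for
# example a password containing a space), so such values are altered.
# Inputs:  stdin  - text
# Outputs: stdout - the text with all spaces removed
noblanks() {
  tr -d ' '
}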
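# Delete every double-quote character from stdin.
# NOTE(review): quotes that belong to a value are removed as well.
# Inputs:  stdin  - text
# Outputs: stdout - the text with all '"' characters removed
noquotes() {
  tr -d '"'
}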
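# Run the whole clean-up chain on stdin: strip the first and last line,
# join each group of three lines, remove spaces and double quotes, then
# sort and de-duplicate the resulting rows.
# NOTE(review): the field separators are the commas of jq's array output,
# so a row presumably keeps a trailing comma unless it came from the last
# array element, and values containing spaces, quotes or commas are
# altered. Emitting rows with jq's @csv would avoid both - confirm.
# Inputs:  stdin  - jq's pretty-printed array of strings
# Outputs: stdout - unique comma-separated rows, sorted
cleanup() {
  sedfl | join3l | noblanks | noquotes | sort -u
}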
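# Prefix every stdin row with "<filename>,credman," and append it to out.csv.
# The file name is written with printf rather than spliced into a sed
# replacement, where "&" and "\" in the name would be treated as sed syntax.
# Globals: filename (read) - name of the JSON file being processed
# Inputs:  stdin - cleaned rows
# Outputs: appends to out.csv in the current directory
fnCRED() {
  local row
  while IFS= read -r row || [ -n "$row" ]; do
    printf '%s,credman,%s\n' "$filename" "$row"
  done >>out.csv
}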
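# Prefix every stdin row with "<filename>,nthash," and append it to out.csv.
# The file name is written with printf rather than spliced into a sed
# replacement, where "&" and "\" in the name would be treated as sed syntax.
# Globals: filename (read) - name of the JSON file being processed
# Inputs:  stdin - cleaned rows
# Outputs: appends to out.csv in the current directory
fnNTLM() {
  local row
  while IFS= read -r row || [ -n "$row" ]; do
    printf '%s,nthash,%s\n' "$filename" "$row"
  done >>out.csv
}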
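# Prefix every stdin row with "<filename>,ssp," and append it to out.csv.
# The file name is written with printf rather than spliced into a sed
# replacement, where "&" and "\" in the name would be treated as sed syntax.
# Globals: filename (read) - name of the JSON file being processed
# Inputs:  stdin - cleaned rows
# Outputs: appends to out.csv in the current directory
fnSSP() {
  local row
  while IFS= read -r row || [ -n "$row" ]; do
    printf '%s,ssp,%s\n' "$filename" "$row"
  done >>out.csv
}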
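# Prefix every stdin row with "<filename>,kerberos," and append it to out.csv.
# The file name is written with printf rather than spliced into a sed
# replacement, where "&" and "\" in the name would be treated as sed syntax.
# Globals: filename (read) - name of the JSON file being processed
# Inputs:  stdin - cleaned rows
# Outputs: appends to out.csv in the current directory
fnKRB() {
  local row
  while IFS= read -r row || [ -n "$row" ]; do
    printf '%s,kerberos,%s\n' "$filename" "$row"
  done >>out.csv
}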
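### Main loop: convert every JSON report in the current directory.
for filename in *.json; do
  # With no matching file the glob stays literal; skip that non-existent name.
  [ -e "$filename" ] || continue
  printf 'Processing: %s\n' "$filename"
  # The report's top-level key is looked up as the file name with a .dmp
  # extension. Replace only the trailing ".json": a global json->dmp
  # substitution would also rewrite "json" elsewhere in the name.
  keyname="${filename%.json}.dmp"
  # Each jq call flattens one credential type into domain, username and
  # secret strings; cleanup shapes them into rows and the fn* helper tags
  # each row with its source file and type before appending to out.csv.
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].credman_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnCRED
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].msv_creds[]|.domainname,.username,.NThash)' "./$filename" | cleanup | fnNTLM
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].ssp_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnSSP
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].kerberos_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnKRB
done
echo 'csv output complete'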