dissect.target.plugins.os.windows.ad.ntds

Module Contents

Classes

NtdsPlugin

Plugin to parse NTDS.dit Active Directory database and extract user credentials.

Functions

extract_user_info

Extract generic information from a User or Computer account.

Attributes

dissect.target.plugins.os.windows.ad.ntds.GENERIC_FIELDS = [('string', 'cn'), ('string', 'upn'), ('string', 'sam_name'), ('string', 'sam_type'), ('string',...
dissect.target.plugins.os.windows.ad.ntds.NtdsUserRecord
dissect.target.plugins.os.windows.ad.ntds.NtdsComputerRecord
dissect.target.plugins.os.windows.ad.ntds.NtdsGPORecord
dissect.target.plugins.os.windows.ad.ntds.NTDS_PARAMETERS_REGISTRY_PATH = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters'
dissect.target.plugins.os.windows.ad.ntds.NTDS_PARAMETERS_DB_VALUE = 'DSA Database file'
dissect.target.plugins.os.windows.ad.ntds.DEFAULT_LM_HASH = 'aad3b435b51404eeaad3b435b51404ee'
dissect.target.plugins.os.windows.ad.ntds.DEFAULT_NT_HASH = '31d6cfe0d16ae931b73c59d7e0c089c0'
class dissect.target.plugins.os.windows.ad.ntds.NtdsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to parse NTDS.dit Active Directory database and extract user credentials.

This plugin extracts user password hashes, password history, Kerberos keys, and other authentication data from the NTDS.dit database found on Windows Domain Controllers.

__namespace__ = 'ad'

Defines the plugin namespace.

path
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

property ntds: dissect.database.ese.ntds.NTDS
users() → collections.abc.Iterator[NtdsUserRecord]

Extract all user accounts from the NTDS.dit database.

computers() → collections.abc.Iterator[NtdsComputerRecord]

Extract all computer accounts from the NTDS.dit database.

group_policies() → collections.abc.Iterator[NtdsGPORecord]

Extract all group policy objects (GPO) from the NTDS.dit database.

dissect.target.plugins.os.windows.ad.ntds.extract_user_info(user: dissect.database.ese.ntds.objects.User | dissect.database.ese.ntds.objects.Computer, target: dissect.target.target.Target) → dict[str, Any]

Extract generic information from a User or Computer account.
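One way to triage exported account records during a credential-hygiene review, using the DEFAULT_LM_HASH and DEFAULT_NT_HASH values listed above (the well-known LM and NT hashes of an empty password). This is an added example, not part of dissect's own code. The record keys `nt` and `lm`, the function name `triage`, and the sample records are assumptions constructed for illustration; only `sam_name` appears in GENERIC_FIELDS on this page.

```python
from collections import defaultdict

# Constant values as listed in the module attributes on this page.
DEFAULT_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
DEFAULT_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def triage(records, nt_key="nt", lm_key="lm", name_key="sam_name"):
    """Classify account dicts by hash hygiene; report names only, never hashes.

    nt_key and lm_key are assumed field names: adjust them to the real record.
    """
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for rec in records:
        name = rec.get(name_key) or "<unknown>"
        nt = (rec.get(nt_key) or "").lower()
        lm = (rec.get(lm_key) or "").lower()
        if nt == DEFAULT_NT_HASH:
            blank.append(name)            # NT hash of the empty password
        elif nt:
            by_nt[nt].append(name)        # group accounts by identical NT hash
        if lm and lm != DEFAULT_LM_HASH:
            lm_stored.append(name)        # a real LM hash is still stored
    shared = sorted(sorted(n) for n in by_nt.values() if len(n) > 1)
    return {
        "blank_password": sorted(blank),
        "lm_hash_stored": sorted(lm_stored),
        "shared_password": shared,
    }


# Constructed sample records: the hash values are placeholders, not real data.
SAMPLE = [
    {"sam_name": "alice", "nt": "11" * 16, "lm": DEFAULT_LM_HASH},
    {"sam_name": "bob", "nt": "11" * 16, "lm": DEFAULT_LM_HASH},
    {"sam_name": "svc_backup", "nt": DEFAULT_NT_HASH, "lm": DEFAULT_LM_HASH},
    {"sam_name": "legacy", "nt": "22" * 16, "lm": "33" * 16},
    {"sam_name": "WS01$", "nt": "44" * 16},
]

if __name__ == "__main__":
    for finding, accounts in triage(SAMPLE).items():
        print(f"{finding}: {accounts}")
```
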