Script to extract the cached credentials from SSSD, getting Active Directory credentials from Unix systems

ricardojoserf/SSSD-creds

SSSD-creds

This bash script extracts Active Directory account hashes when credential caching is enabled in SSSD.

bash analyze.sh [$path]

Without input arguments it uses the SSSD default path "/var/lib/sss/db/", but you can pass a different one. If tdbdump is not installed, the script only lists the ldb files that contain the hashes; you can then install it ("apt install tdb-tools") or exfiltrate these files.

On a system with tdbdump installed, the script extracts the cached accounts and hashes and dumps the results to the file "hashes.txt".

The hashes can then be cracked using Hashcat or John the Ripper:

john hashes.txt --format=sha512crypt
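
To check a host for the precondition this script relies on, the following added example (not part of SSSD-creds) reports which sssd.conf domains set cache_credentials to true and which .ldb cache files are readable by group or others. The function names and the sample config are constructed for illustration; cache_credentials is the sssd.conf domain option that enables credential caching.

```bash
#!/usr/bin/env bash
# Added audit example; not part of SSSD-creds. Function names are hypothetical.

# Print each [domain/NAME] in an sssd.conf that sets cache_credentials to true.
caching_domains() {
  awk '
    /^[ \t]*\[/ {                      # section header: remember its name
      sect = $0
      gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
      next
    }
    /^[ \t]*[#;]/ { next }             # commented-out settings do not count
    sect ~ /^domain\// {
      split($0, kv, "=")
      key = kv[1]; val = kv[2]
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == "cache_credentials" && tolower(val) == "true") {
        name = sect; sub(/^domain\//, "", name); print name
      }
    }
  ' "$1"
}

# List .ldb cache files in a directory that group or others can read.
exposed_cache_files() {
  find "$1" -type f -name '*.ldb' \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Constructed sample config (not taken from a real host).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[sssd]
domains = corp.example, lab.example

[domain/corp.example]
id_provider = ad
cache_credentials = True

[domain/lab.example]
id_provider = ad
# cache_credentials = True
cache_credentials = false
EOF
echo "Domains with credential caching enabled:"
caching_domains "$demo_conf"
db="${SSSD_DB:-/var/lib/sss/db}"       # default path named in the README
echo "Cache files in $db readable beyond the owner:"
exposed_cache_files "$db" || true
rm -f "$demo_conf"
```

On a real host, run it as root and pass /etc/sssd/sssd.conf to caching_domains; any domain it prints keeps password hashes in the cache files this README targets.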

Sources

I created the script after reading this presentation by Tim (Wadhwa-)Brown: Where 2 worlds collide - Bringing Mimikatz et al to UNIX
