
@seajaysec
Created September 24, 2019 19:11
parses pypykatz's json output for plaintext and hashed creds
#!/bin/bash
# prereqs: jq, all the dumps in current working dir
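# Create the CSV file and write the header row.
# out.csv ends up holding cleartext passwords and NT hashes, so it is created
# owner-only: umask covers a fresh file, chmod covers a pre-existing out.csv
# whose mode would otherwise survive the truncating redirect.
umask 077
printf '%s\n' "source,type,domain,username,result" >out.csv
chmod 600 out.csv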
#######################################
# Drop the first and the last line of stdin.
# In this script the input is jq's pretty-printed array, whose first and
# last lines are the opening and closing brackets.
# Outputs: the remaining lines on stdout
#######################################
sedfl() {
  sed -e '1d' -e '$d'
}
#######################################
# Merge each run of three stdin lines into one line, separated by spaces.
# Each N appends the next input line to sed's pattern space; the final
# substitution turns the two embedded newlines into spaces.
# Outputs: one line per group of three on stdout
#######################################
join3l() {
  sed -e 'N' -e 'N' -e 's/\n/ /g'
}
#######################################
# Delete every space character from stdin.
# This removes all spaces, not only indentation: a space inside a value
# (for example inside a password) is deleted as well.
# Outputs: the stream without spaces on stdout
#######################################
noblanks() {
  local -r blank=' '
  tr -d "$blank"
}
#######################################
# Delete every double-quote character from stdin.
# Quotes inside a value are removed too; a quote that jq escaped as \"
# leaves its backslash behind.
# Outputs: the stream without double quotes on stdout
#######################################
noquotes() {
  local -r dquote='"'
  tr -d "$dquote"
}
#######################################
# Turn jq's pretty-printed array (stdin) into unique "domain,username,value"
# rows: strip the bracket lines, join every three lines, delete spaces and
# double quotes, then sort and de-duplicate.
# NOTE(review): spaces and quotes are stripped from the whole line, so a
# secret containing either is altered, and a comma inside a value shifts
# the CSV columns. Verify such rows against the source JSON.
# Outputs: sorted, de-duplicated rows on stdout
#######################################
cleanup() {
  sedfl \
    | join3l \
    | noblanks \
    | noquotes \
    | sort -u
}
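#######################################
# Prefix every stdin row with "<source file>,credman," and append it to
# out.csv.
# The prefix is emitted with printf rather than spliced into a sed program,
# so a file name containing '&' or '\' is written literally instead of being
# interpreted as sed replacement syntax.
# Globals:   filename (read) - name of the JSON file being processed
# Outputs:   appends rows to out.csv in the current directory
#######################################
fnCRED() {
  local row
  while IFS= read -r row || [[ -n "$row" ]]; do
    printf '%s,credman,%s\n' "$filename" "$row"
  done >>out.csv
}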
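#######################################
# Prefix every stdin row with "<source file>,nthash," and append it to
# out.csv.
# The prefix is emitted with printf rather than spliced into a sed program,
# so a file name containing '&' or '\' is written literally instead of being
# interpreted as sed replacement syntax.
# Globals:   filename (read) - name of the JSON file being processed
# Outputs:   appends rows to out.csv in the current directory
#######################################
fnNTLM() {
  local row
  while IFS= read -r row || [[ -n "$row" ]]; do
    printf '%s,nthash,%s\n' "$filename" "$row"
  done >>out.csv
}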
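#######################################
# Prefix every stdin row with "<source file>,ssp," and append it to out.csv.
# The prefix is emitted with printf rather than spliced into a sed program,
# so a file name containing '&' or '\' is written literally instead of being
# interpreted as sed replacement syntax.
# Globals:   filename (read) - name of the JSON file being processed
# Outputs:   appends rows to out.csv in the current directory
#######################################
fnSSP() {
  local row
  while IFS= read -r row || [[ -n "$row" ]]; do
    printf '%s,ssp,%s\n' "$filename" "$row"
  done >>out.csv
}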
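#######################################
# Prefix every stdin row with "<source file>,kerberos," and append it to
# out.csv.
# The prefix is emitted with printf rather than spliced into a sed program,
# so a file name containing '&' or '\' is written literally instead of being
# interpreted as sed replacement syntax.
# Globals:   filename (read) - name of the JSON file being processed
# Outputs:   appends rows to out.csv in the current directory
#######################################
fnKRB() {
  local row
  while IFS= read -r row || [[ -n "$row" ]]; do
    printf '%s,kerberos,%s\n' "$filename" "$row"
  done >>out.csv
}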
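### loop
# For every *.json file in the current directory, pull the credman, msv, ssp
# and kerberos credential triples out of the object stored under the dump's
# key and append them to out.csv.
for filename in *.json; do
  # With no match the glob stays literal; skip it instead of feeding the
  # pattern itself to jq.
  [[ -e "$filename" ]] || continue
  printf 'Processing: %s\n' "$filename"
  # The top-level key is the dump name. Swap only the trailing .json for .dmp;
  # replacing every "json" substring would corrupt a name that contains
  # "json" elsewhere.
  keyname="${filename%.json}.dmp"
  # keyname is passed with --arg, so it is data to jq and never part of the
  # filter program. File arguments are quoted so names containing spaces or
  # glob characters reach jq intact.
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].credman_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnCRED
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].msv_creds[]|.domainname,.username,.NThash)' "./$filename" | cleanup | fnNTLM
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].ssp_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnSSP
  jq -r --arg kn "$keyname" '.[$kn] | map(.[].kerberos_creds[]|.domainname,.username,.password)' "./$filename" | cleanup | fnKRB
done
printf '%s\n' 'csv output complete'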