Created
July 12, 2015 13:29
PoC for parsing a mimikatz report
#!/usr/bin/env ruby | |
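# Reopens String to add a multi-needle substring test used by the report parser below.
class String
  # Reports whether this string contains at least one of the given substrings.
  #
  # @param ary [Array<String>] candidate substrings
  # @return [Boolean] true if any element occurs in the string; false otherwise,
  #   including when the list is empty
  def includes?(ary)
    ary.any? { |el| include?(el) }
  end
end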
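# Matches an attribute line of the form "* Key : value" (constructed sample:
# "* Username : alice") and captures the key and the rest of the line.
PATTERN = %r{\*.(?<key>\w+)\s+:\s+(?<value>.*)}
# Section names whose attribute lines are collected.
ACCEPTED = %w(msv wdigest).freeze
# Any of these names on a line ends the section currently being collected.
SECTIONS = %w(msv wdigest kerberos ssp credman).freeze
# Only lines containing one of these attribute names are parsed.
KEYS = %w(Username Domain NTLM SHA1 Password LM).freeze

# The report path is the first command-line argument; fail with a usage
# message instead of a TypeError from IO.readlines(nil).
report_path = ARGV[0]
abort "usage: #{$PROGRAM_NAME} <report-file>" if report_path.nil?

# NOTE(review): the file is read with Ruby's default external encoding; a
# report saved in another encoding (e.g. UTF-16) would need transcoding
# first. Confirm against how the report was captured.
report_lines = IO.readlines(report_path)

# One hash per accepted section. A key that repeats inside a single section
# overwrites the earlier value, because the hash is keyed by attribute name.
credentials = []

report_lines.each_with_index do |line, index|
  next unless line.includes?(ACCEPTED)

  credential = {}
  sub_index = index
  loop do
    sub_index += 1
    next_item = report_lines[sub_index]

    # End of file or the start of any section closes the current record.
    if next_item.nil? || next_item.includes?(SECTIONS)
      credentials << credential unless credential.empty?
      break
    end

    next unless next_item.includes?(KEYS)

    rez = PATTERN.match(next_item.chomp.strip)
    # A line can mention a key name without having the "* Key : value" shape;
    # skip it rather than crash on a nil match.
    next unless rez

    credential[rez[:key]] = rez[:value]
  end
end

# The output holds the hashes and cleartext passwords found in the report.
# Treat it with the same handling as the report itself: keep it out of
# shared logs and unprotected files.
puts credentials.count
puts credentials.inspect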