Post Exploitation
Tags: ldap, dpapi, credentials, domain, decryption, smb

Hekatomb

Hekatomb connects to an LDAP directory to retrieve all computers and users' information, downloads DPAPI blobs from all users on all computers, and decrypts them using Domain backup keys. It automates extraction of domain controller private keys through RPC to collect and decrypt users' DPAPI secrets from Windows credential manager.

Description

Hekatomb is a Python script designed for advanced post-exploitation in Active Directory environments. It requires Domain Admin rights in order to extract credentials from all domain computers. The tool targets the DPAPI blobs stored by users, which contain sensitive data such as passwords saved in Windows Credential Manager.

Use cases include red team engagements where the operator already holds domain admin access and needs to harvest credentials at scale without targeting individual machines by hand. It streamlines the process of identifying and decrypting secrets across the entire domain, aiding lateral movement and privilege escalation.

The script outputs the decrypted credentials, with options to export them to CSV or to print MD5 hashes instead of plaintext for safer handling. Its ASCII art tagline emphasizes that Domain Admin rights alone are not the end of the story: Hekatomb lets you hack 'them all'.

How It Works

Hekatomb authenticates to the target domain controller over SMB (SMBv2 can be forced) using the supplied credentials, either a password or NTLM hashes. It queries LDAP for all domain computers and users, resolving hostnames through the specified DNS server if needed. For each computer, it downloads the users' DPAPI blobs over SMB/RPC, then decrypts them with the domain controller's DPAPI backup key, either read from a supplied backup keys file (-pvk) or extracted from the DC via RPC, revealing the credentials stored in Windows Credential Manager. The debug modes provide verbose logging of the LDAP, SMB, and decryption steps.

Installation

```bash
sudo apt install hekatomb
```

Flags

| Flag | Description |
|------|-------------|
| `-h`, `--help` | show this help message and exit |
| `-hashes LMHASH:NTHASH` | NTLM hashes, format is LMHASH:NTHASH |
| `-pvk PVK` | Domain backup keys file |
| `-dns DNS` | DNS server IP address to resolve computers hostname |
| `-port [port]` | Port to connect to SMB Server |
| `-smb2` | Force the use of SMBv2 protocol |
| `-just-user JUST_USER` | Test only specified username |
| `-just-computer JUST_COMPUTER` | Test only specified computer |
| `-md5` | Print md5 hash instead of clear passwords |
| `-csv` | Export results to CSV file |
| `-debug` | Turn DEBUG output ON |
| `-debugmax` | Turn DEBUG output TO MAAAAXXXX |

Examples

Display the full help message and usage information for hekatomb:

```bash
hekatomb -h
```

Run hekatomb against a domain controller using the specified credentials to extract and decrypt all DPAPI blobs from domain computers:

```bash
hekatomb [[domain/]username[:password]@]<targetName or address of DC>
```

Authenticate with NTLM hashes instead of a password:

```bash
hekatomb -hashes LMHASH:NTHASH target
```

Use a provided Domain backup keys file for DPAPI decryption:

```bash
hekatomb -pvk backupkeys.pvk target
```

Specify a DNS server for hostname resolution and force the SMBv2 protocol:

```bash
hekatomb -dns 10.0.0.1 -smb2 target
```

Extract and decrypt DPAPI blobs only for the specified username on domain computers:

```bash
hekatomb -just-user testuser target
```

Export the decrypted results to a CSV file and print MD5 hashes instead of cleartext passwords:

```bash
hekatomb -csv -md5 target
```

Run with maximum debug verbosity to log all LDAP, SMB, and decryption details:

```bash
hekatomb -debugmax target
```
Updated 2026-04-16 (kali.org)