crosscutsaw
diff --git a/‎README.md
+17-7 b/‎README.md
+17-7
diff --git a/‎TROUPEDC_192.168.2.11_2025-05-18_041052.ntds
+28 b/‎TROUPEDC_192.168.2.11_2025-05-18_041052.ntds
+28
diff --git a/‎pyproject.toml
+1-1 b/‎pyproject.toml
+1-1
diff --git a/‎revealhashed/core.py
+48-13 b/‎revealhashed/core.py
+48-13
diff --git a/‎rp1.PNG
8.69 KB b/‎rp1.PNG
8.69 KB
diff --git a/‎rp2.PNG
8.32 KB b/‎rp2.PNG
8.32 KB
diff --git a/‎rp3.PNG
61.5 KB b/‎rp3.PNG
61.5 KB
@@ -1,4 +1,5 @@
-## about revealhashed-python v0.1.1
+
+## about revealhashed-python v0.1.2
 revealhashed is a streamlined utility to correlate ntds usernames, nt hashes, and cracked passwords in one view while cutting out time-consuming manual tasks.
 
 ## how to install
@@ -8,9 +9,13 @@ from pypi:
 from github:  
 `pipx install git+https://github.com/crosscutsaw/revealhashed-python`
 
+## don't want to install?
+
+grab revealhashed binary from [releases](https://github.com/crosscutsaw/revealhashed-python/releases/latest) section.
+
 ## how to use
 ```
-revealhashed v0.1
+revealhashed v0.1.2
 
 usage: revealhashed [-h] [-r] {dump,reveal} ...
 
@@ -27,23 +32,28 @@ options:
 just execute `revealhashed -r` to remove contents of ~/.revealhashed
 
 ### revealhashed dump
-this command executes [zblurx's ntdsutil.py](https://github.com/zblurx/ntdsutil.py) then does classic revealhashed operations.
+this command executes [zblurx's ntdsutil.py](https://github.com/zblurx/ntdsutil.py) to dump ntds safely then does classic revealhashed operations.
 
 -w (wordlist) switch is needed. one or more wordlists can be supplied.    
 -e (enabled-only) switch is not needed but suggested. it's self explanatory; only shows enabled users.  
 
-for example: `revealhashed dump 'troupe.local/emreda:Aa123456'@192.168.2.11 -w wordlist1.txt wordlist2.txt -e`
+for example:  
+`revealhashed dump 'troupe.local/emreda:Aa123456'@192.168.2.11 -w wordlist1.txt wordlist2.txt -e`
 
 ### revealhashed reveal
-this command wants to get supplied with ntds file by user then does classic revealhashed operations.
+this command wants to get supplied with ntds file by user then does classic revealhashed operations.  
+_ntds file should contain usernames and hashes. it should be not ntds.dit. example ntds dump can be obtained from repo_
 
--ntds switch is needed.  
+-ntds or -nxc switch is needed. -ntds switch is for a file you own with hashes. -nxc switch is for scanning ~/.nxc/logs/ntds then selecting .ntds file.
 -w (wordlist) switch is needed. one or more wordlists can be supplied.  
 -e (enabled-only) switch is not needed but suggested. it's self explanatory; only shows enabled users.  
 
-for example: `revealhashed reveal -ntds TROUPEDC_192.168.2.11_2025-05-12_123035.ntds -w wordlist1.txt -e`
+for example:  
+`revealhashed reveal -ntds TROUPEDC_192.168.2.11_2025-05-12_123035.ntds -w wordlist1.txt -e`
 
 ## example outputs
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp1.PNG)
 
 ![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp2.PNG)
+
+![](https://raw.githubusercontent.com/crosscutsaw/revealhashed-python/main/rp3.PNG)
@@ -0,0 +1,28 @@
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c1c756a7e80cb00b03ac7db8802c947::: (status=Enabled)
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ee292567175d1131bd099acfd0251d5f::: (status=Disabled)
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+emretest:1601:aad3b435b51404eeaad3b435b51404ee:47bf8039a8506cd67c524a03ff84ba4e::: (status=Enabled)
+troupe.local\abuzer.komurcu:1626:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+troupe.local\erdal.komurcu:1627:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+troupe.local\ersoy.ulubey:1628:aad3b435b51404eeaad3b435b51404ee:3c7408268811f6310eca314943a94564::: (status=Disabled)
+troupe.local\hakantasiyan:1629:aad3b435b51404eeaad3b435b51404ee:7b357db710907a0ab26b51be1da0b4a9::: (status=Enabled)
+troupe.local\azerbulbul:1630:aad3b435b51404eeaad3b435b51404ee:7b357db710907a0ab26b51be1da0b4a9::: (status=Disabled)
+troupe.local\devrancaglar:1631:aad3b435b51404eeaad3b435b51404ee:bc89cfa104790d312e2542eea4207aee::: (status=Disabled)
+troupe.local\muslumgurses:1632:aad3b435b51404eeaad3b435b51404ee:7b357db710907a0ab26b51be1da0b4a9::: (status=Disabled)
+troupe.local\selahattinozdemir:1633:aad3b435b51404eeaad3b435b51404ee:a9090a292c94f91aba40e4f47790bac3::: (status=Enabled)
+troupe.local\1_nopassword:1634:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)
+troupe.local\2_nopassword_disable:1635:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+troupe.local\3_password_disabled:1636:aad3b435b51404eeaad3b435b51404ee:2ef7256e0f88f6653220c88801bdcbb5::: (status=Disabled)
+troupe.local\longnametestA1B2C3D4:1637:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
+gpptest:1638:aad3b435b51404eeaad3b435b51404ee:7c53cfa5ea7d0f9b3b968aa0fb51a3f5::: (status=Enabled)
+troupe.local\emreda:1644:aad3b435b51404eeaad3b435b51404ee:47bf8039a8506cd67c524a03ff84ba4e::: (status=Enabled)
+emreea:1647:aad3b435b51404eeaad3b435b51404ee:1674049edd3d39cead200b0fee90982a::: (status=Enabled)
+bbtest:1650:aad3b435b51404eeaad3b435b51404ee:67587a19e4c2b479f1fa85b95b544229::: (status=Enabled)
+cctest:1651:aad3b435b51404eeaad3b435b51404ee:a2af76c474f274222bec25b340f857a8::: (status=Enabled)
+dummy:1652:aad3b435b51404eeaad3b435b51404ee:ef8d80b784540a0ec71a1fc853985619::: (status=Enabled)
+TROUPEDC$:1000:aad3b435b51404eeaad3b435b51404ee:4791603d21ff3acdf373120bfc8ef66c::: (status=Enabled)
+EMRE-SBKCVF1D1N$:1640:aad3b435b51404eeaad3b435b51404ee:0e3c52a413f0b1338ca1634c86fe9d0a::: (status=Enabled)
+TESTULAN$:1642:aad3b435b51404eeaad3b435b51404ee:f216e2977b48aa936316e1ac06748894::: (status=Enabled)
+PENTEST$:1643:aad3b435b51404eeaad3b435b51404ee:4391854c7e1e24e278c91f26a6e7d03c::: (status=Enabled)
+PENTEST3$:1649:aad3b435b51404eeaad3b435b51404ee:9cae71d6709eaa45d6ec77c22d9d035a::: (status=Enabled)
@@ -1,6 +1,6 @@
 [project]
 name = "revealhashed"
-version = "0.1.1"
+version = "0.1.2"
 description = "Dump or analyze existing NTDS data, crack NT hashes with hashcat and match them to their corresponding user accounts."
 authors = [{ name = "aslan emre aslan", email = "[email protected]" }]
 license = "MIT"
 
@@ -51,8 +51,9 @@ def parse_args():
 
     # subparser: reveal
     reveal_parser = subparsers.add_parser("reveal", help="Use your own NTDS dump then reveal credentials with it")
-    reveal_parser.add_argument("-ntds", help="Path to .ntds file", required=True)
-    reveal_parser.add_argument("-w", "--wordlists", nargs="+", metavar="WORDLIST WORDLIST2", help="Wordlists to use with hashcat", required=True)
+    reveal_parser.add_argument("-ntds", help="Path to .ntds file")
+    reveal_parser.add_argument("-nxc", action="store_true", help="Scan $HOME/.nxc/logs/ntds for .ntds files")
+    reveal_parser.add_argument("-w", "--wordlists", nargs="+", metavar="WORDLIST WORDLIST2", help="Wordlists to use with hashcat", required=False)
     reveal_parser.add_argument("-e", "--enabled-only", action="store_true", help="Only show enabled accounts")
 
     return parser
@@ -100,10 +101,10 @@ def extract_unique_hashes(ntds_path, output_path, full_output_path, write_full_o
         raise
 
 def run_hashcat(hashes_file, wordlists):
-    start = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+    start = datetime.now().strftime("%H:%M:%S %d-%m-%Y")
     print(f"{BOLD_GREEN}[+]{RESET} Starting hashcat session at {start}")
     subprocess.run(["hashcat", "-m1000", str(hashes_file), *wordlists, "--quiet"])
-    end = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+    end = datetime.now().strftime("%H:%M:%S %d-%m-%Y")
     print(f"{BOLD_GREEN}[+]{RESET} Ended hashcat session at {end}")
 
 def parse_potfile(potfile_path):
@@ -168,7 +169,7 @@ def reveal_credentials(individual_ntds_path, cracked_hashes, session_dir, enable
     print(f"\n{BOLD_GREEN}[+]{RESET} Output saved to {output_file}")
 
 def main():
-    print(f"\n{BOLD_BLUE}revealhashed v0.1{RESET}\n")
+    print(f"\n{BOLD_BLUE}revealhashed v0.1.2{RESET}\n")
 
     parser = parse_args()
     args = parser.parse_args()
@@ -188,16 +189,17 @@ def main():
         ntdsutil_dir = session_dir / "ntdsutil"
         ntdsutil_dir.mkdir(parents=True, exist_ok=True)
         args.outputdir = str(ntdsutil_dir)
-
-        print(f"{BOLD_GREEN}[+]{RESET} Starting NTDS dump with ntdsutil")
+        
+        start = datetime.now().strftime("%H:%M:%S %d-%m-%Y")
+        print(f"{BOLD_GREEN}[+]{RESET} Starting NTDS dump with ntdsutil at {start}")
 
         try:
             ntdsutil.run_ntdsutil(args)
         except Exception as e:
             print(f"{BOLD_RED}[!]{RESET} NTDS dump failed: {e}")
             return
-
-        print(f"{BOLD_GREEN}[+]{RESET} NTDS successfully dumped!")
+        end = datetime.now().strftime("%H:%M:%S %d-%m-%Y")
+        print(f"{BOLD_GREEN}[+]{RESET} NTDS successfully dumped at {end}")
 
         # run secretsdump in the same session folder
         system_path = ntdsutil_dir / "SYSTEM"
@@ -247,11 +249,37 @@ def main():
         reveal_credentials(ind_path, cracked, session_dir, enabled_only=args.enabled_only)
 
     elif args.command == "reveal":
-        if not args.ntds:
-            print(f"{BOLD_RED}[!]{RESET} Please provide an NTDS file with -ntds")
-            return
+        if args.nxc:
+            nxc_dir = Path.home() / ".nxc" / "logs" / "ntds"
+            ntds_files = sorted(nxc_dir.glob("*.ntds"))
+
+            if not ntds_files:
+                print(f"{BOLD_RED}[!]{RESET} No .ntds files found in {nxc_dir}")
+                sys.exit(1)
+
+            print(f"{BOLD_GREEN}[+]{RESET} Found {len(ntds_files)} .ntds files in {nxc_dir}")
+            for idx, f in enumerate(ntds_files):
+                print(f"[{idx}] {f.name}")
+
+            while True:
+                try:
+                    selection = int(input("\nSelect file by index: "))
+                    print()
+                    if 0 <= selection < len(ntds_files):
+                        ntds_path = ntds_files[selection]
+                        args.ntds = str(ntds_path)
+                        break
+                    else:
+                        print(f"\n{BOLD_RED}[!]{RESET} Invalid selection. Try again.")
+                except ValueError:
+                    print(f"\n{BOLD_RED}[!]{RESET} Please enter a valid number.")
+        else:
+            if not args.ntds:
+                print(f"{BOLD_RED}[!]{RESET} Please specify either -ntds or -nxc")
+                sys.exit(1)
+            ntds_path = Path(args.ntds)
         if not args.wordlists:
-            print(f"{BOLD_RED}[!]{RESET} No wordlists provided. Use -w to specify at least one wordlist.")
+            print(f"\n{BOLD_RED}[!]{RESET} No wordlists provided. Use -w to specify at least one wordlist.")
             return
 
         TMP_DIR.mkdir(parents=True, exist_ok=True)
@@ -273,3 +301,10 @@ def main():
 
 if __name__ == "__main__":
     main()
+
+# revealhashed v0.1.2
+# 
+# contact options
+# mail: https://blog.zurrak.com/contact.html
+# twitter: https://twitter.com/tasiyanci
+# linkedin: https://linkedin.com/in/aslanemreaslan