Initial code

dependencies/CommandLine.txt

@@ -0,0 +1,2 @@
+https://github.com/gsscoder/commandline
+Version: 1.9.71.2

dependencies/Esent.Interop.txt

@@ -0,0 +1,2 @@
+URL: https://managedesent.codeplex.com/
+Version: 1.9.2.0

readme.md

@@ -0,0 +1,36 @@
+dumpntds
+========
+
+# Background #
+
+The normal workflow for dumping passwords from **ntds.dit** files is to use the **esedbexport** application from the **[libesedb](https://github.com/libyal/libesedb)** project. The files generated by esedbextract are then fed into the [ntdsxtract](https://github.com/csababarta/ntdsxtract) project. ntdsxtract uses the files to parse out various different items of information, in this case we would want password hashes that could be fed into john the ripper.
+
+On large domains, the ntds.dit file can be extremely large (10 GB+), from which extracting all of the columns to a CSV file can take a long time, considering the **datatable** table contains over 1000 columns.
+
+The aim of dumpntds is to extract the minimal amount of data required (45 columns) to perform the task in hand, thus speeding up the process.
+
+dumpntds uses the [ManagedEsent](https://managedesent.codeplex.com) library to access the data stored in the ntds.dit file. The ManagedEsent library wraps the underlying Windows API calls and therefore needs to be run using .Net, rather than Mono.
+
+# Usage #
+
+Extract the ntds.dit file from the host and run using the following:
+
+    dumpntds -n path\to\ntds.dit\file
+
+Once the process has been completed it will have generated two output files in the application directory:
+
+- datatable.csv
+- linktable.csv
+
+## dsusers ##
+
+The extracted files can then be used with the **dsusers.py** script from the ntdsxtrct project:
+
+    python ./dsusers.py datatable.csv linktable.csv . --passwordhashes --syshive SYSTEM --pwdformat john --lmoutfile lm.txt --ntoutfile nt.txt
+
+## dshashes.py ##
+
+I have also included an updated version of the [dshashes](http://ptscripts.googlecode.com/svn/trunk/dshashes.py) python script, which was broken due to changes in the underlying ntds library. The dshashes script can be used as follows:
+
+    python ./dshashes.py datatable.csv linktable.csv . --passwordhashes SYSTEM
+

source/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />
+    </startup>
+</configuration>

source/Options.cs

@@ -0,0 +1,44 @@
+using System;
+using CommandLine;
+using CommandLine.Text;
+
+namespace dumpntds
+{
+    /// <summary>
+    /// Internal class used for the command line parsing
+    /// </summary>
+    internal class Options
+    {
+        [ParserState]
+        public IParserState LastParserState { get; set; }
+
+        [Option('n', "ntds", Required = true, DefaultValue = "", HelpText = "Path to ntds.dit file")]
+        public string Ntds { get; set; }
+
+        [HelpOption]
+        public string GetUsage()
+        {
+            var help = new HelpText
+            {
+                Copyright = new CopyrightInfo("Info-Assure", 2015),
+                AdditionalNewLineAfterOption = false,
+                AddDashesToOption = true
+            };
+
+            help.AddPreOptionsLine("Usage: dumpntds -m p -n ntds.dit");
+            help.AddOptions(this);
+
+            if( this.LastParserState != null)
+            {
+                var errors = help.RenderParsingErrorsText(this, 0); // indent with two spaces
+                if (!string.IsNullOrEmpty(errors))
+                {
+                    help.AddPreOptionsLine(string.Concat(Environment.NewLine, "ERROR(S):"));
+                    help.AddPreOptionsLine(errors);
+                }
+            }
+
+            return help;
+        }
+    }
+}