
I have a lab ntlm-extract.ntds file which has usernames and hashes in the format: domain\username:integer:hash:hash2

For example: somedomain.local\jcricket:5201:0020cfaecd41954fb9c9da8c61ccacd7:0020cfaecd41954fb9c9da8c61ccacd7

I'm comparing the hashes in the LINE[3]/hash2 column with hashes in the NTLM HIBP database, then I'd like to print out usernames that have matches, but the domain\username keeps losing the \ whatever I try, and I'm not sure if it's on the read or write that it loses it.

The script I have so far is:

#!/usr/bin/bash

while read line
do
    IFS=':' read -ra "LINE" <<< ${line}
    HASH=${LINE[3]}
    HASH=${HASH^^}
    printf "Checking for %s\n" $HASH
    found=$(grep "$HASH" "./pwned-passwords-ntlm-ordered-by-hash-v7.txt")
    if [ -n $found ]; then
        printf "Match on username %s\n" "${LINE[0]}"
    fi
done < "ntlm-extract.ntds"

Following the recommendations, the final working script ended up being:

#!/usr/bin/bash

# Count lines via stdin so wc prints only the number, not the file name
numoflines=$(wc -l < ntlm-extract.ntds)
numcomp=0
while IFS= read -r line; do
    IFS=: read -ra hashline <<< "${line}"
    passhash="${hashline[3]}"
    printf "Checking for %s\n" "$passhash"
    printf "Line %d of %d\n" "$numcomp" "$numoflines"
    numcomp=$((numcomp+1))
    found=''
    # -m 1 stops at the first match; -i ignores hash case
    found=$(grep -m 1 -i "$passhash" "./pwned-passwords-ntlm-ordered-by-hash-v7.txt")
    wait
    if [ -z "$found" ]; then
        continue
    else
        printf "found return value is %s\n" "$found"
        printf "%s\n" "${hashline[0]}" >> ./hibp-busted.txt
    fi
done < "ntlm-extract.ntds"

flerb
  • 963

1 Answer


You need -r on the outer read, not just on the inner read -a. You should also quote "${line}" and (probably) want IFS= unless you explicitly want to strip leading whitespace:

while IFS= read -r line; do 
  IFS=: read -ra LINE <<< "${line}"; printf '%s\n' "${LINE[@]}"
done < ntlm-extract.ntds
somedomain.local\jcricket
5201
0020cfaecd41954fb9c9da8c61ccacd7
0020cfaecd41954fb9c9da8c61ccacd7

I'd also suggest changing the name of variable LINE to something that is not all uppercase.

steeldriver
  • 81,074