
v0.3.0


@StrongWind1 released this 07 Jun 22:56
Tag v0.3.0 · commit c836ea9

Reworks the credential output formats and brings the secretsdump-compatible pwdump/hashcat output to byte-for-byte parity.

Breaking: the John the Ripper format and the no-op --raw flag are removed, and the hashcat/pwdump output filenames change. See Removed / Changed below.

Added

  • --hashcat-username selects the username field in hashcat output lines: sam (sAMAccountName, the default), upn, rid, or sid.
  • Structured output (NDJSON/JSON/CSV) now captures the previous-password and service Kerberos key sets from supplementalCredentials -- the KERB_STORED_CREDENTIAL_NEW OldCredentials / OlderCredentials / ServiceCredentials arrays -- under kerberosOld / kerberosOlder / kerberosService, alongside the current kerberos keys. These were previously dropped, yet every computer account (and any password-changed user) carries them. The hashcat and pwdump outputs are unchanged: they still emit only the current key set, matching secretsdump.
  • Every credentialed object now includes supplementalCredentialsRaw: the complete decoded supplementalCredentials structure verbatim -- every package (including the legacy Primary:Kerberos and the Packages list), the default salt and iteration count, and all four key arrays, with byte values hex-encoded and nothing curated away.

Changed

  • Reworked the hashcat output into per-class username:hash files for hashcat --username (ntlm_<type>_current.txt, ntlm_<type>_history.txt, lm_<type>_current.txt, lm_<type>_history.txt), split by object class, hash type, and age. LM hashes are emitted as their two 8-byte halves (mode 3000). Kerberos keys are no longer written to the hashcat output -- they are pass-the-key material, not hashcat-crackable hashes.
  • The pwdump format now emits secretsdump's "newer pwdump" file set, byte-for-byte compatible with impacket-secretsdump -outputfile: hashes.ntds (username:rid:lm:nt::: with inline username_historyN lines), hashes.ntds.kerberos (username:<etype>:<key>, lowercase etypes, no RC4), and hashes.ntds.cleartext (username:CLEARTEXT:<password>).

Removed

  • The John the Ripper output format (--format john); use hashcat or pwdump.
  • The --raw flag, which never had any effect. The completeness it implied is now always on via supplementalCredentialsRaw (see Added).

Fixed

  • The pwdump hashes.ntds.kerberos file omitted the dec-cbc-crc (DES-CBC-CRC) and rc4_hmac Kerberos keys on Windows Server 2008 databases, which store five KeyTypes in supplementalCredentials (2016+ store three). The writer now keys on the numeric Kerberos KeyType, mirroring impacket's KERBEROS_TYPE table exactly (including the 0xFFFFFF74 RC4 marker and the dec-cbc-crc spelling), so hashes.ntds.kerberos is byte-identical to secretsdump across Server 2008-2022.
  • Password history (ntPwdHistory / lmPwdHistory) was silently dropped for every account, so hashes.ntds was missing all _history lines. dissect returns the blob wrapped in a one-element list (which failed an isinstance(bytes) check), and the AES PEK layer was PKCS7-unpadded, stripping the trailing block secretsdump keeps. History is now decrypted faithfully and hashes.ntds is byte-identical to secretsdump -history across the RC4 and AES eras (Windows Server 2008-2022). The AES padding block is kept for exact parity (secretsdump emits it as a history entry); because it is not a real password, NTDSWolf logs a stderr WARNING naming each account whose history decrypts to more hashes than its SecretLength declares.
  • Removed the redundant --exclude-deleted flag; --include-deleted is now a single switch (deleted objects are excluded by default).

Install

uv tool install git+https://github.com/StrongWind1/NTDSWolf@v0.3.0

Full changelog: https://github.com/StrongWind1/NTDSWolf/blob/main/CHANGELOG.md · Docs: https://strongwind1.github.io/NTDSWolf/