I use mimikatz to extract NTLM hashes for a security audit. The output of mimikatz is along the following lines:
RID : 000001f4 (500)
User : Administrator
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 6373ee9aae046ab1319d89b1cfd36306
RID : 000003e9 (1001)
User : admin
Hash NTLM: f1320e0960da374b88e40cffbec44885
I want to grab the "User" and "Hash NTLM", i.e.,
User : admin
Hash NTLM: f1320e0960da374b88e40cffbec44885
To do this I use the following regular expression:
[regex]$regex = '(?m)(User\s:\s\w+\r\n\s*Hash NTLM:\s\w+)'
Now, if I use the regular expression directly on the mimikatz output:
$ntlm = Invoke-Expression -Command "mimikatz.exe ""lsadump::sam /sam:C:\sam /system:C:\system"" exit"
[regex]$regex = '(?m)(User\s:\s\w+\r\n\s*Hash NTLM:\s\w+)'
$regex.Matches($ntlm).value
nothing is returned.
However, if I first store the output to a file and then read it using -Raw, then it works fine:
$ntlm = Invoke-Expression -Command "mimikatz.exe ""lsadump::sam /sam:C:\sam /system:C:\system"" exit"
$ntlm | Out-File -FilePath "C:\Users\nlykkei\Desktop\mimikatz.txt"
$Text = Get-Content "C:\Users\nlykkei\Desktop\mimikatz.txt" -Raw
$regex.Matches($Text).value
In this case, the following lines are returned:
User : WDAGUtilityAccount
Hash NTLM: 6373ee9aae046ab1319d89b1cfd36306
User : admin
Hash NTLM: f1320e0960da374b88e40cffbec44885
How can I do a proper match without storing the output to a file? I know of \r\n, but they don't seem to work.