
Untitled

a guest
Sep 13th, 2019
<#
This is a slightly altered version of https://github.com/DGG-IT/Match-ADHashes/ for no-nonsense output. All credit to them.

.NAME
    Match-ADHashes

.SYNOPSIS
    Matches AD NTLM Hashes against another list of hashes

.DESCRIPTION
    Builds a hashmap of AD NTLM hashes/usernames and iterates through a second list of hashes checking for the existence of each entry in the AD NTLM hashmap
        -Outputs results as object including username, hash, and frequency in database
        -Frequency is included in output to provide additional context on the password. A high frequency (> 5) may indicate password is commonly used and not necessarily linked to specific user's password re-use.

.PARAMETER ADNTHashes
    File Path to 'Hashcat' formatted .txt file (username:hash)

.PARAMETER HashDictionary
    File Path to 'Troy Hunt Pwned Passwords' formatted .txt file (HASH:frequencycount)

.PARAMETER Verbose
    Provide run-time of function in Verbose output

.EXAMPLE
    $results = Match-ADHashes -ADNTHashes C:\temp\adnthashes.txt -HashDictionary C:\temp\Hashlist.txt

.OUTPUTS
    Array of HashTables with properties "User", "Frequency", "Hash"
    User                            Frequency Hash
    ----                            --------- ----
    {TestUser2, TestUser3}          20129     H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1
    {TestUser1}                     1         H2H2H2H2H2H2H2H2H2H2H2H2H2H2H2H2

.NOTES
    If you are seeing results for User truncated as {user1, user2, user3...} consider modifying the Preference variable $FormatEnumerationLimit (set to -1 for unlimited)

    =INSPIRATION / SOURCES / RELATED WORK
        -DSInternal Project https://www.dsinternals.com
        -Checkpot Project https://github.com/ryhanson/checkpot/

    =FUTURE WORK
        -Performance Testing, optimization
        -Other Languages (golang?)

.LINK
    https://github.com/DGG-IT/Match-ADHashes/

#>

#CmdletBinding is required for the -Verbose switch documented above to take effect
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [System.IO.FileInfo] $ADNTHashes,

    [Parameter(Mandatory = $true)]
    [System.IO.FileInfo] $HashDictionary
)


process {
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()

    #Declare and fill new hashtable with ADNThashes. Converts to upper case to
    $htADNTHashes = @{}
    Import-Csv -Delimiter ":" -Path $ADNTHashes -Header "User","Hash" | ForEach-Object {$htADNTHashes[$_.Hash.ToUpper()] += @($_.User)}

    #Create empty output object
    $mrMatchedResults = @()

    #Create Filestream reader
    $fsHashDictionary = New-Object IO.Filestream $HashDictionary,'Open','Read','Read'
    $frHashDictionary = New-Object System.IO.StreamReader($fsHashDictionary)

    try {
        #Iterate through HashDictionary checking each hash against ADNTHashes
        while (($lineHashDictionary = $frHashDictionary.ReadLine()) -ne $null) {
            #Each dictionary line is HASH:frequencycount
            $fields = $lineHashDictionary.Split(":")
            $hash = $fields[0].ToUpper()
            if ($htADNTHashes.ContainsKey($hash)) {
                $user = $htADNTHashes[$hash]
                $frequency = $fields[1]
                #Emit one plain-text line per match: user(s) (space-separated), frequency, hash
                Write-Output "$user, $frequency, $hash"
            }
        }
    }
    finally {
        #Release the file handle on the hash dictionary even if the loop throws
        $frHashDictionary.Close()
    }

    $stopwatch.Stop()
    Write-Verbose "Function Match-ADHashes completed in $($stopwatch.Elapsed.TotalSeconds) Seconds"
}

end {
}