Wikipedia + rockyou + hashesorg2019

main
Swissky 2020-12-21 20:05:03 +01:00
parent e011bf2098
commit 2b5f5810c6
4 changed files with 270 additions and 183 deletions

View File

@ -1,27 +1,38 @@
# Nephelees # Nephelees
Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also ntds cracking tool abusing Google Colab
> Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also a NTDS cracking tool abusing Google Colab
<p align="center"> <p align="center">
<img src="https://github.com/swisskyrepo/Nephelees/raw/main/img/logo.jpg?raw=true"><br>
<a href="https://colab.research.google.com/github/swisskyrepo/Nephelees/blob/main/google_colab_hashcat.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a> <a href="https://colab.research.google.com/github/swisskyrepo/Nephelees/blob/main/google_colab_hashcat.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>
</p> </p>
## V1 - Google Colab ## Quick Start
* https://github.com/ShutdownRepo/hashonymize 0. Open the `ipynb` file by clicking on the button **Open in Colab**
* https://github.com/ShutdownRepo/google-colab-hashcat 1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**.
* https://github.com/mxrch/penglab 2. Select **Runtime**" and **Run all"** !
* https://colab.research.google.com/drive/1arm1_HEMb868mk18FlLkEcqvHPB_Ibgb#scrollTo=lWPQqb3oETLd 3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists
4. Upload your anonymized hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button
5. Install requirements (hashcat + wordlists + rules)
6. Run hashcat commands
7. Recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the explorer in the left side of the panel.
8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`
:warning: For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get **erased**.
git clone https://github.com/iphelix/pack/blob/master/README
$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
```ps1
Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb
Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU.
Change the config by setting "True" at tools you want to install.
Select "Runtime" and "Run all" !
```
* markov, keyboard walking, dico + rules , haveibeenpwn * markov, keyboard walking, dico + rules , haveibeenpwn
* reuse old pot (extract passwd to new wordlist) * reuse old pot (extract passwd to new wordlist)
## Hashcat Cheatsheet
Here are some of the most used attack modes for the `--attack-mode` option Here are some of the most used attack modes for the `--attack-mode` option
``` ```
0 Wordlist (with or without rules) 0 Wordlist (with or without rules)
@ -29,6 +40,7 @@ Here are some of the most used attack modes for the `--attack-mode` option
``` ```
Here are some of the most used hash types for the `--hash-type` option Here are some of the most used hash types for the `--hash-type` option
```ps1 ```ps1
1000 NTLM (actually its for NT hashes) 1000 NTLM (actually its for NT hashes)
3000 LM 3000 LM
@ -42,18 +54,22 @@ Here are some of the most used hash types for the `--hash-type` option
100 sha1 100 sha1
1400 sha2-256 1400 sha2-256
1700 sha2-512 1700 sha2-512
# 2 hours
-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
``` ```
## V2 - UI Hashcat masks for custom cracking
* https://github.com/Coalfire-Research/npk ```powershell
* https://github.com/s3inlc/hashtopolis/releases/tag/v0.12.0
```
## References & Ideas ## References & Ideas
Most of the credits are due to @mxrch and @ShutdownRepo.
This repository is mostly a rework of their scripts.
* https://github.com/mxrch/penglab
* https://github.com/ShutdownRepo/hashonymize
* https://github.com/ShutdownRepo/google-colab-hashcat
* https://github.com/carlmon/Hashcat-Azure * https://github.com/carlmon/Hashcat-Azure
* https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/ * https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/
* https://www.trillsecurity.com/tutorials/automating-hashtopolis-with-terraform-part-i/ * https://www.trillsecurity.com/tutorials/automating-hashtopolis-with-terraform-part-i/

View File

@ -21,14 +21,17 @@
}, },
"source": [ "source": [
"# Nephelees - NTDS cracking on Google Colab\r\n", "# Nephelees - NTDS cracking on Google Colab\r\n",
"1. Select \"Runtime\", \"Change runtime type\", and set \"Hardware accelerator\" to GPU. \r\n", "\r\n",
"2. Select \"Runtime\" and \"Run all\" !\r\n", "0. Open the `ipynb` file by clicking on the button **Open in Colab**\r\n",
"1. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n", "1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**. \r\n",
"2. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n", "2. Select **Runtime**\" and **Run all\"** !\r\n",
"3. install requirements\r\n", "3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n", "4. Upload your anonymized hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\r\n", "5. Install requirements (hashcat + wordlists + rules)\r\n",
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n", "6. Run hashcat commands\r\n",
"7. Recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the explorer in the left side of the panel.\r\n",
"8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`\r\n",
"\r\n",
"\r\n", "\r\n",
"**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. " "**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. "
] ]
@ -74,11 +77,7 @@
{ {
"cell_type": "code", "cell_type": "code",
"metadata": { "metadata": {
"id": "_M4BMeXCNCA8", "id": "_M4BMeXCNCA8"
"colab": {
"base_uri": "https://localhost:8080/"
},
"outputId": "f08a6696-17ca-4415-f572-402e96fb7717"
}, },
"source": [ "source": [
"# Download wordlists\r\n", "# Download wordlists\r\n",
@ -90,92 +89,31 @@
"!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n", "!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n",
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n", "!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n",
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
"!cd $wordlists_dir && gunzip rockyou.txt.gz\r\n", "!cd $wordlists_dir && gunzip rockyou.txt.gz && rm rockyou.txt.gz\r\n",
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n",
"\r\n", "\r\n",
"!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n", "!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n",
"!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n", "!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n",
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
"!cd $wordlists_dir && unxz kerberoast_pws.xz\r\n", "!cd $wordlists_dir && unxz kerberoast_pws.xz && rm kerberoast_pws.xz\r\n",
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n",
"\r\n", "\r\n",
"!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n", "!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n",
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n", "!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n",
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
"!cd $wordlists_dir && gunzip hashesorg2019.gz\r\n", "!cd $wordlists_dir && gunzip hashesorg2019.gz && rm hashesorg2019.gz\r\n",
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n",
"\r\n", "\r\n",
"# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n", "# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n",
"# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n", "# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n",
"# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n", "# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n",
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n" "# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n",
"\r\n",
"# 28 GB / https://download.weakpass.com/wordlists/1863/weakpass_2.gz\r\n",
"# https://github.com/danielmiessler/SecLists/raw/5c9217fe8e930c41d128aacdc68cbce7ece96e4f/Passwords/Keyboard-Combinations.txt"
], ],
"execution_count": 20, "execution_count": null,
"outputs": [ "outputs": []
{
"output_type": "stream",
"text": [
"mkdir: cannot create directory ./wordlists: File exists\n",
"[+] Downloading the Rockyou wordlist...\n",
"--2020-12-21 15:03:51-- https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.151, 104.21.234.150, 2606:4700:3038::6815:ea97, ...\n",
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.151|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 53357062 (51M) [application/octet-stream]\n",
"Saving to: rockyou.txt.gz\n",
"\n",
"rockyou.txt.gz 100%[===================>] 50.88M 11.8MB/s in 5.3s \n",
"\n",
"2020-12-21 15:03:56 (9.59 MB/s) - rockyou.txt.gz saved [53357062/53357062]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"gzip: rockyou.txt already exists; do you wish to overwrite (y or n)? ^C\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/rockyou.txt\n",
"rockyou.txt.gz[+] Downloading the KerberoastPW wordlist...\n",
"--2020-12-21 15:05:19-- https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
"Resolving gist.github.com (gist.github.com)... 192.30.255.113\n",
"Connecting to gist.github.com (gist.github.com)|192.30.255.113|:443... connected.\n",
"HTTP request sent, awaiting response... 301 Moved Permanently\n",
"Location: https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz [following]\n",
"--2020-12-21 15:05:19-- https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
"Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...\n",
"Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|151.101.0.133|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 98784072 (94M) [application/octet-stream]\n",
"Saving to: kerberoast_pws.xz.1\n",
"\n",
"kerberoast_pws.xz.1 100%[===================>] 94.21M 185MB/s in 0.5s \n",
"\n",
"2020-12-21 15:05:21 (185 MB/s) - kerberoast_pws.xz.1 saved [98784072/98784072]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"unxz: kerberoast_pws: File exists\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/kerberoast_pws\n",
"kerberoast_pws.xz\n",
"kerberoast_pws.xz.1[+] Downloading the HashesOrg2019 wordlist...\n",
"--2020-12-21 15:05:21-- https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.150, 104.21.234.151, 2606:4700:3038::6815:ea97, ...\n",
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.150|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 4468104490 (4.2G) [application/octet-stream]\n",
"Saving to: hashesorg2019.gz\n",
"\n",
"hashesorg2019.gz 100%[===================>] 4.16G 11.7MB/s in 6m 0s \n",
"\n",
"2020-12-21 15:11:21 (11.9 MB/s) - hashesorg2019.gz saved [4468104490/4468104490]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/hashesorg2019"
],
"name": "stdout"
}
]
}, },
{ {
"cell_type": "code", "cell_type": "code",
@ -219,99 +157,89 @@
{ {
"cell_type": "code", "cell_type": "code",
"metadata": { "metadata": {
"id": "xYgvNWGbKXSp", "id": "xYgvNWGbKXSp"
"colab": {
"base_uri": "https://localhost:8080/"
},
"outputId": "cfbf1c6b-7d90-4108-fefa-e7566ad718b1"
}, },
"source": [ "source": [
"# 3. Crack your hashes\n", "# 3. Crack your hashes\n",
"\n", "\n",
"# Quick cracking - rockyou wordlist - around 10 minutes\n", "# Quick cracking - rockyou wordlist - around 10 minutes\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
"\n", "\n",
"# Medium cracking - kerberoast wordlist - around 30 minutes\n", "# Medium cracking - kerberoast wordlist - around 30 minutes\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
"\n", "\n",
"# Insane cracking - hashesorg2019 wordlist - several days ?\n", "# Insane cracking - hashesorg2019 wordlist - 2min + 8 min + 3h + 6h\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username"
"\n",
"# ----- around 3 hours on a p100 ------\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\n",
"# ----- more than 3 days on a P100 --------\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
], ],
"execution_count": null, "execution_count": null,
"outputs": [ "outputs": []
{ },
"output_type": "stream", {
"text": [ "cell_type": "code",
"hashcat (v6.1.1-120-g15bf8b730) starting...\n", "metadata": {
"\n", "id": "RCjfsWx6MwtT"
"\u001b[31mnvmlDeviceGetFanSpeed(): Not Supported\u001b[0m\n", },
"\n", "source": [
"CUDA API (CUDA 10.1)\n", "# 4. More cracking materials\r\n",
"====================\n", "import os\r\n",
"* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU\n", "pack_dir = \"pack\"\r\n",
"\n", "os.system(\"pack_dir={}\".format(pack_dir))\r\n",
"OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]\n", "!mkdir ./$pack_dir\r\n",
"========================================================================\n", "\r\n",
"* Device #2: Tesla P100-PCIE-16GB, skipped\n", "!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/statsgen.py\r\n",
"\n", "!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/maskgen.py\r\n",
"Minimum password length supported by kernel: 0\n", "!python2 $pack_dir/statsgen.py cracked.pot -o $pack_dir/hashcat.mask\r\n",
"Maximum password length supported by kernel: 27\n", "!python2 $pack_dir/maskgen.py $pack_dir/hashcat.mask --targettime 3600 --optindex -q -o $pack_dir/hashcat_1H.hcmask\r\n",
"\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 3 /content/*.ntds $pack_dir/hashcat_1H.hcmask"
"Hashes: 45 digests; 45 unique digests, 1 unique salts\n", ],
"Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates\n", "execution_count": null,
"Rules: 64\n", "outputs": []
"\n", },
"Applicable optimizers applied:\n", {
"* Optimized-Kernel\n", "cell_type": "code",
"* Zero-Byte\n", "metadata": {
"* Precompute-Init\n", "id": "Zs5N4JmKVNWX"
"* Meet-In-The-Middle\n", },
"* Early-Skip\n", "source": [
"* Not-Salted\n", "# 5. Wikipedia list\r\n",
"* Not-Iterated\n", "!apt install hydra -y\r\n",
"* Single-Salt\n", "!cd /content/wordlists && wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2\r\n",
"* Raw-Hash\n", "!cd /content/wordlists && bzcat nowiki-latest-pages-articles.xml.bz2 | grep '^[a-zA-Z]' | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>=\"\\/]/\\ /g' | tr ' ' '\\n' | sed 's/[0-9]//g' | sed 's/[^A-Za-z0-9]//g' | sed -e 's/./\\L\\0/g' | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' | sort -u | pw-inspector -m1 -M20 > nowiki.lst\r\n",
"\n", "!cd /content/wordlists && wc -l nowiki.lst\r\n",
"Watchdog: Temperature abort trigger set to 90c\n", "\r\n",
"\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --username\r\n",
"INFO: Removed 27 hashes found in potfile.\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/hob064.rule --username\r\n",
"\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/d3adhob0.rule --username\r\n",
"Host memory required for this attack: 983 MB\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/dive.rule --username"
"\n", ],
"Dictionary cache hit:\n", "execution_count": null,
"* Filename..: /content/wordlists/hashesorg2019\n", "outputs": []
"* Passwords.: 1279729109\n", },
"* Bytes.....: 13733214816\n", {
"* Keyspace..: 81902662976\n", "cell_type": "code",
"\n", "metadata": {
"\u001b[33mCracking performance lower than expected?\u001b[0m\n", "id": "D5T_SbzZNjhd"
"\u001b[33m\u001b[0m\n", },
"\u001b[33m* Update your backend API runtime / driver the right way:\u001b[0m\n", "source": [
"\u001b[33m https://hashcat.net/faq/wrongdriver\u001b[0m\n", "# 6. Full bruteforce for 8/9 characters and compliance masks\r\n",
"\u001b[33m\u001b[0m\n", "# ----- around 3 hours on a p100 ------\r\n",
"\u001b[33m* Create more work items to make use of your parallelization power:\u001b[0m\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 /content/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask\r\n",
"\u001b[33m https://hashcat.net/faq/morework\u001b[0m\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\r\n",
"\u001b[33m\u001b[0m\n", "# ----- more than 3 days on a P100 --------\r\n",
"[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => " "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \r\n",
], "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
"name": "stdout" ],
} "execution_count": null,
] "outputs": []
} }
] ]
} }

143
hashonymize.py Normal file
View File

@ -0,0 +1,143 @@
import argparse
class Logger:
def __init__(self, verbosity=0, quiet=False):
self.verbosity = verbosity
self.quiet = quiet
def debug(self, message):
if self.verbosity == 2:
print("{}[DEBUG]{} {}".format(YELLOW, END, message))
def verbose(self, message):
if self.verbosity >= 1:
print("{}[VERBOSE]{} {}".format(BLUE, END, message))
def info(self, message):
if not self.quiet:
print("{}[*]{} {}".format(BOLD_BLUE, END, message))
def success(self, message):
if not self.quiet:
print("{}[+]{} {}".format(BOLD_GREEN, END, message))
def warning(self, message):
if not self.quiet:
print("{}[-]{} {}".format(BOLD_ORANGE, END, message))
def error(self, message):
if not self.quiet:
print("{}[!]{} {}".format(BOLD_RED, END, message))
def get_options():
description = "Turn your hashcat formatted hashes files into anonymized files for offline but online cracking (" \
"i.e. Google Colab for example) "
epilog = ""
parser = argparse.ArgumentParser(
description=description,
epilog=epilog,
formatter_class=argparse.RawTextHelpFormatter,
)
parser.add_argument("-ntds", "--ntds", dest="ntds_path", action="store",
help="hashcat format ntds file to crack", required=False)
parser.add_argument("-asreproast", "--asreproast", dest="asreproast_path", action="store",
help="hashcat format asreproast file to crack", required=False)
parser.add_argument("-kerberoast", "--kerberoast", dest="kerberoast_path", action="store",
help="hashcat format kerberoast file to crack", required=False)
parser.add_argument(
"-v",
"--verbose",
dest="verbosity",
action="count",
default=0,
help="verbosity level (-v for verbose, -vv for debug)",
)
parser.add_argument(
"-q",
"--quiet",
dest="quiet",
action="store_true",
default=False,
help="show no information at all",
)
options = parser.parse_args()
return options
def ntds_anonymize(file_path):
logger.info("Anonymizing ntds file {}".format(file_path))
with open(file_path, "r") as clear_file:
with open(file_path + "_hashanon", "w") as anone_file:
increment = 0
for hash in clear_file.readlines():
username = hash.strip().split(":")[0]
new_hash = hash.split(":")[1:]
new_hash.insert(0, "user" + str(increment))
logger.debug(new_hash)
anone_file.write(":".join(new_hash))
increment += 1
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
def asreproast_anonymize(file_path):
logger.info("Anonymizing ASREProast file {}".format(file_path))
with open(file_path, "r") as clear_file:
with open(file_path + "_hashanon", "w") as anone_file:
increment = 0
for hash in clear_file.readlines():
new_hash = hash.split("$")[:3]
checksum = hash.split("$")[3].split(":")[1]
new_hash.append("user" + str(increment) + ":" + checksum)
new_hash += hash.split("$")[4:]
logger.debug(new_hash)
anone_file.write("$".join(new_hash))
increment += 1
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
def kerberoast_anonymize(file_path):
logger.info("Anonymizing Kerberoast file {}".format(file_path))
with open(file_path, "r") as clear_file:
with open(file_path + "_hashanon", "w") as anone_file:
increment = 0
for hash in clear_file.readlines():
new_hash = hash.split("$")[:3]
new_hash.append("*user" + str(increment) + "$domain$some/spn*")
new_hash += hash.split("$")[6:]
logger.debug(new_hash)
anone_file.write("$".join(new_hash))
increment += 1
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
def main():
if options.ntds_path:
ntds_anonymize(options.ntds_path)
if options.asreproast_path:
asreproast_anonymize(options.asreproast_path)
if options.kerberoast_path:
kerberoast_anonymize(options.kerberoast_path)
if __name__ == "__main__":
BOLD_GREEN = "\033[1;32m"
BOLD_BLUE = "\033[1;34m"
BOLD_WHITE = "\033[1;37m"
BOLD_RED = "\033[1;31m"
BOLD_ORANGE = "\033[1;93m"
END = "\033[0m"
BLUE = "\033[0;34m"
GREEN = "\033[0;32m"
YELLOW = "\033[0;33m"
RED = "\033[0;31m"
options = get_options()
logger = Logger(options.verbosity, options.quiet)
main()

BIN
img/logo.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.8 KiB