Wikipedia + rockyou + hashesorg2019
parent
e011bf2098
commit
2b5f5810c6
52
README.md
52
README.md
|
@ -1,27 +1,38 @@
|
|||
# Nephelees
|
||||
Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also ntds cracking tool abusing Google Colab
|
||||
|
||||
> Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also a NTDS cracking tool abusing Google Colab
|
||||
|
||||
<p align="center">
|
||||
<img src="https://github.com/swisskyrepo/Nephelees/raw/main/img/logo.jpg?raw=true"><br>
|
||||
<a href="https://colab.research.google.com/github/swisskyrepo/Nephelees/blob/main/google_colab_hashcat.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>
|
||||
</p>
|
||||
|
||||
## V1 - Google Colab
|
||||
## Quick Start
|
||||
|
||||
* https://github.com/ShutdownRepo/hashonymize
|
||||
* https://github.com/ShutdownRepo/google-colab-hashcat
|
||||
* https://github.com/mxrch/penglab
|
||||
* https://colab.research.google.com/drive/1arm1_HEMb868mk18FlLkEcqvHPB_Ibgb#scrollTo=lWPQqb3oETLd
|
||||
0. Open the `ipynb` file by clicking on the button **Open in Colab**
|
||||
1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**.
|
||||
2. Select **Runtime**" and **Run all"** !
|
||||
3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists
|
||||
4. Upload your anonymized hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button
|
||||
5. Install requirements (hashcat + wordlists + rules)
|
||||
6. Run hashcat commands
|
||||
7. Recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the explorer in the left side of the panel.
|
||||
8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`
|
||||
|
||||
:warning: For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get **erased**.
|
||||
|
||||
|
||||
git clone https://github.com/iphelix/pack/blob/master/README
|
||||
$ python2 statsgen.py ../hashcat.potfile -o hashcat.mask
|
||||
$ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.hcmask
|
||||
|
||||
```ps1
|
||||
Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb
|
||||
Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU.
|
||||
Change the config by setting "True" at tools you want to install.
|
||||
Select "Runtime" and "Run all" !
|
||||
```
|
||||
|
||||
* markov, keyboard walking, dico + rules , haveibeenpwn
|
||||
* reuse old pot (extract passwd to new wordlist)
|
||||
|
||||
|
||||
## Hashcat Cheatsheet
|
||||
|
||||
Here are some of the most used attack modes for the `--attack-mode` option
|
||||
```
|
||||
0 Wordlist (with or without rules)
|
||||
|
@ -29,6 +40,7 @@ Here are some of the most used attack modes for the `--attack-mode` option
|
|||
```
|
||||
|
||||
Here are some of the most used hash types for the `--hash-type` option
|
||||
|
||||
```ps1
|
||||
1000 NTLM (actually its for NT hashes)
|
||||
3000 LM
|
||||
|
@ -42,18 +54,22 @@ Here are some of the most used hash types for the `--hash-type` option
|
|||
100 sha1
|
||||
1400 sha2-256
|
||||
1700 sha2-512
|
||||
|
||||
# 2 hours
|
||||
-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
|
||||
```
|
||||
|
||||
## V2 - UI
|
||||
Hashcat masks for custom cracking
|
||||
|
||||
* https://github.com/Coalfire-Research/npk
|
||||
* https://github.com/s3inlc/hashtopolis/releases/tag/v0.12.0
|
||||
```powershell
|
||||
|
||||
```
|
||||
|
||||
## References & Ideas
|
||||
|
||||
Most of the credits are due to @mxrch and @ShutdownRepo.
|
||||
This repository is mostly a rework of their scripts.
|
||||
|
||||
* https://github.com/mxrch/penglab
|
||||
* https://github.com/ShutdownRepo/hashonymize
|
||||
* https://github.com/ShutdownRepo/google-colab-hashcat
|
||||
* https://github.com/carlmon/Hashcat-Azure
|
||||
* https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/
|
||||
* https://www.trillsecurity.com/tutorials/automating-hashtopolis-with-terraform-part-i/
|
||||
|
|
|
@ -21,14 +21,17 @@
|
|||
},
|
||||
"source": [
|
||||
"# Nephelees - NTDS cracking on Google Colab\r\n",
|
||||
"1. Select \"Runtime\", \"Change runtime type\", and set \"Hardware accelerator\" to GPU. \r\n",
|
||||
"2. Select \"Runtime\" and \"Run all\" !\r\n",
|
||||
"1. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
|
||||
"2. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
|
||||
"3. install requirements\r\n",
|
||||
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
|
||||
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\r\n",
|
||||
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
|
||||
"\r\n",
|
||||
"0. Open the `ipynb` file by clicking on the button **Open in Colab**\r\n",
|
||||
"1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**. \r\n",
|
||||
"2. Select **Runtime**\" and **Run all\"** !\r\n",
|
||||
"3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
|
||||
"4. Upload your anonymized hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
|
||||
"5. Install requirements (hashcat + wordlists + rules)\r\n",
|
||||
"6. Run hashcat commands\r\n",
|
||||
"7. Recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the explorer in the left side of the panel.\r\n",
|
||||
"8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`\r\n",
|
||||
"\r\n",
|
||||
"\r\n",
|
||||
"**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. "
|
||||
]
|
||||
|
@ -74,11 +77,7 @@
|
|||
{
|
||||
"cell_type": "code",
|
||||
"metadata": {
|
||||
"id": "_M4BMeXCNCA8",
|
||||
"colab": {
|
||||
"base_uri": "https://localhost:8080/"
|
||||
},
|
||||
"outputId": "f08a6696-17ca-4415-f572-402e96fb7717"
|
||||
"id": "_M4BMeXCNCA8"
|
||||
},
|
||||
"source": [
|
||||
"# Download wordlists\r\n",
|
||||
|
@ -90,92 +89,31 @@
|
|||
"!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n",
|
||||
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && gunzip rockyou.txt.gz\r\n",
|
||||
"!cd $wordlists_dir && gunzip rockyou.txt.gz && rm rockyou.txt.gz\r\n",
|
||||
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n",
|
||||
"\r\n",
|
||||
"!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n",
|
||||
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && unxz kerberoast_pws.xz\r\n",
|
||||
"!cd $wordlists_dir && unxz kerberoast_pws.xz && rm kerberoast_pws.xz\r\n",
|
||||
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n",
|
||||
"\r\n",
|
||||
"!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n",
|
||||
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||
"!cd $wordlists_dir && gunzip hashesorg2019.gz\r\n",
|
||||
"!cd $wordlists_dir && gunzip hashesorg2019.gz && rm hashesorg2019.gz\r\n",
|
||||
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n",
|
||||
"\r\n",
|
||||
"# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n",
|
||||
"# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n",
|
||||
"# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n",
|
||||
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n"
|
||||
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n",
|
||||
"\r\n",
|
||||
"# 28 GB / https://download.weakpass.com/wordlists/1863/weakpass_2.gz\r\n",
|
||||
"# https://github.com/danielmiessler/SecLists/raw/5c9217fe8e930c41d128aacdc68cbce7ece96e4f/Passwords/Keyboard-Combinations.txt"
|
||||
],
|
||||
"execution_count": 20,
|
||||
"outputs": [
|
||||
{
|
||||
"output_type": "stream",
|
||||
"text": [
|
||||
"mkdir: cannot create directory ‘./wordlists’: File exists\n",
|
||||
"[+] Downloading the Rockyou wordlist...\n",
|
||||
"--2020-12-21 15:03:51-- https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
|
||||
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.151, 104.21.234.150, 2606:4700:3038::6815:ea97, ...\n",
|
||||
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.151|:443... connected.\n",
|
||||
"HTTP request sent, awaiting response... 200 OK\n",
|
||||
"Length: 53357062 (51M) [application/octet-stream]\n",
|
||||
"Saving to: ‘rockyou.txt.gz’\n",
|
||||
"\n",
|
||||
"rockyou.txt.gz 100%[===================>] 50.88M 11.8MB/s in 5.3s \n",
|
||||
"\n",
|
||||
"2020-12-21 15:03:56 (9.59 MB/s) - ‘rockyou.txt.gz’ saved [53357062/53357062]\n",
|
||||
"\n",
|
||||
"[+] Wordlist downloaded !\n",
|
||||
"[+] Extraction...\n",
|
||||
"gzip: rockyou.txt already exists; do you wish to overwrite (y or n)? ^C\n",
|
||||
"[+] Finished !\n",
|
||||
"[+] Location : /content/wordlists/rockyou.txt\n",
|
||||
"rockyou.txt.gz[+] Downloading the KerberoastPW wordlist...\n",
|
||||
"--2020-12-21 15:05:19-- https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
|
||||
"Resolving gist.github.com (gist.github.com)... 192.30.255.113\n",
|
||||
"Connecting to gist.github.com (gist.github.com)|192.30.255.113|:443... connected.\n",
|
||||
"HTTP request sent, awaiting response... 301 Moved Permanently\n",
|
||||
"Location: https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz [following]\n",
|
||||
"--2020-12-21 15:05:19-- https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
|
||||
"Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...\n",
|
||||
"Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|151.101.0.133|:443... connected.\n",
|
||||
"HTTP request sent, awaiting response... 200 OK\n",
|
||||
"Length: 98784072 (94M) [application/octet-stream]\n",
|
||||
"Saving to: ‘kerberoast_pws.xz.1’\n",
|
||||
"\n",
|
||||
"kerberoast_pws.xz.1 100%[===================>] 94.21M 185MB/s in 0.5s \n",
|
||||
"\n",
|
||||
"2020-12-21 15:05:21 (185 MB/s) - ‘kerberoast_pws.xz.1’ saved [98784072/98784072]\n",
|
||||
"\n",
|
||||
"[+] Wordlist downloaded !\n",
|
||||
"[+] Extraction...\n",
|
||||
"unxz: kerberoast_pws: File exists\n",
|
||||
"[+] Finished !\n",
|
||||
"[+] Location : /content/wordlists/kerberoast_pws\n",
|
||||
"kerberoast_pws.xz\n",
|
||||
"kerberoast_pws.xz.1[+] Downloading the HashesOrg2019 wordlist...\n",
|
||||
"--2020-12-21 15:05:21-- https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
|
||||
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.150, 104.21.234.151, 2606:4700:3038::6815:ea97, ...\n",
|
||||
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.150|:443... connected.\n",
|
||||
"HTTP request sent, awaiting response... 200 OK\n",
|
||||
"Length: 4468104490 (4.2G) [application/octet-stream]\n",
|
||||
"Saving to: ‘hashesorg2019.gz’\n",
|
||||
"\n",
|
||||
"hashesorg2019.gz 100%[===================>] 4.16G 11.7MB/s in 6m 0s \n",
|
||||
"\n",
|
||||
"2020-12-21 15:11:21 (11.9 MB/s) - ‘hashesorg2019.gz’ saved [4468104490/4468104490]\n",
|
||||
"\n",
|
||||
"[+] Wordlist downloaded !\n",
|
||||
"[+] Extraction...\n",
|
||||
"[+] Finished !\n",
|
||||
"[+] Location : /content/wordlists/hashesorg2019"
|
||||
],
|
||||
"name": "stdout"
|
||||
}
|
||||
]
|
||||
"execution_count": null,
|
||||
"outputs": []
|
||||
},
|
||||
{
|
||||
"cell_type": "code",
|
||||
|
@ -219,99 +157,89 @@
|
|||
{
|
||||
"cell_type": "code",
|
||||
"metadata": {
|
||||
"id": "xYgvNWGbKXSp",
|
||||
"colab": {
|
||||
"base_uri": "https://localhost:8080/"
|
||||
},
|
||||
"outputId": "cfbf1c6b-7d90-4108-fefa-e7566ad718b1"
|
||||
"id": "xYgvNWGbKXSp"
|
||||
},
|
||||
"source": [
|
||||
"# 3. Crack your hashes\n",
|
||||
"\n",
|
||||
"# Quick cracking - rockyou wordlist - around 10 minutes\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||
"\n",
|
||||
"# Medium cracking - kerberoast wordlist - around 30 minutes\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||
"\n",
|
||||
"# Insane cracking - hashesorg2019 wordlist - several days ?\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
|
||||
"# Insane cracking - hashesorg2019 wordlist - 2min + 8 min + 3h + 6h\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||
"\n",
|
||||
"# ----- around 3 hours on a p100 ------\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\n",
|
||||
"# ----- more than 3 days on a P100 --------\n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \n",
|
||||
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username"
|
||||
],
|
||||
"execution_count": null,
|
||||
"outputs": [
|
||||
"outputs": []
|
||||
},
|
||||
{
|
||||
"output_type": "stream",
|
||||
"text": [
|
||||
"hashcat (v6.1.1-120-g15bf8b730) starting...\n",
|
||||
"\n",
|
||||
"\u001b[31mnvmlDeviceGetFanSpeed(): Not Supported\u001b[0m\n",
|
||||
"\n",
|
||||
"CUDA API (CUDA 10.1)\n",
|
||||
"====================\n",
|
||||
"* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU\n",
|
||||
"\n",
|
||||
"OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]\n",
|
||||
"========================================================================\n",
|
||||
"* Device #2: Tesla P100-PCIE-16GB, skipped\n",
|
||||
"\n",
|
||||
"Minimum password length supported by kernel: 0\n",
|
||||
"Maximum password length supported by kernel: 27\n",
|
||||
"\n",
|
||||
"Hashes: 45 digests; 45 unique digests, 1 unique salts\n",
|
||||
"Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates\n",
|
||||
"Rules: 64\n",
|
||||
"\n",
|
||||
"Applicable optimizers applied:\n",
|
||||
"* Optimized-Kernel\n",
|
||||
"* Zero-Byte\n",
|
||||
"* Precompute-Init\n",
|
||||
"* Meet-In-The-Middle\n",
|
||||
"* Early-Skip\n",
|
||||
"* Not-Salted\n",
|
||||
"* Not-Iterated\n",
|
||||
"* Single-Salt\n",
|
||||
"* Raw-Hash\n",
|
||||
"\n",
|
||||
"Watchdog: Temperature abort trigger set to 90c\n",
|
||||
"\n",
|
||||
"INFO: Removed 27 hashes found in potfile.\n",
|
||||
"\n",
|
||||
"Host memory required for this attack: 983 MB\n",
|
||||
"\n",
|
||||
"Dictionary cache hit:\n",
|
||||
"* Filename..: /content/wordlists/hashesorg2019\n",
|
||||
"* Passwords.: 1279729109\n",
|
||||
"* Bytes.....: 13733214816\n",
|
||||
"* Keyspace..: 81902662976\n",
|
||||
"\n",
|
||||
"\u001b[33mCracking performance lower than expected?\u001b[0m\n",
|
||||
"\u001b[33m\u001b[0m\n",
|
||||
"\u001b[33m* Update your backend API runtime / driver the right way:\u001b[0m\n",
|
||||
"\u001b[33m https://hashcat.net/faq/wrongdriver\u001b[0m\n",
|
||||
"\u001b[33m\u001b[0m\n",
|
||||
"\u001b[33m* Create more work items to make use of your parallelization power:\u001b[0m\n",
|
||||
"\u001b[33m https://hashcat.net/faq/morework\u001b[0m\n",
|
||||
"\u001b[33m\u001b[0m\n",
|
||||
"[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => "
|
||||
"cell_type": "code",
|
||||
"metadata": {
|
||||
"id": "RCjfsWx6MwtT"
|
||||
},
|
||||
"source": [
|
||||
"# 4. More cracking materials\r\n",
|
||||
"import os\r\n",
|
||||
"pack_dir = \"pack\"\r\n",
|
||||
"os.system(\"pack_dir={}\".format(pack_dir))\r\n",
|
||||
"!mkdir ./$pack_dir\r\n",
|
||||
"\r\n",
|
||||
"!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/statsgen.py\r\n",
|
||||
"!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/maskgen.py\r\n",
|
||||
"!python2 $pack_dir/statsgen.py cracked.pot -o $pack_dir/hashcat.mask\r\n",
|
||||
"!python2 $pack_dir/maskgen.py $pack_dir/hashcat.mask --targettime 3600 --optindex -q -o $pack_dir/hashcat_1H.hcmask\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 3 /content/*.ntds $pack_dir/hashcat_1H.hcmask"
|
||||
],
|
||||
"name": "stdout"
|
||||
}
|
||||
]
|
||||
"execution_count": null,
|
||||
"outputs": []
|
||||
},
|
||||
{
|
||||
"cell_type": "code",
|
||||
"metadata": {
|
||||
"id": "Zs5N4JmKVNWX"
|
||||
},
|
||||
"source": [
|
||||
"# 5. Wikipedia list\r\n",
|
||||
"!apt install hydra -y\r\n",
|
||||
"!cd /content/wordlists && wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2\r\n",
|
||||
"!cd /content/wordlists && bzcat nowiki-latest-pages-articles.xml.bz2 | grep '^[a-zA-Z]' | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>=\"\\/]/\\ /g' | tr ' ' '\\n' | sed 's/[0-9]//g' | sed 's/[^A-Za-z0-9]//g' | sed -e 's/./\\L\\0/g' | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' | sort -u | pw-inspector -m1 -M20 > nowiki.lst\r\n",
|
||||
"!cd /content/wordlists && wc -l nowiki.lst\r\n",
|
||||
"\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --username\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/hob064.rule --username\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/d3adhob0.rule --username\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/dive.rule --username"
|
||||
],
|
||||
"execution_count": null,
|
||||
"outputs": []
|
||||
},
|
||||
{
|
||||
"cell_type": "code",
|
||||
"metadata": {
|
||||
"id": "D5T_SbzZNjhd"
|
||||
},
|
||||
"source": [
|
||||
"# 6. Full bruteforce for 8/9 characters and compliance masks\r\n",
|
||||
"# ----- around 3 hours on a p100 ------\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 /content/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\r\n",
|
||||
"# ----- more than 3 days on a P100 --------\r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \r\n",
|
||||
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
|
||||
],
|
||||
"execution_count": null,
|
||||
"outputs": []
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,143 @@
|
|||
import argparse
|
||||
|
||||
|
||||
class Logger:
|
||||
def __init__(self, verbosity=0, quiet=False):
|
||||
self.verbosity = verbosity
|
||||
self.quiet = quiet
|
||||
|
||||
def debug(self, message):
|
||||
if self.verbosity == 2:
|
||||
print("{}[DEBUG]{} {}".format(YELLOW, END, message))
|
||||
|
||||
def verbose(self, message):
|
||||
if self.verbosity >= 1:
|
||||
print("{}[VERBOSE]{} {}".format(BLUE, END, message))
|
||||
|
||||
def info(self, message):
|
||||
if not self.quiet:
|
||||
print("{}[*]{} {}".format(BOLD_BLUE, END, message))
|
||||
|
||||
def success(self, message):
|
||||
if not self.quiet:
|
||||
print("{}[+]{} {}".format(BOLD_GREEN, END, message))
|
||||
|
||||
def warning(self, message):
|
||||
if not self.quiet:
|
||||
print("{}[-]{} {}".format(BOLD_ORANGE, END, message))
|
||||
|
||||
def error(self, message):
|
||||
if not self.quiet:
|
||||
print("{}[!]{} {}".format(BOLD_RED, END, message))
|
||||
|
||||
|
||||
def get_options():
|
||||
description = "Turn your hashcat formatted hashes files into anonymized files for offline but online cracking (" \
|
||||
"i.e. Google Colab for example) "
|
||||
epilog = ""
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description=description,
|
||||
epilog=epilog,
|
||||
formatter_class=argparse.RawTextHelpFormatter,
|
||||
)
|
||||
|
||||
parser.add_argument("-ntds", "--ntds", dest="ntds_path", action="store",
|
||||
help="hashcat format ntds file to crack", required=False)
|
||||
parser.add_argument("-asreproast", "--asreproast", dest="asreproast_path", action="store",
|
||||
help="hashcat format asreproast file to crack", required=False)
|
||||
parser.add_argument("-kerberoast", "--kerberoast", dest="kerberoast_path", action="store",
|
||||
help="hashcat format kerberoast file to crack", required=False)
|
||||
parser.add_argument(
|
||||
"-v",
|
||||
"--verbose",
|
||||
dest="verbosity",
|
||||
action="count",
|
||||
default=0,
|
||||
help="verbosity level (-v for verbose, -vv for debug)",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-q",
|
||||
"--quiet",
|
||||
dest="quiet",
|
||||
action="store_true",
|
||||
default=False,
|
||||
help="show no information at all",
|
||||
)
|
||||
|
||||
options = parser.parse_args()
|
||||
|
||||
return options
|
||||
|
||||
|
||||
def ntds_anonymize(file_path):
|
||||
logger.info("Anonymizing ntds file {}".format(file_path))
|
||||
with open(file_path, "r") as clear_file:
|
||||
with open(file_path + "_hashanon", "w") as anone_file:
|
||||
increment = 0
|
||||
for hash in clear_file.readlines():
|
||||
username = hash.strip().split(":")[0]
|
||||
new_hash = hash.split(":")[1:]
|
||||
new_hash.insert(0, "user" + str(increment))
|
||||
logger.debug(new_hash)
|
||||
anone_file.write(":".join(new_hash))
|
||||
increment += 1
|
||||
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
|
||||
|
||||
|
||||
def asreproast_anonymize(file_path):
|
||||
logger.info("Anonymizing ASREProast file {}".format(file_path))
|
||||
with open(file_path, "r") as clear_file:
|
||||
with open(file_path + "_hashanon", "w") as anone_file:
|
||||
increment = 0
|
||||
for hash in clear_file.readlines():
|
||||
new_hash = hash.split("$")[:3]
|
||||
checksum = hash.split("$")[3].split(":")[1]
|
||||
new_hash.append("user" + str(increment) + ":" + checksum)
|
||||
new_hash += hash.split("$")[4:]
|
||||
logger.debug(new_hash)
|
||||
anone_file.write("$".join(new_hash))
|
||||
increment += 1
|
||||
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
|
||||
|
||||
|
||||
def kerberoast_anonymize(file_path):
|
||||
logger.info("Anonymizing Kerberoast file {}".format(file_path))
|
||||
with open(file_path, "r") as clear_file:
|
||||
with open(file_path + "_hashanon", "w") as anone_file:
|
||||
increment = 0
|
||||
for hash in clear_file.readlines():
|
||||
new_hash = hash.split("$")[:3]
|
||||
new_hash.append("*user" + str(increment) + "$domain$some/spn*")
|
||||
new_hash += hash.split("$")[6:]
|
||||
logger.debug(new_hash)
|
||||
anone_file.write("$".join(new_hash))
|
||||
increment += 1
|
||||
logger.success("Done writing to file {}".format(file_path + "_hashanon"))
|
||||
|
||||
|
||||
def main():
|
||||
if options.ntds_path:
|
||||
ntds_anonymize(options.ntds_path)
|
||||
if options.asreproast_path:
|
||||
asreproast_anonymize(options.asreproast_path)
|
||||
if options.kerberoast_path:
|
||||
kerberoast_anonymize(options.kerberoast_path)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
BOLD_GREEN = "\033[1;32m"
|
||||
BOLD_BLUE = "\033[1;34m"
|
||||
BOLD_WHITE = "\033[1;37m"
|
||||
BOLD_RED = "\033[1;31m"
|
||||
BOLD_ORANGE = "\033[1;93m"
|
||||
END = "\033[0m"
|
||||
BLUE = "\033[0;34m"
|
||||
GREEN = "\033[0;32m"
|
||||
YELLOW = "\033[0;33m"
|
||||
RED = "\033[0;31m"
|
||||
|
||||
options = get_options()
|
||||
logger = Logger(options.verbosity, options.quiet)
|
||||
|
||||
main()
|
Binary file not shown.
After Width: | Height: | Size: 5.8 KiB |
Loading…
Reference in New Issue