Add files via upload
parent
88a6eb17f1
commit
96088a98d8
|
@ -0,0 +1,218 @@
|
||||||
|
{
|
||||||
|
"nbformat": 4,
|
||||||
|
"nbformat_minor": 0,
|
||||||
|
"metadata": {
|
||||||
|
"colab": {
|
||||||
|
"name": "google-colab-hashcat.ipynb",
|
||||||
|
"provenance": [],
|
||||||
|
"collapsed_sections": [],
|
||||||
|
"include_colab_link": true
|
||||||
|
},
|
||||||
|
"kernelspec": {
|
||||||
|
"name": "python3",
|
||||||
|
"display_name": "Python 3"
|
||||||
|
},
|
||||||
|
"accelerator": "GPU"
|
||||||
|
},
|
||||||
|
"cells": [
|
||||||
|
{
|
||||||
|
"cell_type": "markdown",
|
||||||
|
"metadata": {
|
||||||
|
"id": "view-in-github",
|
||||||
|
"colab_type": "text"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"<a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "markdown",
|
||||||
|
"metadata": {
|
||||||
|
"id": "2ommePNS-o92"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# Google colab hash cracking\n",
|
||||||
|
"\n",
|
||||||
|
"<p align=\"center\">\n",
|
||||||
|
" <a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>\n",
|
||||||
|
" <a href=\"https://twitter.com/intent/follow?screen_name=_nwodtuhs\" title=\"Follow\"><img src=\"https://img.shields.io/twitter/follow/_nwodtuhs?label=Shutdown&style=social\"></a>\n",
|
||||||
|
"</p>\n",
|
||||||
|
"\n",
|
||||||
|
"## Workflow example 1 (simple wordlist)\n",
|
||||||
|
"\n",
|
||||||
|
"This Google colab can be used for hash cracking with wordlists and rules.\n",
|
||||||
|
"Here is an example of that can be followed to crack NT hashes.\n",
|
||||||
|
"\n",
|
||||||
|
"1. run the preparation script below\n",
|
||||||
|
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
||||||
|
"3. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
||||||
|
"\n",
|
||||||
|
"## Workflow example 2 (wordlist + rules)\n",
|
||||||
|
"\n",
|
||||||
|
"This is an example that is especially useful for internal engagements where users often use a transformation of the corp name as password (i.e. Corp2016!).\n",
|
||||||
|
"\n",
|
||||||
|
"1. create a wordlist based on some names that are currently used in the company\n",
|
||||||
|
"```\n",
|
||||||
|
"company\n",
|
||||||
|
"cpmny\n",
|
||||||
|
"corp\n",
|
||||||
|
"management\n",
|
||||||
|
"admin\n",
|
||||||
|
"```\n",
|
||||||
|
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
||||||
|
"3. run the hashcat command `!hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/d3adhob0.rule DOMAIN.LOCAL.ntds company.lst`\n",
|
||||||
|
"\n",
|
||||||
|
"## Workflow example 3 (OPSEC: crack anonymized hashes)\n",
|
||||||
|
"\n",
|
||||||
|
"1. run the preparation script below\n",
|
||||||
|
"2. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\n",
|
||||||
|
"3. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
||||||
|
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
||||||
|
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\n",
|
||||||
|
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
||||||
|
"\n",
|
||||||
|
"hashcat -m 1000 --potfile-path ntds.cracked ntds.tocrack --show --username\n",
|
||||||
|
"\n",
|
||||||
|
"## Short hashcat manual\n",
|
||||||
|
"\n",
|
||||||
|
"Here are some useful options\n",
|
||||||
|
"```\n",
|
||||||
|
"--status Enable automatic update of the status screen\n",
|
||||||
|
"--attack-mode Attack-mode, see references below\n",
|
||||||
|
"--hash-type Hash-type, see references below\n",
|
||||||
|
"--username Enable ignoring of usernames in hashfile \n",
|
||||||
|
"--rules-file Multiple rules applied to each word from wordlists\n",
|
||||||
|
"--potfile-path Specific path to potfile\n",
|
||||||
|
"```\n",
|
||||||
|
"\n",
|
||||||
|
"Here are some of the most used attack modes for the `--attack-mode` option\n",
|
||||||
|
"```\n",
|
||||||
|
"0 Wordlist (with or without rules)\n",
|
||||||
|
"3 Pure bruteforce\n",
|
||||||
|
"```\n",
|
||||||
|
"\n",
|
||||||
|
"Here are some of the most used hash types for the `--hash-type` option\n",
|
||||||
|
"```\n",
|
||||||
|
"1000 NTLM (actually it's for NT hashes)\n",
|
||||||
|
"3000 LM\n",
|
||||||
|
"5500 Net-NTLMv1 (actually, it should be called NTLMv1)\n",
|
||||||
|
"5600 Net-NTLMv2 (actually, it should be called NTLMv2)\n",
|
||||||
|
"13100 Kerberoast\n",
|
||||||
|
"18200 ASREProast\n",
|
||||||
|
"22000 WPA-PBKDF2-PMKID+EAPOL\n",
|
||||||
|
"16800 WPA-PMKID-PBKDF2\n",
|
||||||
|
"0 md5\n",
|
||||||
|
"100 sha1\n",
|
||||||
|
"1400 sha2-256\n",
|
||||||
|
"1700 sha2-512\n",
|
||||||
|
"```\n",
|
||||||
|
"\n",
|
||||||
|
"# Credits\n",
|
||||||
|
"Credits go to mxrch for his original project called [penglab](https://github.com/mxrch/penglab)"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "markdown",
|
||||||
|
"metadata": {
|
||||||
|
"id": "NMFCTYwaKtu7"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# Your hash cracking starts here"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "code",
|
||||||
|
"metadata": {
|
||||||
|
"id": "7ucWO9luB4RG"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# 1. Run the preparation basis\n",
|
||||||
|
"# Edit the wordlists and rules you want\n",
|
||||||
|
"\n",
|
||||||
|
"rockyou = True\n",
|
||||||
|
"hashesorg2019 = False # huge wordlist (~12GB, ~6mins download)\n",
|
||||||
|
"quickrules = True # hob064.rule\n",
|
||||||
|
"extensiverules = True # d3adhob0.rule\n",
|
||||||
|
"\n",
|
||||||
|
"import os\n",
|
||||||
|
"\n",
|
||||||
|
"def install():\n",
|
||||||
|
" rules_dir = \"rules\"\n",
|
||||||
|
" wordlists_dir = \"wordlists\"\n",
|
||||||
|
" # Removing the default sample data\n",
|
||||||
|
" !rm -r sample_data/\n",
|
||||||
|
" # Installing hashcat\n",
|
||||||
|
" print(\"[+] Installation of hashcat...\")\n",
|
||||||
|
" !apt install cmake build-essential -y\n",
|
||||||
|
" !apt install checkinstall git -y\n",
|
||||||
|
" !git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install\n",
|
||||||
|
"\n",
|
||||||
|
" # Installing wordlists\n",
|
||||||
|
" os.system(\"wordlists_dir={}\".format(wordlists_dir))\n",
|
||||||
|
" !mkdir ./$wordlists_dir\n",
|
||||||
|
" if rockyou:\n",
|
||||||
|
" !printf \"[+] Downloading the Rockyou wordlist...\\n\"\n",
|
||||||
|
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
|
||||||
|
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n",
|
||||||
|
" !cd $wordlists_dir && gunzip rockyou.txt.gz\n",
|
||||||
|
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\n",
|
||||||
|
"\n",
|
||||||
|
" if hashesorg2019:\n",
|
||||||
|
" !printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\n",
|
||||||
|
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
|
||||||
|
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n",
|
||||||
|
" !cd $wordlists_dir && gunzip hashesorg2019.gz\n",
|
||||||
|
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\n",
|
||||||
|
"\n",
|
||||||
|
" # Installing rules\n",
|
||||||
|
" os.system(\"rules_dir={}\".format(rules_dir))\n",
|
||||||
|
" !mkdir ./$rules_dir\n",
|
||||||
|
" if quickrules:\n",
|
||||||
|
" !printf \"[+] Downloading the hob064 ruleset...\\n\"\n",
|
||||||
|
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\n",
|
||||||
|
" !printf \"[+] Rules downloaded !\\n\"\n",
|
||||||
|
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep hob064)\"\n",
|
||||||
|
" if extensiverules:\n",
|
||||||
|
" !printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\n",
|
||||||
|
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\n",
|
||||||
|
" !printf \"[+] Rules downloaded !\\n\"\n",
|
||||||
|
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep d3adhob0)\"\n",
|
||||||
|
"\n",
|
||||||
|
"install()\n",
|
||||||
|
"!printf \"\\n[+] Install is over, listing rules and wordlists...\\n\"\n",
|
||||||
|
"!ls rules wordlists"
|
||||||
|
],
|
||||||
|
"execution_count": null,
|
||||||
|
"outputs": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "code",
|
||||||
|
"metadata": {
|
||||||
|
"id": "vNuhf2r4JxdD"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# 2. Download your hashfile from your machine\n",
|
||||||
|
"# for OPSEC reasons, please don't paste your hashes on a pastebin\n",
|
||||||
|
"# use ngrok (https://ngrok.com/) + updog (https://github.com/sc0tfree/updog) instead if you don't have a public IP address\n",
|
||||||
|
"!wget https://YOURLISTENERIP:YOURPORT/YOURFILE"
|
||||||
|
],
|
||||||
|
"execution_count": null,
|
||||||
|
"outputs": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "code",
|
||||||
|
"metadata": {
|
||||||
|
"id": "xYgvNWGbKXSp"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# 3. Crack your hashes\n",
|
||||||
|
"# Examples\n",
|
||||||
|
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt\n",
|
||||||
|
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/hob064.rule DOMAIN.LOCAL.ntds company.lst\n",
|
||||||
|
"!hashcat --benchmark"
|
||||||
|
],
|
||||||
|
"execution_count": null,
|
||||||
|
"outputs": []
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
Loading…
Reference in New Issue