245 lines
13 KiB
Plaintext
245 lines
13 KiB
Plaintext
{
|
|
"nbformat": 4,
|
|
"nbformat_minor": 0,
|
|
"metadata": {
|
|
"colab": {
|
|
"name": "google_colab_hashcat.ipynb",
|
|
"provenance": [],
|
|
"collapsed_sections": []
|
|
},
|
|
"kernelspec": {
|
|
"name": "python3",
|
|
"display_name": "Python 3"
|
|
},
|
|
"accelerator": "GPU"
|
|
},
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {
|
|
"id": "bcgg59uiIxrv"
|
|
},
|
|
"source": [
|
|
"# Nephelees - NTDS cracking on Google Colab\r\n",
|
|
"\r\n",
|
|
"0. Open the `ipynb` file by clicking on the button **Open in Colab**\r\n",
|
|
"1. Select **Runtime**, **Change runtime type**, and set **Hardware accelerator** to **GPU**. \r\n",
|
|
"2. Select **Runtime**\" and **Run all\"** !\r\n",
|
|
"3. On your local machine, run [hashonymize](https://github.com/ShutdownRepo/hashonymize) to anonymize your hash lists\r\n",
|
|
"4. Upload your anonymized hashes list on the colab `!wget http://yourip:yourport/yourfile` or with the upload button\r\n",
|
|
"5. Install requirements (hashcat + wordlists + rules)\r\n",
|
|
"6. Run hashcat commands\r\n",
|
|
"7. Recover the .pot file from the Google Colab `!curl --upload-file ~/.hashcat/hashcat.potfile http://yourip:yourport/` or download the file from the explorer in the left side of the panel.\r\n",
|
|
"8. On your local machine, run the following hashcat command with the recovered potfile to match real usernames with cracked password `hashcat --potfile-path hashcat.potfile --hash-type 1000 --username example.ntds wordlists/rockyou.txt`\r\n",
|
|
"\r\n",
|
|
"\r\n",
|
|
"**/!\\** For every 12hrs or so Disk, RAM, VRAM, CPU cache etc data that is on our alloted virtual machine will get erased. "
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"colab": {
|
|
"base_uri": "https://localhost:8080/"
|
|
},
|
|
"id": "A86GVzaW6YpT",
|
|
"outputId": "fbeb72d7-0174-4812-91fe-6e74dba550ce"
|
|
},
|
|
"source": [
|
|
"# Check GPU (Tesla P100 is the best GPU on Colab)\r\n",
|
|
"!nvidia-smi -L"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": [
|
|
{
|
|
"output_type": "stream",
|
|
"text": [
|
|
"GPU 0: Tesla P100-PCIE-16GB (UUID: GPU-711e1706-fccb-c944-73a8-796eb7a9d342)\n"
|
|
],
|
|
"name": "stdout"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "LWWa641VMu7Y"
|
|
},
|
|
"source": [
|
|
"# Install Hashcat\r\n",
|
|
"!apt install cmake build-essential -y\r\n",
|
|
"!apt install checkinstall git -y\r\n",
|
|
"!git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "_M4BMeXCNCA8"
|
|
},
|
|
"source": [
|
|
"# Download wordlists\r\n",
|
|
"import os\r\n",
|
|
"wordlists_dir = \"wordlists\"\r\n",
|
|
"os.system(\"wordlists_dir={}\".format(wordlists_dir))\r\n",
|
|
"!mkdir ./$wordlists_dir\r\n",
|
|
"\r\n",
|
|
"!printf \"[+] Downloading the Rockyou wordlist...\\n\"\r\n",
|
|
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/90/rockyou.txt.gz\r\n",
|
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
|
"!cd $wordlists_dir && gunzip rockyou.txt.gz && rm rockyou.txt.gz\r\n",
|
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep rockyou)\"\r\n",
|
|
"\r\n",
|
|
"!printf \"[+] Downloading the KerberoastPW wordlist...\\n\"\r\n",
|
|
"!cd $wordlists_dir && wget https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz\r\n",
|
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
|
"!cd $wordlists_dir && unxz kerberoast_pws.xz && rm kerberoast_pws.xz\r\n",
|
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep kerberoast_pws)\"\r\n",
|
|
"\r\n",
|
|
"!printf \"[+] Downloading the HashesOrg2019 wordlist...\\n\"\r\n",
|
|
"!cd $wordlists_dir && wget https://download.weakpass.com/wordlists/1851/hashesorg2019.gz\r\n",
|
|
"!printf \"[+] Wordlist downloaded !\\n[+] Extraction...\\n\"\r\n",
|
|
"!cd $wordlists_dir && gunzip hashesorg2019.gz && rm hashesorg2019.gz\r\n",
|
|
"!printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep hashesorg2019)\"\r\n",
|
|
"\r\n",
|
|
"# !printf \"[+] Downloading the Have I been Pwned V7 wordlist...\\n\"\r\n",
|
|
"# !cd $wordlists_dir && wget https://hashes.org/download.php?type=found&hashlistId=8161 -O \tHaveIbeenPwnedV7.txt\r\n",
|
|
"# !printf \"[+] Wordlist downloaded !\\n[+]\\n\"\r\n",
|
|
"# !printf \"[+] Finished !\\n[+] Location : $(pwd)/$wordlists_dir/$(ls wordlists | grep HaveIbeenPwnedV7)\"\r\n",
|
|
"\r\n",
|
|
"# 28 GB / https://download.weakpass.com/wordlists/1863/weakpass_2.gz\r\n",
|
|
"# https://github.com/danielmiessler/SecLists/raw/5c9217fe8e930c41d128aacdc68cbce7ece96e4f/Passwords/Keyboard-Combinations.txt"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "d1cxo70DQDxs"
|
|
},
|
|
"source": [
|
|
"# Download rules\r\n",
|
|
"import os\r\n",
|
|
"rules_dir = \"/content/hashcat/rules\"\r\n",
|
|
"os.system(\"rules_dir={}\".format(rules_dir))\r\n",
|
|
"!mkdir ./$rules_dir\r\n",
|
|
"\r\n",
|
|
"!printf \"[+] Downloading the hob064 ruleset...\\n\"\r\n",
|
|
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule\r\n",
|
|
"!printf \"[+] Rules downloaded !\\n\"\r\n",
|
|
"!printf \"[+] Location : $(ls $rules_dir | grep hob064)\"\r\n",
|
|
"\r\n",
|
|
"!printf \"[+] Downloading the d3adhob0 ruleset...\\n\"\r\n",
|
|
"!cd $rules_dir && wget https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule\r\n",
|
|
"!printf \"[+] Rules downloaded !\\n\"\r\n",
|
|
"!printf \"[+] Location : $(ls $rules_dir | grep d3adhob0)\""
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "vNuhf2r4JxdD"
|
|
},
|
|
"source": [
|
|
"# 2. Download your hashfile from your machine\n",
|
|
"# for OPSEC reasons, please don't paste your hashes on a pastebin\n",
|
|
"# use ngrok (https://ngrok.com/) + updog (https://github.com/sc0tfree/updog) instead if you don't have a public IP address\n",
|
|
"!wget https://YOURLISTENERIP:YOURPORT/YOURFILE"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "xYgvNWGbKXSp"
|
|
},
|
|
"source": [
|
|
"# 3. Crack your hashes\n",
|
|
"\n",
|
|
"# Quick cracking - rockyou wordlist - around 10 minutes\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/rockyou.txt --rules-file /content/hashcat/rules/dive.rule --username\n",
|
|
"\n",
|
|
"# Medium cracking - kerberoast wordlist - around 30 minutes\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/kerberoast_pws --rules-file /content/hashcat/rules/dive.rule --username\n",
|
|
"\n",
|
|
"# Insane cracking - hashesorg2019 wordlist - 2min + 8 min + 3h + 6h\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/hob064.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/d3adhob0.rule --username\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/hashesorg2019 --rules-file /content/hashcat/rules/dive.rule --username"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "RCjfsWx6MwtT"
|
|
},
|
|
"source": [
|
|
"# 4. More cracking materials\r\n",
|
|
"import os\r\n",
|
|
"pack_dir = \"pack\"\r\n",
|
|
"os.system(\"pack_dir={}\".format(pack_dir))\r\n",
|
|
"!mkdir ./$pack_dir\r\n",
|
|
"\r\n",
|
|
"!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/statsgen.py\r\n",
|
|
"!cd $pack_dir && wget https://raw.githubusercontent.com/iphelix/pack/master/maskgen.py\r\n",
|
|
"!python2 $pack_dir/statsgen.py cracked.pot -o $pack_dir/hashcat.mask\r\n",
|
|
"!python2 $pack_dir/maskgen.py $pack_dir/hashcat.mask --targettime 3600 --optindex -q -o $pack_dir/hashcat_1H.hcmask\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 3 /content/*.ntds $pack_dir/hashcat_1H.hcmask"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "Zs5N4JmKVNWX"
|
|
},
|
|
"source": [
|
|
"# 5. Wikipedia list\r\n",
|
|
"!apt install hydra -y\r\n",
|
|
"!cd /content/wordlists && wget http://download.wikimedia.org/nowiki/latest/nowiki-latest-pages-articles.xml.bz2\r\n",
|
|
"!cd /content/wordlists && bzcat nowiki-latest-pages-articles.xml.bz2 | grep '^[a-zA-Z]' | sed 's/[-_:.,;#@+?{}()&|§!¤%`<>=\"\\/]/\\ /g' | tr ' ' '\\n' | sed 's/[0-9]//g' | sed 's/[^A-Za-z0-9]//g' | sed -e 's/./\\L\\0/g' | sed 's/[^abcdefghijklmnopqrstuvwxyzæøå]//g' | sort -u | pw-inspector -m1 -M20 > nowiki.lst\r\n",
|
|
"!cd /content/wordlists && wc -l nowiki.lst\r\n",
|
|
"\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --username\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/hob064.rule --username\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/d3adhob0.rule --username\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O -a 0 /content/*.ntds /content/wordlists/nowiki.lst --rules-file /content/hashcat/rules/dive.rule --username"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"metadata": {
|
|
"id": "D5T_SbzZNjhd"
|
|
},
|
|
"source": [
|
|
"# 6. Full bruteforce for 8/9 characters and compliance masks\r\n",
|
|
"# ----- around 3 hours on a p100 ------\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 /content/hashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 -1 ?l?d?u ?1?1?1?1?1?1?1?1\r\n",
|
|
"# ----- more than 3 days on a P100 --------\r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a \r\n",
|
|
"!hashcat -m 1000 --potfile-path /content/cracked.pot --status --status-timer 300 -w 4 -O /content/*.ntds -a 3 ?a?a?a?a?a?a?a?a?a"
|
|
],
|
|
"execution_count": null,
|
|
"outputs": []
|
|
}
|
|
]
|
|
} |