I now do password cracking in the cloud using a suped up AWS rig. More details here.
This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.
Resources used for this article:
From Paperspace, choose the Ubuntu server option that has:
- 8 CPU
- 30 GB RAM
- 50 GB HD
- Quadro P6000 card
Note that when you spin this up it's SSHable from anywhere in the world so you might want to lock it down with an ACL. I also elected to pay the extra buck a month for a static IP.
Run this script to get the core updates and tools installed:
sudo dpkg --remove-architecture i386
sudo apt-get update
sudo apt-get upgrade -y
sudo apt install ocl-icd-libopencl1 git build-essential -y
sudo git clone https://github.com/hashcat/hashcat /opt/hashcat
cd /opt/hashcat
sudo git submodule update --init
sudo make
sudo git clone https://github.com/hashcat/hashcat-utils /opt/hashcat-utils
cd /opt/hashcat-utils/src
sudo make
sudo cp *.bin ../bin
cd /tmp
# For the next command go to the NVidia site and ensure you're downloading the latest Linux drivers
sudo wget http://us.download.nvidia.com/XFree86/Linux-x86_64/384.69/NVIDIA-Linux-x86_64-384.69.run
sudo chmod +x ./NVIDIA-Linux-x86_64-384.69.run
sudo ./NVIDIA-Linux-x86_64-384.69.run
- Accept the agreement
- At the error about "nvidia-installer was forced to guess" error hit OK.
- At the error about "unable to find suitable" hit OK.
- At the "Would you like "nvidia-xconfig utility to..." hit YES
- At the "Your x configuration file has been successfully updated" hit OK
Then check out your Hashcat benchmarks:
sudo hashcat -b
to see all benchmarks
sudo hashcat -b -m 1000
to see just, for example, NTLM hash crack rate.
sudo git clone https://github.com/trustedsec/hate_crack.git /opt/hatecrack
sudo mkdir /opt/wordlists
cd /opt/wordlists
# Get the popular wordlists from Daniel Miessler
sudo git clone https://github.com/danielmiessler/SecLists.git /opt/wordlists/
cd /opt/wordlists
# Get the "human only" list of passwords from Crackstation.net
sudo wget https://crackstation.net/files/crackstation-human-only.txt.gz
sudo gunzip crackstation-human-only.txt.gz
sudo rm crackstation-human-only.txt.gz
sudo mv crackstation-human-only.txt /opt/wordlists/Passwords
Note: I've had issues getting Crackstation wordlists to import correctly (see later in this article), so during my last crack box build in June, 2020, I skip these.
# Get the base password list from Crackstation.net
sudo wget https://crackstation.net/files/crackstation.txt.gz
sudo gunzip crackstation.txt.gz
sudo rm crackstation.txt.gz
sudo mv crackstation.txt /opt/wordlists/Passwords
Note: in Dec of 2019 I built a cracking box from scratch, and found the crackstation lists would not parse properly when fed through the wordlist_optimizer.py (a little further down this tutorial). If you find that the case, just delete those two text files before running the wordlist optimizer
# Get rockyou.txt ready to rock
cd /opt/wordlists/Passwords/Leaked-Databases
sudo tar xvzf rockyou.txt.tar.gz
sudo mv rockyou.txt ..
rm rock*.gz
# Get latest Pwned Passwords list from hashes.org
Go to the "leaks" area, search for "pwned" and you should find various versions of the Pwned Passwords database to download in plain text
# Get the breachcompliation database
Download it via Magnet/Torrent here: https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3
Note: in June, 2020 I had issues getting this file, and if you look at the gist you'll see others are as well. I didn't spend too much time troubleshooting. Just moved on.
# Consolidate all downloaded wordlists into one "master" text file
cd /opt/wordlists
sudo ls -rt -d -1 $PWD/Passwords/*.txt > $PWD/Passwords/wordlists.txt
Note: on my last build of a cracking box, the running of wordlist_optimizer.py (a little further down this tutorial) would yield an out of memory error. I got around this by running the optimizer once with all wordlists except the breachcompliation database, then once again with just the breachcompliation database.
**Note 2: during my last crack box build in June, 2020, I kept my wordlist pretty simple. My wordlists.txt looks like this:
/opt/wordlists/Passwords/rockyou.txt
/opt/wordlists/Passwords/pp.txt
/opt/wordlists/Passwords/uniq.txt
Open the hatecrack config.json and adjust hcatPath, hcatBin, hcatWordlists and hcatOptimizedWordlists paths. Also adjust the .app extensions to be .bin:
{
"hcatPath": "/opt/hashcat",
"hcatBin": "hashcat",
"hcatTuning": "--force --remove",
"hcatWordlists": "/opt/wordlists/Passwords/",
"hcatOptimizedWordlists": "/opt/wordlists/optimized",
"hcatDictionaryWordlist": ["/opt/wordlists/Passwords/rockyou.txt"],
"hcatCombinationWordlist": ["/opt/wordlists/Passwords/rockyou.txt","/opt/wordlists/Passwords/rockyou.txt"],
"hcatHybridlist": ["/opt/wordlists/Passwords/rockyou.txt"],
"hcatMiddleCombinatorMasks": ["2","4"," ","-","_","+",",",".","&"],
"hcatMiddleBaseList": "/opt/wordlists/Passwords/rockyou.txt",
"hcatThoroughCombinatorMasks": ["0","1","2","3","4","5","6","7","8","9"," ","-","_","+",",","!","#","$","\"","%","&","'","(",")","*",",",".","/",":",";","<","=",">","?","@","[","\\","]","^","`","{","|","}","~"],
"hcatThoroughBaseList": "/opt/wordlists/Passwords/rockyou.txt",
"hcatGoodMeasureBaseList": "/opt/wordlists/Passwords/rockyou.txt",
"hcatRules": ["best64.rule","d3ad0ne.rule", "T0XlC.rule", "dive.rule"],
"hcatPrinceBaseList": "/opt/wordlists/Passwords/rockyou.txt",
"pipalPath": "/path/to/pipal"
splitlen_bin = "/opt/hashcat-utils/bin/splitlen.bin"
rli_bin = "/opt/hashcat-utils/bin/rli.bin"
sudo mkdir /opt/wordlists/optimized
sudo python3 /opt/hatecrack/wordlist_optimizer.py /opt/wordlists/Passwords/wordlists.txt /opt/wordlists/optimized
Note: last time I ran this I had to run it with python3.
Here's an example where I crack a text file full of NTLM hashes:
sudo python /opt/hatecrack/hatecrack /crackme/big-bucket-of-hashes.txt 1000
Follow the rest of the hatecrack read me, and have fun!
If you've followed my gist on dumping a backup of AD hashes and then cracked a list of just hashes, you may want the ability to come back in later and reconnect the relationship between hash and user. Thanks to my pal hackern0v1c3, he created a perfect tool for the job here. Oh, and if you need to take the output of a dump from something like secretsdump.py and turn it into something hash_combiner can chew on, try this:
cat secrets_dump.txt |cut -d'\' -f2 | cut -d':' -f1,4 > secrets_dump_reformated.txt
Enjoy!
First capture the handshake. Then convert the .cap to hccapx format with:
/opt/hashcat-utils/bin/cap2hccapx.bin NAME-OF-YOUR.cap NAME-OF-YOUR.hccapx
Then see this page to see all the different ways you can attack the handshake (dictionary, brute-force, etc.). One example of a dictionary attack is:
hashcat.exe -m 2500 NAME-OF-YOUR.hccapx rockyou.txt
Or if using hatecrack:
/opt/hatecrack/hate_crack.py /NAME-OF-YOUR.hccapx 2500
I found that this script is really helpful for monitoring changes to the hashcat.pot
file and then triggering an action of your choice.
For example, you could save the mikedmullin script as monme.sh
and then have a command like this:
monme.sh /opt/hashcat/hashcat.pot /scripts/somescript.sh
The somescript.sh
would contain the commands you'd want to have run once a change to the hashcat.pot
file was detected.
Sorry this took me foreeeeeeever to respond but nice work - I know some folks I'm going to point to your gist. Have a great weekend!