From 65ed6604e40cf094ea5a7f10697d08123d4d3e9f Mon Sep 17 00:00:00 2001 From: Justin Bollinger Date: Fri, 26 Jan 2018 13:14:00 -0500 Subject: [PATCH] Initial Commit --- .gitmodules | 12 ++ config.ini | 11 ++ hashcat-utils | 1 + hate_crack.py | 424 ++++++++++++++++++++++++++++++++++++++++++ masks/pathwell.hcmask | 100 ++++++++++ pack | 1 + princeprocessor | 1 + readme.md | 160 ++++++++++++++++ wordlist_optimizer.py | 70 +++++++ 9 files changed, 780 insertions(+) create mode 100644 .gitmodules create mode 100644 config.ini create mode 160000 hashcat-utils create mode 100755 hate_crack.py create mode 100644 masks/pathwell.hcmask create mode 160000 pack create mode 160000 princeprocessor create mode 100644 readme.md create mode 100755 wordlist_optimizer.py diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e4e6a57 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,12 @@ +[submodule "PACK"] + path = PACK + url = https://github.com/iphelix/pack.git +[submodule "hashcat-utils"] + path = hashcat-utils + url = https://github.com/hashcat/hashcat-utils.git +[submodule "princeprocessor"] + path = princeprocessor + url = https://github.com/hashcat/princeprocessor.git +[submodule "pack"] + path = pack + url = https://github.com/iphelix/pack.git diff --git a/config.ini b/config.ini new file mode 100644 index 0000000..9528bfd --- /dev/null +++ b/config.ini @@ -0,0 +1,11 @@ +[Default Paths] +hcatPath=/Passwords/hashcat +hcatBin=hashcat +hcatTuning=--force +hcatWordlists=/Passwords/wordlists +hcatOptimizedWordlists=/Passwords/optimized_wordlists + +# Change extension to .bin for Linux and .app for OSX +hcatExpanderBin=expander.app +hcatCombinatorBin=combinator.app +hcatPrinceBin=pp64.app diff --git a/hashcat-utils b/hashcat-utils new file mode 160000 index 0000000..4cdb116 --- /dev/null +++ b/hashcat-utils @@ -0,0 +1 @@ +Subproject commit 4cdb116022a45787e1be99251f45966bff8400ab diff --git a/hate_crack.py b/hate_crack.py new file mode 100755 index 0000000..25262cc --- /dev/null +++ b/hate_crack.py @@ -0,0 +1,424 @@ +#!/usr/bin/env python + +# Methodology provided by Martin Bos (pure_hate) +# Original script provided by Larry Spohn (spoonman) + +import subprocess +import sys +import os +import signal +import time +import ConfigParser +import random +import re + +hate_path = os.path.dirname(os.path.realpath(__file__)) +hcatConfig = ConfigParser.ConfigParser() +hcatConfig.readfp(open(hate_path + '/config.ini')) +hcatPath = hcatConfig.get('Default Paths', 'hcatPath') +hcatBin = hcatConfig.get('Default Paths', 'hcatBin') +hcatTuning = hcatConfig.get('Default Paths', 'hcatTuning') +hcatWordlists = hcatConfig.get('Default Paths', 'hcatWordlists') +hcatOptimizedWordlists = hcatConfig.get('Default Paths', 'hcatOptimizedWordlists') +hcatExpanderBin = hcatConfig.get('Default Paths', 'hcatExpanderBin') +hcatCombinatorBin = hcatConfig.get('Default Paths', 'hcatCombinatorBin') +hcatPrinceBin = hcatConfig.get('Default Paths', 'hcatPrinceBin') + +hcatHashCount = 0 +hcatHashCracked = 0 +hcatBruteCount = 0 +hcatDictionaryCount = 0 +hcatMaskCount = 0 +hcatFingerprintCount = 0 +hcatCombinationCount = 0 +hcatHybridCount = 0 +hcatExtraCount = 0 +hcatRecycleCount = 0 +hcatProcess = 0 + +# Help +def usage(): + print "usage: python hate_crack.py " + print "\nThe is attained by running \"%s/%s --help\"\n" % (hcatPath, hcatBin) + print "Example Hashes: http://hashcat.net/wiki/doku.php?id=example_hashes\n" + +def ascii_art(): + print r""" + + ___ ___ __ _________ __ + / | \_____ _/ |_ ____ \_ ___ \____________ ____ | | __ +/ ~ \__ \\ __\/ __ \ / \ \/\_ __ \__ \ _/ ___\| |/ / +\ Y // __ \| | \ ___/ \ \____| | \// __ \\ \___| < + \___|_ /(____ /__| \___ >____\______ /|__| (____ /\___ >__|_ \ + \/ \/ \/_____/ \/ \/ \/ \/ + Public Release + Version 1.00 + """ + +# Counts the number of lines in a file +def lineCount(file): + try: + outFile = open(file) + except: + return 0 + + count = 0 + for line in outFile: + count = count + 1 + return count + +# Brute Force Attack +def hcatBruteForce(hcatHashType, hcatHashFile, hcatMinLen, hcatMaxLen): + global hcatBruteCount + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out --increment --increment-min=%s --increment-max=%s -a 3 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatMinLen, hcatMaxLen, hcatTuning, hate_path), shell=True).wait() + hcatBruteCount = lineCount(hcatHashFile + ".out") + +# Dictionary Attack +def hcatDictionary(hcatHashType, hcatHashFile): + global hcatDictionaryCount + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out %s/* -r %s/rules/best64.rule %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatOptimizedWordlists, hcatPath, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out %s/rockyou.txt -r %s/rules/d3ad0ne.rule %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatPath, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out %s/rockyou.txt -r %s/rules/T0XlC.rule %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatPath, hcatTuning, hate_path), shell=True).wait() + hcatDictionaryCount = lineCount(hcatHashFile + ".out") - hcatBruteCount + +# Quick Dictionary Attack (Optional Chained Rules) +def hcatQuickDictionary(hcatHashType, hcatHashFile, hcatChains): + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out %s/* %s %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatOptimizedWordlists, hcatChains, hcatTuning, hate_path), shell=True).wait() + +# Top Mask Attack +def hcatTopMask(hcatHashType, hcatHashFile, hcatTargetTime): + global hcatMaskCount + global hcatProcess + hcatProcess = subprocess.Popen("cat %s.out | cut -d : -f 2 > %s.working" % (hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/PACK/statsgen.py %s.working -o %s.masks" % (hate_path, hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/PACK/maskgen.py %s.masks --targettime %s --optindex -q --pps 14000000000 --minlength=7 -o %s.hcmask" % (hate_path, hcatHashFile, hcatTargetTime, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 3 %s.hcmask %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatHashFile, hcatTuning, hate_path), shell=True).wait() + hcatMaskCount = lineCount(hcatHashFile + ".out") - hcatHashCracked + +# Fingerprint Attack +def hcatFingerprint(hcatHashType, hcatHashFile): + global hcatFingerprintCount + global hcatProcess + crackedBefore = lineCount(hcatHashFile + ".out") + crackedAfter = 0 + while (crackedBefore != crackedAfter): + crackedBefore = lineCount(hcatHashFile + ".out") + hcatProcess = subprocess.Popen("cat %s.out | cut -d : -f 2 > %s.working" % (hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/hashcat-utils/bin/%s < %s.working | sort -u > %s.expanded" % (hate_path, hcatExpanderBin, hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 1 %s.expanded %s.expanded %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatHashFile, hcatHashFile, hcatTuning, hate_path), shell=True).wait() + crackedAfter = lineCount(hcatHashFile + ".out") + hcatFingerprintCount = lineCount(hcatHashFile + ".out") - hcatHashCracked + +# Combinator Attack +def hcatCombination(hcatHashType, hcatHashFile): + global hcatCombinationCount + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 1 %s/rockyou.txt %s/rockyou.txt %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatCombinationCount = lineCount(hcatHashFile + ".out") - hcatHashCracked + +# Hybrid Attack +def hcatHybrid(hcatHashType, hcatHashFile): + global hcatHybridCount + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 6 -1 ?s?d %s/rockyou.txt ?1?1 %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 6 -1 ?s?d %s/rockyou.txt ?1?1?1 %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 6 -1 ?s?d %s/rockyou.txt ?1?1?1?1 %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 7 -1 ?s?d ?1?1 %s/rockyou.txt %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 7 -1 ?s?d ?1?1?1 %s/rockyou.txt %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 7 -1 ?s?d ?1?1?1?1 %s/rockyou.txt %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatHybridCount = lineCount(hcatHashFile + ".out") - hcatHashCracked + +# YOLO Combination Attack +def hcatYoloCombination(hcatHashType, hcatHashFile): + global hcatProcess + while(1): + hcatLeft = random.choice(os.listdir(hcatOptimizedWordlists)) + hcatRight = random.choice(os.listdir(hcatOptimizedWordlists)) + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 1 %s/%s %s/%s %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatOptimizedWordlists, hcatLeft, hcatOptimizedWordlists, hcatRight, hcatTuning, hate_path), shell=True).wait() + +# Pathwell Mask Brute Force Attack +def hcatPathwellBruteForce(hcatHashType, hcatHashFile): + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -a 3 %s/masks/pathwell.hcmask %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hate_path, hcatTuning, hate_path), shell=True).wait() + +# PRINCE Attack +def hcatPrince(hcatHashType, hcatHashFile): + global hcatProcess + hcatHashCracked = lineCount(hcatHashFile + ".out") + hcatProcess = subprocess.Popen("%s/princeprocessor/%s --case-permute --elem-cnt-min=1 --elem-cnt-max=16 -c < %s/rockyou.txt |%s/%s -m %s %s --remove -o %s.out -r %s/princeprocessor/rules/prince_optimized.rule %s --potfile-path=%s/hashcat.pot" % (hate_path, hcatPrinceBin, hcatWordlists, hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hate_path, hcatTuning, hate_path), shell=True).wait() + +# Extra - Good Measure +def hcatGoodMeasure(hcatHashType, hcatHashFile): + global hcatExtraCount + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out -r %s/rules/combinator.rule -r %s/rules/InsidePro-PasswordsPro.rule %s/rockyou.txt %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatPath, hcatPath, hcatWordlists, hcatTuning, hate_path), shell=True).wait() + hcatExtraCount = lineCount(hcatHashFile + ".out") - hcatHashCracked + +# LanMan to NT Attack +def hcatLMtoNT(): + global hcatProcess + hcatProcess = subprocess.Popen("%s/%s --show --potfile-path=%s/hashcat.pot -m 3000 %s.lm >%s.lm.cracked" % (hcatPath, hcatBin, hate_path, hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m 3000 %s.lm --remove -o %s.lm.cracked -1 ?u?d?s --increment -a 3 ?1?1?1?1?1?1?1 %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashFile, hcatHashFile, hcatTuning, hate_path), shell=True).wait() + hcatProcess = subprocess.Popen("cat %s.lm.cracked | cut -d : -f 2 > %s.working" % (hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/hashcat-utils/bin/%s %s.working %s.working | sort -u > %s.combined" % (hate_path, hcatCombinatorBin, hcatHashFile, hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s --show --potfile-path=%s/hashcat.pot -m 1000 %s.nt >%s.nt.out" % (hcatPath, hcatBin, hate_path, hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m 1000 %s.nt --remove -o %s.nt.out %s.combined -r %s/rules/toggles-lm-ntlm.rule %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashFile, hcatHashFile, hcatHashFile, hate_path, hcatTuning, hate_path), shell=True).wait() + #toggle-lm-ntlm.rule by Didier Stevens https://blog.didierstevens.com/2016/07/16/tool-to-generate-hashcat-toggle-rules/ + +# Recycle Cracked Passwords +def hcatRecycle(hcatHashType, hcatHashFile, hcatNewPasswords): + global hcatProcess + if (hcatNewPasswords > 0): + hcatProcess = subprocess.Popen("cat %s.out | cut -d : -f 2 > %s.working" % (hcatHashFile, hcatHashFile), shell=True).wait() + hcatProcess = subprocess.Popen("%s/%s -m %s %s --remove -o %s.out %s.working -r %s/rules/d3ad0ne.rule %s --potfile-path=%s/hashcat.pot" % (hcatPath, hcatBin, hcatHashType, hcatHashFile, hcatHashFile, hcatHashFile, hcatPath, hcatTuning, hate_path), shell=True).wait() + +# Cleanup Temp Files +def cleanup(): + if hcatHashType == "1000": + print "\nComparing cracked hashes to original file..." + hcatCombinedHashes = open(hcatHashFileOrig + ".out", "w+") + with open(hcatHashFile + ".out", "r") as hcatCrackedFile: + for crackedLine in hcatCrackedFile: + with open(hcatHashFileOrig, "r") as hcatOrigFile: + for origLine in hcatOrigFile: + if crackedLine.split(":")[0] == origLine.split(":")[3]: + hcatCombinedHashes.write(origLine.strip() + crackedLine.split(":")[1]) + hcatCombinedHashes.close() + hcatCrackedFile.close() + hcatOrigFile.close() + print "\nCracked passwords combined with original hashes in %s." % (hcatHashFileOrig + ".out") + print '\nCleaning up temporary files...' + if os.path.exists(hcatHashFile + ".masks"): + os.remove(hcatHashFile + ".masks") + if os.path.exists(hcatHashFile + ".working"): + os.remove(hcatHashFile + ".working") + if os.path.exists(hcatHashFile + ".expanded"): + os.remove(hcatHashFile + ".expanded") + if os.path.exists(hcatHashFileOrig + ".combined"): + os.remove(hcatHashFileOrig + ".combined") + if os.path.exists(hcatHashFileOrig + ".lm"): + os.remove(hcatHashFileOrig + ".lm") + if os.path.exists(hcatHashFileOrig + ".lm.cracked"): + os.remove(hcatHashFileOrig + ".lm.cracked") + if os.path.exists(hcatHashFileOrig + ".working"): + os.remove(hcatHashFileOrig + ".working") + +# CTRL-C Function +def signal_handler(signal, frame): + global hcatHashFile + global hcatBin + global hcatProcess + + print "Killing %s..." % hcatBin + processGroup = os.getpgid(hcatProcess) + hcatProcess = subprocess.Popen("kill -%d" % (processGroup), shell=True).wait() + time.sleep(5) + +# Quick Dictionary Attack with Optional Chained Best64 Rules +def quick_crack(): + hcatChainsInput = int(raw_input("\nHow many times would you like to chain the best64.rule? (1): ") or 1) + hcatChains = "-r %s/rules/best64.rule " % hcatPath + if hcatChainsInput > 1: + for n in range (1, hcatChainsInput): + hcatChains += "-r %s/rules/best64.rule " % hcatPath + + hcatQuickDictionary(hcatHashType, hcatHashFile, hcatChains) + +# Extensive Pure_Hate Methodology +def extensive_crack(): + # Brute Force Attack + hcatBruteForce(hcatHashType, hcatHashFile, "1", "7") + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatBruteCount) + + # Dictionary Attack + hcatDictionary(hcatHashType, hcatHashFile) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatDictionaryCount) + + # Top Mask Attack + hcatTargetTime = 4 * 60 * 60 # 4 Hours + hcatTopMask(hcatHashType, hcatHashFile, hcatTargetTime) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatMaskCount) + + # Fingerprint Attack + hcatFingerprint(hcatHashType, hcatHashFile) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatFingerprintCount) + + # Combination Attack + hcatCombination(hcatHashType, hcatHashFile) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatCombinationCount) + + # Hybrid Attack + hcatHybrid(hcatHashType, hcatHashFile) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatHybridCount) + + # Extra - Just For Good Measure + hcatGoodMeasure(hcatHashType, hcatHashFile) + + # Recycle Cracked Passwords + hcatRecycle(hcatHashType, hcatHashFile, hcatExtraCount) + +# Brute Force +def brute_force_crack(): + hcatMinLen = int(raw_input("\nEnter the minimum password length to brute force (1): ") or 1) + hcatMaxLen = int(raw_input("\nEnter the maximum password length to brute force (7): ") or 7) + hcatBruteForce(hcatHashType, hcatHashFile, hcatMinLen, hcatMaxLen) + +# Top Mask +def top_mask_crack(): + hcatTargetTime = int(raw_input("\nEnter a target time for completion in hours (4): ") or 4) + hcatTargetTime = hcatTargetTime * 60 * 60 + hcatTopMask(hcatHashType, hcatHashFile, hcatTargetTime) + +# Fingerprint +def fingerprint_crack(): + hcatFingerprint(hcatHashType, hcatHashFile) + +# Combinator +def combinator_crack(): + hcatCombination(hcatHashType, hcatHashFile) + +# Hybrid +def hybrid_crack(): + hcatHybrid(hcatHashType, hcatHashFile) + +# Pathwell Top 100 Bruteforce Mask +def pathwell_crack(): + # Bruteforce Mask Attack + hcatPathwellBruteForce(hcatHashType, hcatHashFile) + +# PRINCE Attack +def prince_attack(): + hcatPrince(hcatHashType, hcatHashFile) + +# YOLO Combination +def yolo_combination(): + hcatYoloCombination(hcatHashType, hcatHashFile) + +# Display Cracked Hashes +def show_results(): + if os.path.isfile(hcatHashFile + ".out"): + hcatOutput = file(hcatHashFile + ".out") + print + for hash in hcatOutput: + print hash.strip() + else: + print "No hashes were cracked :(" + +# Show README +def show_readme(): + hcatReadme = file(hate_path + "/readme.md") + print hcatReadme.read() + +# Exit Program +def quit(): + cleanup() + sys.exit(0) + +# The Main Guts +def main(): + global hcatHashFile + global hcatHashType + global hcatHashFileOrig + global lmHashesFound + + hcatHashFileOrig = "" + + try: + hcatHashFile = sys.argv[1] + hcatHashType = sys.argv[2] + + except IndexError: + usage() + sys.exit() + + ascii_art() + + # Catch CTRL-C + signal.signal(signal.SIGINT, signal_handler) + + # Get Initial Input Hash Count + hcatHashCount = lineCount(hcatHashFile) + + # If LM or NT Mode Selected and pwdump Format Detected, Prompt For LM to NT Attack + if hcatHashType == "1000": + lmHashesFound = False + hcatHashFileLine = open(hcatHashFile, "r").readline() + if re.search(r"[a-z0-9]{32}:[a-z0-9]{32}:::$", hcatHashFileLine): + print "PWDUMP format detected..." + print "Parsing NT hashes..." + hcatProcess = subprocess.Popen("cat %s | cut -d : -f 4 |sort -u > %s.nt" % (hcatHashFile, hcatHashFile), shell=True).wait() + print "Parsing LM hashes..." + hcatProcess = subprocess.Popen("cat %s | cut -d : -f 3 |sort -u > %s.lm" % (hcatHashFile, hcatHashFile), shell=True).wait() + if ((lineCount(hcatHashFile + ".lm") == 1) and (hcatHashFileLine.split(":")[2] != "aad3b435b51404eeaad3b435b51404ee")) or (lineCount(hcatHashFile + ".lm") > 1): + lmHashesFound = True + lmChoice = raw_input("LM hashes identified. Would you like to brute force the LM hashes first? (Y) ") or "Y" + if (lmChoice == "y" or lmChoice == "Y"): + hcatLMtoNT() + hcatHashFileOrig = hcatHashFile + hcatHashFile = hcatHashFile + ".nt" + + # Check POT File for Already Cracked Hashes + if not os.path.isfile(hcatHashFile + ".out"): + hcatOutput = open(hcatHashFile + ".out", "w+") + hcatOutput.close() + print "Checking POT file for already cracked hashes..." + hcatProcess = subprocess.Popen("%s/%s --show --potfile-path=%s/hashcat.pot -m %s %s >%s.out" % (hcatPath, hcatBin, hate_path, hcatHashType, hcatHashFile, hcatHashFile), shell=True).wait() + hcatHashCracked = lineCount(hcatHashFile + ".out") + if hcatHashCracked > 0: + print "Found %d hashes already cracked.\nCopied hashes to %s.out" % (hcatHashCracked, hcatHashFile) + else: + print "No hashes found in POT file." + + # Display Options + while(1): + print "\n\t(1) Quick Crack" + print "\t(2) Extensive Pure_Hate Methodology Crack" + print "\t(3) Brute Force Attack" + print "\t(4) Top Mask Attack" + print "\t(5) Fingerprint Attack" + print "\t(6) Combinator Attack" + print "\t(7) Hybrid Attack" + print "\t(8) Pathwell Top 100 Mask Brute Force Crack" + print "\t(9) PRINCE Attack" + print "\t(10) YOLO Combinator Attack" + print "\n\t(97) Display Cracked Hashes" + print "\t(98) Display README" + print "\t(99) Quit" + options = {1:quick_crack, + 2:extensive_crack, + 3:brute_force_crack, + 4:top_mask_crack, + 5:fingerprint_crack, + 6:combinator_crack, + 7:hybrid_crack, + 8:pathwell_crack, + 9:prince_attack, + 10:yolo_combination, + 97:show_results, + 98:show_readme, + 99:quit + } + try: + task = input("\nSelect a task: ") + options[task]() + except: + quit() + +# Boilerplate +if __name__ == '__main__': + main() diff --git a/masks/pathwell.hcmask b/masks/pathwell.hcmask new file mode 100644 index 0000000..9edf839 --- /dev/null +++ b/masks/pathwell.hcmask @@ -0,0 +1,100 @@ +?u?l?l?l?l?l?d?d +?u?l?l?l?l?l?l?d?d +?u?l?l?l?d?d?d?d +?l?l?l?l?l?l?l?d +?u?l?l?l?l?l?l?l?d?d +?u?l?l?l?l?l?l?d +?u?l?l?l?l?l?d?d?d?d +?u?l?l?l?l?d?d?d?d +?l?l?l?l?l?l?d?d +?u?l?l?l?l?l?l?l?d +?u?l?l?l?l?d?d?d +?u?l?l?d?d?d?d?s +?l?l?l?l?l?l?l?l +?u?l?l?l?l?l?d?d?d +?l?l?l?l?l?l?l?d?d +?l?l?s?d?d?l?d?d?l +?l?l?l?l?l?l?l?l?d +?u?l?l?l?l?l?d?d?s +?u?l?l?l?l?l?l?d?d?d?d +?u?l?l?l?l?l?l?l?l?d?d +?u?l?l?l?l?l?d?s +?u?l?l?l?l?l?l?l?l?d +?u?l?l?l?l?l?d?d?d?d?s +?l?l?l?l?l?l?l?l?l +?l?l?l?l?l?l?l?l?d?d +?u?l?l?l?l?l?l?d?d?d +?l?l?l?l?l?d?d?d +?u?l?l?l?d?d?d?d?s +?u?l?l?l?l?l?l?l?d?d?d?d +?u?l?l?l?l?l?s?d?d +?u?u?u?u?u?u?d?l +?l?l?l?l?d?d?d?d +?d?d?u?l?l?l?l?l?l?l +?u?l?l?s?d?d?d?d +?u?l?l?l?l?d?d?s +?u?l?l?l?l?l?l?d?s +?d?d?u?l?l?l?l?l?l +?l?l?l?l?s?d?d?d +?l?l?l?l?l?l?l?l?l?d +?l?l?l?l?l?d?d?d?d +?l?l?l?l?l?l?l?l?l?l +?l?l?l?l?l?l?d?d?d +?u?l?l?l?l?l?l?l?l?l?d?d +?u?l?l?l?l?l?l?l?l?l?d +?d?d?d?d?d?d?u?l +?u?l?l?l?l?l?l?l?d?d?d +?u?l?l?l?l?l?l?d?d?s +?u?u?u?u?u?u?d?s +?u?u?d?l?l?l?d?d?d?u +?u?l?l?l?l?s?d?d +?u?l?l?l?l?l?s?d +?l?l?l?s?d?d?d?d +?l?l?l?l?l?l?d?d?d?d +?u?l?l?l?l?l?l?l?d?d?s +?d?d?u?l?l?l?l?l +?u?l?l?l?l?l?l?l?d?s +?u?l?l?l?l?d?d?d?s +?u?l?l?l?l?d?d?d?d?s +?u?l?l?l?s?d?d?d?d +?u?l?l?l?l?s?d?d?d +?u?l?l?l?l?l?l?d?d?d?d?s +?u?l?l?l?d?d?d?s +?l?l?l?l?s?d?d?d?d +?l?l?l?l?l?l?s?d?d +?l?l?l?l?l?l?d?d?s +?d?d?d?d?u?l?l?l +?d?d?d?d?d?d?d?d +?u?l?l?l?l?l?l?s?d +?u?l?d?d?d?d?d?d +?l?l?l?l?l?l?s?d +?u?d?l?l?l?l?l?l?l?d +?l?l?l?l?l?l?l?l?l?l?l +?l?l?l?l?l?l?l?l?l?l?d +?l?l?l?l?l?d?d?s +?l?l?l?l?d?d?d?s +?u?l?l?l?l?l?l?l?l?d?d?d?d +?u?u?u?u?u?u?u?u +?u?l?l?l?s?d?d?d +?u?l?l?l?l?l?l?s?d?d +?u?l?l?l?l?l?d?d?d?s +?l?l?l?l?l?s?d?d +?u?l?l?l?l?s?d?d?d?d +?u?l?l?l?d?d?d?d?d +?u?l?l?d?d?d?d?d?d +?u?l?l?d?d?d?d?d +?l?l?l?l?l?l?l?l?l?d?d +?l?l?l?l?l?l?l?d?d?s +?l?l?l?l?l?l?l?d?d?d +?l?l?l?l?l?l?d?s +?l?l?l?d?d?d?d?s +?u?u?u?l?l?l?d?d?d?d +?u?l?l?l?l?l?s?d?d?d +?u?l?l?l?l?l?l?l?s?d +?l?l?l?l?l?l?l?l?s?d +?l?l?l?l?l?l?l?d?d?d?d +?u?l?l?l?l?l?s?d?d?d?d +?l?l?l?l?l?l?l?d?s +?l?l?l?l?d?d?d?d?s +?d?d?d?d?u?l?l?l?l +?u?u?d?l?l?l?d?d?d?d diff --git a/pack b/pack new file mode 160000 index 0000000..5311d5c --- /dev/null +++ b/pack @@ -0,0 +1 @@ +Subproject commit 5311d5cbb10202c1cabd4e95ea396bc228b8ada8 diff --git a/princeprocessor b/princeprocessor new file mode 160000 index 0000000..f0c101d --- /dev/null +++ b/princeprocessor @@ -0,0 +1 @@ +Subproject commit f0c101d81bc29bf1483b6ca54ff08a4a5168c8fb diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..301e6b3 --- /dev/null +++ b/readme.md @@ -0,0 +1,160 @@ +``` + ___ ___ __ _________ __ + / | \_____ _/ |_ ____ \_ ___ \____________ ____ | | __ +/ ~ \__ \\ __\/ __ \ / \ \/\_ __ \__ \ _/ ___\| |/ / +\ Y // __ \| | \ ___/ \ \____| | \// __ \\ \___| < + \___|_ /(____ /__| \___ >____\______ /|__| (____ /\___ >__|_ \ + \/ \/ \/_____/ \/ \/ \/ \/ +``` + +Installation +------------------------------------------------- +Get the latest hashcat binaries (https://hashcat.net/hashcat/) + +OSX Install (https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going/) +```git clone https://github.com/hashcat/hashcat.git +mkdir -p hashcat/deps +git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL +cd hashcat/ +make +make install +``` +------------------------------------------------- +* Customize binary and wordlist paths in "config.ini" +* Make sure that at least "rockyou.txt" is within your "wordlists" path + +Usage +------------------------------------------------- +`$ ./hate_crack.py +usage: python hate_crack.py ` + +The is attained by running `hashcat --help` + +Example Hashes: http://hashcat.net/wiki/doku.php?id=example_hashes + + +``` +$ hashcat --help |grep -i ntlm + 5500 | NetNTLMv1 | Network protocols + 5500 | NetNTLMv1 + ESS | Network protocols + 5600 | NetNTLMv2 | Network protocols + 1000 | NTLM | Operating-Systems +``` + +``` +$ ./hate_crack.py 1000 + + ___ ___ __ _________ __ + / | \_____ _/ |_ ____ \_ ___ \____________ ____ | | __ +/ ~ \__ \\ __\/ __ \ / \ \/\_ __ \__ \ _/ ___\| |/ / +\ Y // __ \| | \ ___/ \ \____| | \// __ \\ \___| < + \___|_ /(____ /__| \___ >____\______ /|__| (____ /\___ >__|_ \ + \/ \/ \/_____/ \/ \/ \/ \/ + Public Release + Version 1.00 + + + (1) Quick Crack + (2) Extensive Pure_Hate Methodology Crack + (3) Brute Force Attack + (4) Top Mask Attack + (5) Fingerprint Attack + (6) Combinator Attack + (7) Hybrid Attack + (8) Pathwell Top 100 Mask Brute Force Crack + (9) PRINCE Attack + (10) YOLO Combinator Attack + + (97) Display Cracked Hashes + (98) Display README + (99) Quit + +Select a task: +``` +------------------------------------------------- +####Quick Crack +* Runs a dictionary attack using all wordlists configured in your "hcatOptimizedWordlists" path +and applies the "best64.rule", with the option of chaining the "best64.rule". +####Extensive Pure_Hate Methodology Crack +* Runs several attack methods provided by Martin Bos (formerly known as pure_hate) +####Brute Force Attack (7 characters) +####Dictionary Attack + * All wordlists in "hcatOptimizedWordlists" with "best64.rule" + * wordlists/rockyou.txt with "d3ad0ne.rule" + * wordlists/rockyou.txt with "T0XlC.rule" +####Top Mask Attack (Target Time = 4 Hours) +####Fingerprint Attack +####Combinator Attack +####Hybrid Attack + +Extra - Just For Good Measure +------------------------------------------------- + Runs a dictionary attack using wordlists/rockyou.txt with chained "combinator.rule" and "InsidePro-PasswordsPro.rule" rules + +------------------------------------------------- +####Brute Force Attack + +Brute forces all characters with the choice of a minimum and maximum password length. + +------------------------------------------------- +####Top Mask Attack + +Runs a top mask attack using passwords already cracked for the current session. +Presents the user a choice of target cracking time to spend (default 4 hours). + +------------------------------------------------- +####Fingerprint Attack +https://hashcat.net/wiki/doku.php?id=fingerprint_attack + +Runs a fingerprint attack using passwords already cracked for the current session. + +------------------------------------------------- +####Combinator Attack +https://hashcat.net/wiki/doku.php?id=combinator_attack + +Runs a combinator attack using the "rockyou.txt" wordlist. + +------------------------------------------------- +####Hybrid Attack +https://hashcat.net/wiki/doku.php?id=hybrid_attack + +* Runs several hybrid attacks using the "rockyou.txt" wordlists. + - Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1 + - Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1 + - Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1?1 + - Hybrid Mask + Wordlist - ?s?d ?1?1 wordlists/rockyou.txt + - Hybrid Mask + Wordlist - ?s?d ?1?1?1 wordlists/rockyou.txt + - Hybrid Mask + Wordlist - ?s?d ?1?1?1?1 wordlists/rockyou.txt +------------------------------------------------- +####Pathwell Top 100 Mask Brute Force Crack + +Runs a brute force attack using the top 100 masks from KoreLogic: +https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies + +------------------------------------------------- +####PRINCE Attack +https://hashcat.net/events/p14-trondheim/prince-attack.pdf + +Runs a PRINCE attack using wordlists/rockyou.txt + +------------------------------------------------- +####YOLO Combinator Attack + +Runs a continuous combinator attack using random wordlists from the +optimized wordlists for the left and right sides. + +------------------------------------------------- +####Add-on Tools +wordlist_optimizer.py - parses all wordlists from ``, sorts +them by length and de-duplicates into `` + +```$ python wordlist_optimizer.py +usage: python wordlist_optimizer.py + +$ python wordlist_optimizer.py wordlists.txt ../optimized_wordlists +``` + +###Version History + +Version 1.00 + Initial public release diff --git a/wordlist_optimizer.py b/wordlist_optimizer.py new file mode 100755 index 0000000..3cd17d0 --- /dev/null +++ b/wordlist_optimizer.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python + +import sys +import os +import subprocess +import shutil + +splitlen_bin = "hashcat-utils/bin/splitlen.app" +rli_bin = "hashcat-utils/bin/rli.app" + +# Help +def usage(): + print "usage: python %s " % sys.argv[0] + +def lineCount(file): + try: + outFile = open(file) + except: + return 0 + + count = 0 + for line in outFile: + count = count + 1 + return count + +# Main guts +def main(): + try: + input_list = open(sys.argv[1], "r") + destination = sys.argv[2] + + except IndexError: + usage() + sys.exit() + + # Get list of wordlists from argument + for wordlist in input_list: + print wordlist.strip() + + # Parse wordlists by password length into "optimized" + if len(os.listdir(destination)) == 0: + splitlenProcess = subprocess.Popen("%s %s < %s" % (splitlen_bin, destination, wordlist), shell=True).wait() + else: + if not os.path.isdir("/tmp/splitlen"): + os.mkdir("/tmp/splitlen") + splitlenProcess = subprocess.Popen("%s /tmp/splitlen < %s" % (splitlen_bin, wordlist), shell=True).wait() + + # Copy unique passwords into "optimized" + for file in os.listdir("/tmp/splitlen"): + if not os.path.isfile(destination + "/" + file): + shutil.copyfile(file, destination) + else: + rliProcess = subprocess.Popen("%s /tmp/splitlen/%s /tmp/splitlen.out %s/%s" % (rli_bin, file, destination, file), shell=True).wait() + if lineCount("/tmp/splitlen.out") > 0: + destination_file = open(destination + "/" + file, "a") + splitlen_file = open("/tmp/splitlen.out", "r") + destination_file.write(splitlen_file.read()) + destination_file.close() + splitlen_file.close() + + # Clean Up + if os.path.isdir("/tmp/splitlen"): + shutil.rmtree('/tmp/splitlen') + if os.path.isfile("/tmp/splitlen.out"): + os.remove("/tmp/splitlen.out") + + +# Standard boilerplate to call the main() function +if __name__ == '__main__': + main()