Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Password cracking in the cloud

This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.

Resources used for this article:

Setting up a cracking box using Paperspace

Get your Linux VM up and running

From Paperspace, choose the Ubuntu server option that has:

  • 8 CPU
  • 30 GB RAM
  • 50 GB HD
  • Quadro P6000 card

Note that when you spin this up it's SSHable from anywhere in the world so you might want to lock it down with an ACL. I also elected to pay the extra buck a month for a static IP.

Run this script to get the core updates and tools installed:

sudo dpkg --remove-architecture i386   
sudo apt-get update
sudo apt-get upgrade -y
sudo apt install ocl-icd-libopencl1 git build-essential -y
sudo git clone https://github.com/hashcat/hashcat /opt/hashcat
cd /opt/hashcat
sudo git submodule update --init
sudo make
sudo git clone https://github.com/hashcat/hashcat-utils /opt/hashcat-utils
cd /opt/hashcat-utils/src
sudo make
sudo cp *.bin ../bin
cd /tmp
# For the next command go to the NVidia site and ensure you're downloading the latest Linux drivers
sudo wget http://us.download.nvidia.com/XFree86/Linux-x86_64/384.69/NVIDIA-Linux-x86_64-384.69.run
sudo chmod +x ./NVIDIA-Linux-x86_64-384.69.run
sudo ./NVIDIA-Linux-x86_64-384.69.run
  • Accept the agreement
  • At the error about "nvidia-installer was forced to guess" error hit OK.
  • At the error about "unable to find suitable" hit OK.
  • At the "Would you like "nvidia-xconfig utility to..." hit YES
  • At the "Your x configuration file has been successfully updated" hit OK

Then check out your Hashcat benchmarks:

sudo hashcat -b to see all benchmarks

sudo hashcat -b -m 1000 to see just, for example, NTLM hash crack rate.

Install hate_crack

sudo git clone https://github.com/trustedsec/hate_crack.git /opt/hatecrack

Get some wordlists

sudo mkdir /opt/wordlists
cd /opt/wordlists
# Get the popular wordlists from Daniel Miessler
sudo git clone https://github.com/danielmiessler/SecLists.git /opt/wordlists/
cd /opt/wordlists
# Get the "human only" list of passwords from Crackstation.net
sudo wget https://crackstation.net/files/crackstation-human-only.txt.gz
sudo gunzip crackstation-human-only.txt.gz
sudo rm crackstation-human-only.txt.gz
sudo mv crackstation-human-only.txt /opt/wordlists/Passwords

Note: I've had issues getting Crackstation wordlists to import correctly (see later in this article), so during my last crack box build in June, 2020, I skip these.

# Get the base password list from Crackstation.net
sudo wget https://crackstation.net/files/crackstation.txt.gz
sudo gunzip crackstation.txt.gz
sudo rm crackstation.txt.gz
sudo mv crackstation.txt /opt/wordlists/Passwords

Note: in Dec of 2019 I built a cracking box from scratch, and found the crackstation lists would not parse properly when fed through the wordlist_optimizer.py (a little further down this tutorial). If you find that the case, just delete those two text files before running the wordlist optimizer

# Get rockyou.txt ready to rock
cd /opt/wordlists/Passwords/Leaked-Databases
sudo tar xvzf rockyou.txt.tar.gz
sudo mv rockyou.txt ..
rm rock*.gz

# Get latest Pwned Passwords list from hashes.org
Go to the "leaks" area, search for "pwned" and you should find various versions of the Pwned Passwords database to download in plain text
# Get the breachcompliation database
Download it via Magnet/Torrent here: https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3

Note: in June, 2020 I had issues getting this file, and if you look at the gist you'll see others are as well. I didn't spend too much time troubleshooting. Just moved on.

# Consolidate all downloaded wordlists into one "master" text file
cd /opt/wordlists
sudo ls -rt -d -1 $PWD/Passwords/*.txt > $PWD/Passwords/wordlists.txt

Note: on my last build of a cracking box, the running of wordlist_optimizer.py (a little further down this tutorial) would yield an out of memory error. I got around this by running the optimizer once with all wordlists except the breachcompliation database, then once again with just the breachcompliation database.

**Note 2: during my last crack box build in June, 2020, I kept my wordlist pretty simple. My wordlists.txt looks like this:

/opt/wordlists/Passwords/rockyou.txt
/opt/wordlists/Passwords/pp.txt
/opt/wordlists/Passwords/uniq.txt

Open the hatecrack config.json and adjust hcatPath, hcatBin, hcatWordlists and hcatOptimizedWordlists paths. Also adjust the .app extensions to be .bin:

{
  "hcatPath": "/opt/hashcat",
  "hcatBin": "hashcat",
  "hcatTuning": "--force --remove",
  "hcatWordlists": "/opt/wordlists/Passwords/",
  "hcatOptimizedWordlists": "/opt/wordlists/optimized",
  "hcatDictionaryWordlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatCombinationWordlist": ["/opt/wordlists/Passwords/rockyou.txt","/opt/wordlists/Passwords/rockyou.txt"],
  "hcatHybridlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatMiddleCombinatorMasks": ["2","4"," ","-","_","+",",",".","&"],
  "hcatMiddleBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatThoroughCombinatorMasks": ["0","1","2","3","4","5","6","7","8","9"," ","-","_","+",",","!","#","$","\"","%","&","'","(",")","*",",",".","/",":",";","<","=",">","?","@","[","\\","]","^","`","{","|","}","~"],
  "hcatThoroughBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatGoodMeasureBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatRules": ["best64.rule","d3ad0ne.rule", "T0XlC.rule", "dive.rule"],
  "hcatPrinceBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "pipalPath": "/path/to/pipal"

Open wordlist_optimizer.py and change the splitlen/rli extensions to be .bin:

splitlen_bin = "/opt/hashcat-utils/bin/splitlen.bin"
rli_bin = "/opt/hashcat-utils/bin/rli.bin"

Now create some optimized word lists:

sudo mkdir /opt/wordlists/optimized
sudo python3 /opt/hatecrack/wordlist_optimizer.py /opt/wordlists/Passwords/wordlists.txt /opt/wordlists/optimized

Note: last time I ran this I had to run it with python3.

Run hatecrack!

Here's an example where I crack a text file full of NTLM hashes:

sudo python /opt/hatecrack/hatecrack /crackme/big-bucket-of-hashes.txt 1000

Follow the rest of the hatecrack read me, and have fun!

Reassemble AD -> user password mappings

If you've followed my gist on dumping a backup of AD hashes and then cracked a list of just hashes, you may want the ability to come back in later and reconnect the relationship between hash and user. Thanks to my pal hackern0v1c3, he created a perfect tool for the job here. Oh, and if you need to take the output of a dump from something like secretsdump.py and turn it into something hash_combiner can chew on, try this:

cat secrets_dump.txt |cut -d'\' -f2 | cut -d':' -f1,4 > secrets_dump_reformated.txt

Enjoy!

Capturing/cracking WPA handshakes

First capture the handshake. Then convert the .cap to hccapx format with:

/opt/hashcat-utils/bin/cap2hccapx.bin NAME-OF-YOUR.cap NAME-OF-YOUR.hccapx

Then see this page to see all the different ways you can attack the handshake (dictionary, brute-force, etc.). One example of a dictionary attack is:

hashcat.exe -m 2500 NAME-OF-YOUR.hccapx rockyou.txt

Or if using hatecrack:

/opt/hatecrack/hate_crack.py /NAME-OF-YOUR.hccapx 2500

Monitoring your crack jobs

I found that this script is really helpful for monitoring changes to the hashcat.pot file and then triggering an action of your choice.

For example, you could save the mikedmullin script as monme.sh and then have a command like this:

monme.sh /opt/hashcat/hashcat.pot /scripts/somescript.sh

The somescript.sh would contain the commands you'd want to have run once a change to the hashcat.pot file was detected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.