Password cracking in the cloud

Password_cracking_in_the_cloud.md

This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.

Resources used for this article:

• https://samiux.blogspot.com/2017/12/howto-install-hashcat-on-ubuntu-16043.html

• https://hashcat.net/wiki/doku.php?id=linux_server_howto

Setting up a cracking box using Paperspace

Get your Linux VM up and running

From Paperspace, choose the Ubuntu 20.04 server option that has as many A100 GPUs as you can afford.

-=-=- Make sure you turn off the "Auto Shutdown" feature in the paperspace console. By default, it is unable to detect SSH connections or processes running such as Hashcat.... -=-=-

Note that when you spin this up it's SSHable from anywhere in the world so you might want to lock it down with an ACL. Paperspace now has public IPs by default, but they aren't static - this is good enough for short term use.

sudo ufw allow from [IP] to any port 22 proto tcp
sudo ufw enable

Before GPU installation you must disable Nouveau drivers by running the following (which will trigger a reboot):

sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo update-initramfs -u
sudo reboot
## after reboot, confirm no output from the following:
lsmod | grep nouveau

Run this script to get the core updates and tools installed:

sudo apt update && sudo apt upgrade -y
sudo apt install ocl-icd-libopencl1 git build-essential -y
sudo chmod -R 777 /opt/
git clone https://github.com/hashcat/hashcat /opt/hashcat && cd /opt/hashcat
git submodule update --init
make
git clone https://github.com/hashcat/hashcat-utils /opt/hashcat-utils && cd /opt/hashcat-utils/src
make
cp *.bin ../bin
cd ~
# For the next command go to the NVidia site (https://www.nvidia.com/Download/Find.aspx)
# and ensure you're downloading the latest Linux drivers
wget https://uk.download.nvidia.com/tesla/460.106.00/NVIDIA-Linux-x86_64-460.106.00.run
chmod +x ./NVIDIA-Linux-x86_64-*
sudo ./NVIDIA-Linux-x86_64-[VER]

• This is useful for AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-nvidia-driver.html
• At the error about "nvidia-installer was forced to guess" error hit OK.
• At "Install NVIDIA's 32-bit compatibility libraries" choose No
• At the "Your x configuration file has been successfully updated" hit OK

Then check out your Hashcat benchmarks:

/opt/hashcat/hashcat -b to see all benchmarks

/opt/hashcat/hashcat -b -m 1000 to see just, for example, NTLM hash crack rate.

Install hate_crack

git clone https://github.com/trustedsec/hate_crack.git /opt/hatecrack

Get some wordlists

# Get the popular wordlists from Daniel Miessler
git clone https://github.com/danielmiessler/SecLists.git /opt/wordlists/ && cd /opt/wordlists

# Get the OneRuleToRuleThemAll for hashcat
curl https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule > /opt/hashcat/rules/OneRuleToRuleThemAll.rule

# Get rockyou.txt ready to rock
cd /opt/wordlists/Passwords/Leaked-Databases
tar xvzf rockyou.txt.tar.gz
mv rockyou.txt ..

# Consolidate all downloaded wordlists into one "master" text file
sudo chmod -R 777 /opt/
cd /opt/wordlists
ls -rt -d -1 $PWD/Passwords/*.txt > $PWD/Passwords/wordlists.txt

**Note: during my last crack box build in June, 2020, I kept my wordlist pretty simple. My wordlists.txt looks like this:

/opt/wordlists/Passwords/rockyou.txt
/opt/wordlists/Passwords/pp.txt
/opt/wordlists/Passwords/uniq.txt

Open the hatecrack config.json and adjust hcatPath, hcatBin, hcatWordlists and hcatOptimizedWordlists paths. Also adjust the .app extensions to be .bin:

cp /opt/hatecrack/config.json.example /opt/hatecrack/config.json
{
  "hcatPath": "/opt/hashcat",
  "hcatBin": "hashcat",
  "hcatTuning": "--force --remove",
  "hcatWordlists": "/opt/wordlists/Passwords/",
  "hcatOptimizedWordlists": "/opt/wordlists/optimized",
  "hcatDictionaryWordlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatCombinationWordlist": ["/opt/wordlists/Passwords/rockyou.txt","/opt/wordlists/Passwords/rockyou.txt"],
  "hcatHybridlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatMiddleCombinatorMasks": ["2","4"," ","-","_","+",",",".","&"],
  "hcatMiddleBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatThoroughCombinatorMasks": ["0","1","2","3","4","5","6","7","8","9"," ","-","_","+",",","!","#","$","\"","%","&","'","(",")","*",",",".","/",":",";","<","=",">","?","@","[","\\","]","^","`","{","|","}","~"],
  "hcatThoroughBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatGoodMeasureBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatRules": ["OneRuleToRuleThemAll.rule", "best64.rule","d3ad0ne.rule", "T0XlC.rule", "dive.rule"],
  "hcatPrinceBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "pipalPath": "/path/to/pipal"
}

Now create some optimized word lists:

mkdir /opt/wordlists/optimized
sed -i "s/hashcat-utils\/bin\//\/opt\/hashcat-utils\/bin\//g" /opt/hatecrack/wordlist_optimizer.py
python3 /opt/hatecrack/wordlist_optimizer.py /opt/wordlists/Passwords/wordlists.txt /opt/wordlists/optimized

Note: last time I ran this I had to run it with python3.

Run hatecrack!

Here's an example where I crack a text file full of Net-NTLMv2 hashes:

tmux
python3 /opt/hatecrack/hate_crack.py /crackme/big-bucket-of-hashes.txt 5600

Follow the rest of the hatecrack read me, and have fun!

Reassemble AD -> user password mappings

If you've followed my gist on dumping a backup of AD hashes and then cracked a list of just hashes, you may want the ability to come back in later and reconnect the relationship between hash and user. Thanks to my pal hackern0v1c3, he created a perfect tool for the job here. Oh, and if you need to take the output of a dump from something like secretsdump.py and turn it into something hash_combiner can chew on, try this:

cat secrets_dump.txt |cut -d'\' -f2 | cut -d':' -f1,4 > secrets_dump_reformated.txt

Enjoy!

Capturing/cracking WPA handshakes

First capture the handshake. Then convert the .cap to hccapx format with:

/opt/hashcat-utils/bin/cap2hccapx.bin NAME-OF-YOUR.cap NAME-OF-YOUR.hccapx

Then see this page to see all the different ways you can attack the handshake (dictionary, brute-force, etc.). One example of a dictionary attack is:

hashcat.exe -m 2500 NAME-OF-YOUR.hccapx rockyou.txt

Or if using hatecrack:

/opt/hatecrack/hate_crack.py /NAME-OF-YOUR.hccapx 2500

Monitoring your crack jobs

I found that this script is really helpful for monitoring changes to the hashcat.pot file and then triggering an action of your choice.

For example, you could save the mikedmullin script as monme.sh and then have a command like this:

monme.sh /opt/hashcat/hashcat.pot /scripts/somescript.sh

The somescript.sh would contain the commands you'd want to have run once a change to the hashcat.pot file was detected.

Added lines to disable Nouveau

Updated the reference to the NVidia drivers version

Added a ASCII-only filter to the crackstation human only list to get rid of errors withwordlist_optimiser

Added a lazy "chmod -R 777" to /opt to deal with the odd permissions issue and constantly forgetting to use sudo... Yes I know this isn't good practice but as the machine is built up and torn down for a task it feels acceptable