final tweaks for the dual (remote or local hashcat) mode changes
hkelley committed Sep 23, 2021
1 parent 34e6102 commit dd16aad
Showing 3 changed files with 56 additions and 18 deletions.
47 changes: 38 additions & 9 deletions HelperFuncs.ps1
Expand Up @@ -58,6 +58,24 @@ Function Get-ADHashesAsTestSet {
}


$reHex = [regex] '\$HEX\[(?<hexcodes>[\da-f]+)\]'

function Get-StringFromHex ($hexcodes)
{
$outString = ""

$chars = $hexcodes.ToCharArray()

for($i=0; $i -lt $chars.count; $i = $i+2 )
{
$charHex = $chars[$i..($i + 1)] -join ""

$outString += [char] [CONVERT]::toint16($charHex,16)
}

$outString
}

function Test-HashesWithHashcat{
[CmdletBinding()]
param(
Expand Down Expand Up @@ -118,7 +136,7 @@ function Test-HashesWithHashcat{
$session = New-SSHSession -ComputerName $HashcatHost -Credential $HashcatHostCred

# crack hashes and add to potfile
$cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {1}" -f $HashcatDir,$logFile.Name,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList)
$cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {5}" -f $HashcatDir,$jobName,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList),$logFile.Name
$result = Invoke-SSHCommand -SSHSession $session -Command $cmd -TimeOut (60*60*$TimeoutHours)

# export results
Expand All @@ -135,25 +153,30 @@ function Test-HashesWithHashcat{

Remove-SSHSession $session | Out-Null

$hashcatOutput = Get-Content $logFile.FullName
}
else
{
# local hashcat #### NEEDS REVIEW. MAY BE BROKEN AFTER CHANGES TO ALLOW SSH REMOTING #####
# local hashcat

PUSHD $HashcatDir

# crack hashes and add to potfile
$cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {1}.log" -f $HashcatDir,$jobName,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList)
$cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {5}" -f $HashcatDir,$jobName,$scratchFile.FullName,$($HashcatDir + $Rules),$($HashcatDir + $WordList),$logFile.FullName
Write-Warning $cmd
$result = Invoke-Expression -Command $cmd

# export results
$cmd = "{0}hashcat -m 1000 --show --outfile {1} {2}" -f $HashcatDir,$outputFile.Name,$scratchFile.Name
# export results to file
$cmd = "{0}hashcat -m 1000 --show --outfile {1} {2}" -f $HashcatDir,$outputFile.FullName,$scratchFile.FullName
Write-Warning $cmd
$result = Invoke-Expression -Command $cmd

# $cmd = "{0}hashcat -m 1000 -O --session {1} --potfile-disable --outfile {2} {3} --rules-file {4} {5}" -f $HashcatDir,$jobName,$outputFile.FullName,$scratchFile.FullName,$($HashcatDir + $WordList),$($HashcatDir + $Rules)
$cmd = "{0}hashcat -m 1000 -O --session {1} --show --outfile {2} {3} --rules-file {4} {5}" -f $HashcatDir,$jobName,$outputFile.FullName,$scratchFile.FullName,$($HashcatDir + $WordList),$($HashcatDir + $Rules)
$hashcatOutput = Invoke-Expression -Command $cmd
POPD
}

$stopwatch.Stop()

$hashcatOutput = Get-Content $logFile.FullName

Write-Host ("Hashcat processing time: {0:n0} minutes" -f $stopwatch.Elapsed.TotalMinutes)

if($ShowOutput)
Expand All @@ -173,6 +196,12 @@ function Test-HashesWithHashcat{
foreach($user in $hashesToTest[$crack.hash].Users)
{
$TestSet[$user].Condition = "weak"

if($crack.result -match $reHex)
{
$crack.result = Get-StringFromHex -hexcodes $Matches.hexcodes
}

$TestSet[$user].Context = $crack.result
}
}
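Review bot: The local branch of Test-HashesWithHashcat formats `$HashcatDir`, `$Rules`, `$WordList` and the temp-file paths into one string and runs it through `Invoke-Expression`, so a space in any path splits the arguments and characters such as `;` or `$(` in a parameter are re-parsed as PowerShell. Calling the binary with the call operator and discrete arguments avoids the second parse, e.g. `& "${HashcatDir}hashcat" -m 1000 -O --session $jobName $scratchFile.FullName --rules-file "$HashcatDir$Rules" "$HashcatDir$WordList" 2>&1 1> $logFile.FullName`, and likewise for the `--show --outfile` call. The remote `$cmd` passed to `Invoke-SSHCommand` in the hunk at -118 is built the same way and is parsed by the remote shell, so those values would need quoting there too. The page has lost its +/- markers, so this assumes the lines using `{5}` and `.FullName` are the new side; the function's body starts and ends outside the visible hunks.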
20 changes: 13 additions & 7 deletions demo.ps1
@@ -1,23 +1,29 @@
# dotsource the functions
. Z:\_Active\PasswordPiffle\HelperFuncs.ps1

# get the hashes via online pull from a domain controller
## get the hashes via online pull from a domain controller
$filter = {enabled -eq $true -and objectcategory -eq "person"}
$testset = Get-ADHashesAsTestSet -Filter $filter

# First, try to crack, this way we can see the weak values
Test-HashesWithHashcat -TestSet $testset -HashcatDir E:\Utils\hashcat
## First, try to crack, this way we can see the weak values

# Second, check for the presence on a banned list
# MODE A: Using a remote (Linux) server over SSH. This allows you more flexibility with cloud-provided GPUs
Test-HashesWithHashcat -TestSet $testset -ShowOutput -HashcatHost $HashcatHost -HashcatHostCred $HashcatCred -HashcatDir "/opt/hashcat-6.2.4/" -WordList "wordlists/40GB_CleanUpFile.txt" -Rules "rules/OneRuleToRuleThemAll.rule"

# MODE B: Local hashcat on Windows
Test-HashesWithHashcat -TestSet $testset -ShowOutput -HashcatDir "E:\Utils\Hashcat\" -WordList "wordlists\40GB_CleanUpFile.txt" -Rules "rules\best64.rule"


## Second, check for the presence on a banned list
Test-HashesAgainstList -TestSet $testset -BadHashesSortedFile E:\Utils\haveibeenpwned.com\pwned-passwords-ntlm-ordered-by-hash-v7.txt

# Third, look for accounts that re-use the same password between manager and report (lazy IT people who use same password for admin ID)
## Third, look for accounts that re-use the same password between manager and report (lazy IT people who use same password for admin ID)
Test-HashesForPasswordSharing $testset

# Fourth, find people who are using the same password over and over again, even though it should be rotating (probably have a buddy in IT resetting it for them)
## Fourth, find people who are using the same password over and over again, even though it should be rotating (probably have a buddy in IT resetting it for them)
Test-HashesForPasswordReuse $testset

# Raw results for further processing (resets, email, etc.)
## Raw results for further processing (resets, email to users, etc.)
Get-FlattenedResults -TestSet $testset

# Counts based on condition
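Review bot: The MODE A call reads `$HashcatHost` and `$HashcatCred`, and neither is assigned in the visible lines above it, so a top-to-bottom run would pass `$null` unless HelperFuncs.ps1 happens to set them. A prompt keeps the SSH password out of the script: `$HashcatCred = Get-Credential -Message 'SSH account on the hashcat host'` with `$HashcatHost = '<hashcat-host>'` (placeholder) before the call. MODE A and MODE B are also both live, so the demo runs the crack twice; a comment such as `# run ONE of the two modes below`, or commenting one call out, would make the intent clear. The file continues past the hunk.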
7 changes: 5 additions & 2 deletions hashcat-setup-notes-for-Ubuntu-with-Windows-remoting.txt
Expand Up @@ -4,8 +4,11 @@ https://arminreiter.com/2020/11/using-azure-vm-to-crack-passwords/

https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html

# PSremoting steps adapted from:
https://adamtheautomator.com/psremoting-linux/
# PSremoting steps use
https://github.com/darkoperator/Posh-SSH




lsb_release -a
