From dd16aad2b2162714cfe185653f4057258edfc2d4 Mon Sep 17 00:00:00 2001 From: Hugh <8828244+hkelley@users.noreply.github.com> Date: Wed, 22 Sep 2021 20:30:01 -0400 Subject: [PATCH] final tweaks for the dual (remote or local hashcat) mode changes --- HelperFuncs.ps1 | 47 +++++++++++++++---- demo.ps1 | 20 +++++--- ...notes-for-Ubuntu-with-Windows-remoting.txt | 7 ++- 3 files changed, 56 insertions(+), 18 deletions(-) diff --git a/HelperFuncs.ps1 b/HelperFuncs.ps1 index b9e1112..75331ef 100644 --- a/HelperFuncs.ps1 +++ b/HelperFuncs.ps1 @@ -58,6 +58,24 @@ Function Get-ADHashesAsTestSet { } +$reHex = [regex] '\$HEX\[(?[\da-f]+)\]' + +function Get-StringFromHex ($hexcodes) +{ + $outString = "" + + $chars = $hexcodes.ToCharArray() + + for($i=0; $i -lt $chars.count; $i = $i+2 ) + { + $charHex = $chars[$i..($i + 1)] -join "" + + $outString += [char] [CONVERT]::toint16($charHex,16) + } + + $outString +} + function Test-HashesWithHashcat{ [CmdletBinding()] param( @@ -118,7 +136,7 @@ function Test-HashesWithHashcat{ $session = New-SSHSession -ComputerName $HashcatHost -Credential $HashcatHostCred # crack hashes and add to potfile - $cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {1}" -f $HashcatDir,$logFile.Name,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList) + $cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {5}" -f $HashcatDir,$jobName,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList),$logFile.Name $result = Invoke-SSHCommand -SSHSession $session -Command $cmd -TimeOut (60*60*$TimeoutHours) # export results 
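Review bot: In `Get-StringFromHex` each hex pair is cast straight to `[char]`, which turns every byte into its own code point; hashcat uses the `$HEX[...]` form for plaintexts that contain, among other things, non-ASCII bytes, so a multi-byte character would presumably come back as several wrong characters instead of the original one. Collecting the bytes and decoding them once keeps such passwords intact, e.g. `$bytes = [byte[]] $(for($i=0; $i -lt $hexcodes.Length; $i+=2){ [Convert]::ToByte($hexcodes.Substring($i,2),16) })` followed by `[System.Text.Encoding]::UTF8.GetString($bytes)`. UTF-8 is an assumption here and should match the encoding of the wordlist in use. The function also has no header comment; something like `# Decodes the hex payload of a hashcat $HEX[...] result into a string` would tell callers what input it expects.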
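Review bot: The remote command line is still assembled by dropping `$HashcatDir`, `$Rules`, `$WordList` and the file names into the format string unquoted, and the result is interpreted by the shell on the SSH host, so a value containing a space or a shell metacharacter changes what runs there. Quoting each placeholder for the remote shell, for example `'{0}hashcat' -m 1000 -O --session '{1}' '{2}' --rules-file '{3}' '{4}' 2>&1 1> '{5}'`, and rejecting values that contain a single quote would close that gap. In a POSIX shell `2>&1 1> {5}` sends only stdout to the log while stderr goes back over the SSH channel; if both streams are meant to land in the log, the order would be `> {5} 2>&1`. The local-mode command in the next hunk builds its string the same way. The body of Test-HashesWithHashcat starts and ends outside this hunk.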
@@ -135,25 +153,30 @@ function Test-HashesWithHashcat{ Remove-SSHSession $session | Out-Null - $hashcatOutput = Get-Content $logFile.FullName } else { - # local hashcat #### NEEDS REVIEW. MAY BE BROKEN AFTER CHANGES TO ALLOW SSH REMOTING ##### + # local hashcat + + PUSHD $HashcatDir # crack hashes and add to potfile - $cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {1}.log" -f $HashcatDir,$jobName,$scratchFile.Name,$($HashcatDir + $Rules),$($HashcatDir + $WordList) + $cmd = "{0}hashcat -m 1000 -O --session {1} {2} --rules-file {3} {4} 2>&1 1> {5}" -f $HashcatDir,$jobName,$scratchFile.FullName,$($HashcatDir + $Rules),$($HashcatDir + $WordList),$logFile.FullName + Write-Warning $cmd + $result = Invoke-Expression -Command $cmd - # export results - $cmd = "{0}hashcat -m 1000 --show --outfile {1} {2}" -f $HashcatDir,$outputFile.Name,$scratchFile.Name + # export results to file + $cmd = "{0}hashcat -m 1000 --show --outfile {1} {2}" -f $HashcatDir,$outputFile.FullName,$scratchFile.FullName + Write-Warning $cmd + $result = Invoke-Expression -Command $cmd -# $cmd = "{0}hashcat -m 1000 -O --session {1} --potfile-disable --outfile {2} {3} --rules-file {4} {5}" -f $HashcatDir,$jobName,$outputFile.FullName,$scratchFile.FullName,$($HashcatDir + $WordList),$($HashcatDir + $Rules) - $cmd = "{0}hashcat -m 1000 -O --session {1} --show --outfile {2} {3} --rules-file {4} {5}" -f $HashcatDir,$jobName,$outputFile.FullName,$scratchFile.FullName,$($HashcatDir + $WordList),$($HashcatDir + $Rules) - $hashcatOutput = Invoke-Expression -Command $cmd + POPD } $stopwatch.Stop() + $hashcatOutput = Get-Content $logFile.FullName + Write-Host ("Hashcat processing time: {0:n0} minutes" -f $stopwatch.Elapsed.TotalMinutes) if($ShowOutput) 
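Review bot: The local branch runs the formatted string through `Invoke-Expression`, so PowerShell re-parses the whole line and any space, `;` or `$(` in `$HashcatDir`, `$Rules`, `$WordList` or the temp-file paths is treated as syntax rather than as part of an argument. Calling the executable with the call operator and an argument array passes each value as a single argument without re-parsing. The added `PUSHD`/`POPD` pair is also unprotected, so a terminating error between them leaves the caller's location changed; a `try`/`finally` restores it. The two `Write-Warning $cmd` lines look like leftover debugging and could become `Write-Verbose`. The sketch below covers only the local branch; the function itself starts and ends outside the hunk.

```powershell
# … unchanged: remote (SSH) branch and the `else {` that opens the local branch …
Push-Location $HashcatDir
try
{
    $hashcatExe = $HashcatDir + 'hashcat'

    # crack hashes and add to potfile
    $crackArgs = @('-m', '1000', '-O', '--session', $jobName, $scratchFile.FullName,
                   '--rules-file', ($HashcatDir + $Rules), ($HashcatDir + $WordList))
    $result = & $hashcatExe @crackArgs 2>&1 1> $logFile.FullName

    # export results to file
    $showArgs = @('-m', '1000', '--show', '--outfile', $outputFile.FullName, $scratchFile.FullName)
    $result = & $hashcatExe @showArgs
}
finally
{
    Pop-Location
}
# … unchanged: closing brace of the else branch, stopwatch and log handling …
```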
@@ -173,6 +196,12 @@ function Test-HashesWithHashcat{ foreach($user in $hashesToTest[$crack.hash].Users) { $TestSet[$user].Condition = "weak" + + if($crack.result -match $reHex) + { + $crack.result = Get-StringFromHex -hexcodes $Matches.hexcodes + } + $TestSet[$user].Context = $crack.result } } diff --git a/demo.ps1 b/demo.ps1 index 3edb6f5..1092776 100644 --- a/demo.ps1 +++ b/demo.ps1 
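Review bot: The `$HEX[...]` decoding sits inside the `foreach($user ...)` loop and overwrites `$crack.result`, so for a hash shared by several users the already decoded plaintext is tested against `$reHex` again on each later iteration; because the pattern is unanchored, a password that itself contains `$HEX[..]` text would be decoded a second time. Decoding once before the `foreach` and anchoring `$reHex` with `^` and `$` avoids both. The value then written to `Context` is a recovered plaintext password, so a short comment at that assignment, e.g. `# Context now holds the cleartext password - handle exports accordingly`, would help whoever consumes the test set later. The enclosing loops begin outside this hunk.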
@@ -1,23 +1,29 @@ # dotsource the functions . Z:\_Active\PasswordPiffle\HelperFuncs.ps1 -# get the hashes via online pull from a domain controller +## get the hashes via online pull from a domain controller $filter = {enabled -eq $true -and objectcategory -eq "person"} $testset = Get-ADHashesAsTestSet -Filter $filter -# First, try to crack, this way we can see the weak values -Test-HashesWithHashcat -TestSet $testset -HashcatDir E:\Utils\hashcat +## First, try to crack, this way we can see the weak values -# Second, check for the presence on a banned list +# MODE A: Using a remote (Linux) server over SSH. This allows you more flexibility with cloud-provided GPUs +Test-HashesWithHashcat -TestSet $testset -ShowOutput -HashcatHost $HashcatHost -HashcatHostCred $HashcatCred -HashcatDir "/opt/hashcat-6.2.4/" -WordList "wordlists/40GB_CleanUpFile.txt" -Rules "rules/OneRuleToRuleThemAll.rule" + +# MODE B: Local hashcat on Windows +Test-HashesWithHashcat -TestSet $testset -ShowOutput -HashcatDir "E:\Utils\Hashcat\" -WordList "wordlists\40GB_CleanUpFile.txt" -Rules "rules\best64.rule" + + +## Second, check for the presence on a banned list Test-HashesAgainstList -TestSet $testset -BadHashesSortedFile E:\Utils\haveibeenpwned.com\pwned-passwords-ntlm-ordered-by-hash-v7.txt -# Third, look for accounts that re-use the same password between manager and report (lazy IT people who use same password for admin ID) +## Third, look for accounts that re-use the same password between manager and report (lazy IT people who use same password for admin ID) Test-HashesForPasswordSharing $testset -# Fourth, find people who are using the same password over and over again, even though it should be rotating (probably have a buddy in IT resetting it for them) +## Fourth, find people who are using the same password over and over again, even though it should be rotating (probably have a buddy in IT resetting it for them) Test-HashesForPasswordReuse $testset -# Raw results for further processing 
(resets, email, etc.) +## Raw results for further processing (resets, email to users, etc.) Get-FlattenedResults -TestSet $testset # Counts based on condition diff --git a/hashcat-setup-notes-for-Ubuntu-with-Windows-remoting.txt b/hashcat-setup-notes-for-Ubuntu-with-Windows-remoting.txt index 5b311cc..1c344d5 100644 --- a/hashcat-setup-notes-for-Ubuntu-with-Windows-remoting.txt +++ b/hashcat-setup-notes-for-Ubuntu-with-Windows-remoting.txt @@ -4,8 +4,11 @@ https://arminreiter.com/2020/11/using-azure-vm-to-crack-passwords/ https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html -# PSremoting steps adapted from: -https://adamtheautomator.com/psremoting-linux/ +# PSremoting steps use +https://github.com/darkoperator/Posh-SSH + + + lsb_release -a
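Review bot: The MODE A line uses `$HashcatHost` and `$HashcatCred`, which are not assigned anywhere above it in the demo, and as written MODE A and MODE B both run when the script is executed top to bottom. A comment such as `# Pick ONE of the two modes below and comment out the other`, together with `$HashcatHost = 'hashcat-host.example'` (placeholder value) and `$HashcatCred = Get-Credential` ahead of MODE A, would make the sample runnable without anyone pasting a password into the file.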