opexxx

crackHOR.py

Sep 1st, 2014
411
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 27.55 KB | None | 0 0
  1. #!/usr/bin/python
  2. #Version: crackHORv1.2
  3. #Author: Craig Freyman
  4. #Change log:
  5. # 08/19/2013: Added spin_cycle() function
  6. # 08/26/2013: More spin_cycle fixes
  7. # 10/02/2013: fixed the grep -vi issues on the cut up
  8. # 12/04/2013: Added user,hash,pass compiled list function => create_final_list()
  9. from __future__ import division
  10. import subprocess,sys,os,fnmatch,platform,fileinput,re,difflib,shutil
  11. def main():
  12. validate_file_folder_loc()
  13. clean_up()
  14. backup_file()
  15. check_and_cut()
  16. sort_and_dedupe()  
  17. hashcat_wordlists()
  18. hashcat_wordlist_with_rules()
  19. remove_cracked_hashes()
  20. #if lm_option in ("L","l"):
  21. #hashcat_LM()
  22. #rcrack_tables()
  23. ophcrack_lm_tables()
  24. hashcat_patterns()
  25. compile_all_passwords()
  26. merge_with_master()
  27. create_final_list()
  28. def validate_file_folder_loc():
  29. #This function validates the file/folder locations specified in main()
  30. #rcrack_table_loc_ver = os.path.exists(rcrack_table_location)
  31. ophcrack_table_loc_ver = os.path.exists(ophcrack_table_location)
  32. rcrack_location_ver = os.path.exists(rcrack_location)
  33. hashcat_location_ver = os.path.exists(hashcat_location)
  34. wordlist_folder_ver = os.path.exists(wordlist_folder)
  35. master_hor_file_ver = os.path.exists(master_hor_file)
  36. master_hor_ext_backup_ver = os.path.exists(master_hor_ext_backup)
  37. hashcat_plus_binary_ver = os.path.exists(hashcat_plus_binary)
  38. hashcat_plus_folder_ver = os.path.exists(hashcat_plus_folder)
  39. #if rcrack_table_loc_ver is False:
  40. # print "[-] "+rcrack_table_location+ " is an invalid path."
  41. # sys.exit(0)
  42. if ophcrack_table_loc_ver is False:
  43. print "\033[1;31m[-] "+ophcrack_table_location+ " is an invalid path.\033[1;m\n"
  44. sys.exit(0)
  45. if rcrack_location_ver is False:
  46. print "\033[1;31m[-] "+rcrack_location+ " is an invalid path.\033[1;m\n"
  47. sys.exit(0)
  48. if hashcat_location_ver is False:
  49. print "\033[1;31m[-] "+hashcat_location+ " is an invalid path.\033[1;m\n"
  50. sys.exit(0)
  51. if wordlist_folder_ver is False:
  52. print "\033[1;31m[-] "+wordlist_folder+ " is an invalid path.\033[1;m\n"
  53. sys.exit(0)
  54. if hashcat_plus_binary_ver is False:
  55. print "\033[1;31m[-] "+hashcat_plus_binary+ " is an invalid path.\033[1;m\n"
  56. sys.exit(0)
  57. if hashcat_plus_folder_ver is False:
  58. print "\033[1;31m[-] "+hashcat_plus_folder+ " is an invalid path.\033[1;m\n"
  59. sys.exit(0)
  60. if master_hor_file_ver is False:
  61. cont = raw_input("\033[1;31m[-] "+master_hor_file+ " does not exist. Create it now?\033[1;m\n")
  62. if "Y" or "y" in cont:
  63. os.system("touch "+master_hor_file)
  64. else:
  65. sys.exit(0)
  66. if master_hor_ext_backup_ver is False:
  67. print "\033[1;31m[-] Can't get to "+master_hor_ext_backup+ " exiting... \033[1;m\n"
  68. sys.exit(0)
  69. def clean_up():
  70. #This function looks to see if the script has already run and deletes the two folders created by it. Then it calls the merger passwords functions.
  71. dirlist = os.listdir(".")
  72. workingdir = "working_files"
  73. crackeddir = "cracked_passwords"
  74. #remove hashcat.dicstat file
  75. os.system("rm "+hashcat_plus_folder+"/hashcat.dictstat")
  76. if workingdir in dirlist:
  77. #If we find existing directories, lets compile and merge any passwords in limbo to the master file.
  78. print "\033[1;31m[-] Found existing working directories.\033[1;m"
  79. #if os.path.exists("cracked_passwords/ophcrack.hashandpw.tmp"):
  80. # print "\033[1;34m[-] Below are hashes I don't know what to do with. Manually add them to "+master_hor_file+"\033[1;m"
  81. # print "\033[1;34m[-] Refer to --> cracked_passwords/ophcrack.hashandpw.tmp\033[1;m"
  82. # raw_input("\033[1;34m[-] Press ENTER to LESS the file...\033[1;m")
  83. # os.system("less cracked_passwords/ophcrack.hashandpw.tmp")
  84. if os.path.exists("cracked_passwords/lm.passwords.tmp"):
  85. print "\033[1;34m[-] Below are hashes I don't know what to do with. Manually add them to "+master_hor_file+"\033[1;m"
  86. print "\033[1;34m[-] Refer to --> cracked_passwords/lm.passwords.tmp\033[1;m"
  87. raw_input("\033[1;34m[-] Press ENTER to LESS the file...\033[1;m")
  88. os.system("less cracked_passwords/lm.passwords.tmp")
  89. #if lm.passwords is there, lets run the toggle attack to finish
  90. if os.path.exists("cracked_passwords/lm.passwords"):
  91. lm_toggle_case()
  92. #compile and merge anything that is there
  93. compile_all_passwords()
  94. merge_with_master()
  95. answer = raw_input("\033[1;34m[-] Do you want to see a list of the discovered passwords from last session?\033[1;m")
  96. if answer in ("Y","y"):
  97. create_final_list()
  98. while True:
  99. delwork = raw_input("\033[1;31m[-] "+workingdir+" exists. Delete? (Y/n) \033[1;m")
  100. if delwork in ("N","n"):
  101. break
  102. if delwork in ("y","Y"):
  103. shutil.rmtree("working_files/")
  104. log_file.write("[*] Clean_up() function deleted the working_files folder.")
  105. break
  106. if delwork not in ("Y","y","N","n"):
  107. print "\033[1;31m[-] Please press y or n \033[1;m"
  108. if crackeddir in dirlist:
  109. while True:
  110. delcrack = raw_input("\033[1;31m[-] "+crackeddir+" exists. Delete? (Y/n) \033[1;m")
  111. if delcrack in ("N","n"):
  112. break
  113. if delcrack in ("y","Y"):
  114. shutil.rmtree("cracked_passwords/")
  115. log_file.write("[*] Clean_up() deleted the cracked_passwords folder.")
  116. break
  117. if delcrack not in ("Y","y","N","n"):
  118. print "\033[1;31m[-] Please press y or n \033[1;m"
  119. def backup_file():
  120. #This function backs up the original hash file and creates our working directories.
  121. #Created file: working_files/<hash file>.original
  122. try:
  123. os.makedirs("working_files")
  124. os.makedirs("cracked_passwords")
  125. except:
  126. pass
  127. try:
  128. os.system("cp " +hash_file+" working_files/hashfile.original")
  129. #print "\033[1;32m[*] Backed up original hash file: "+hash_file+" to working_files/"+hash_file+".original\033[1;m"
  130. os.system("cp " +master_hor_file+ " "+master_hor_ext_backup)
  131. #print "\033[1;32m[*] Backed up master file to external media.\033[1;m"
  132. log_file.write("[*] Backupfile() backed up "+hash_file+" to: working_files/"+hash_file+".original\n")
  133. log_file.write("[*] Backupfile() backed up "+master_hor_file+" to: "+master_hor_ext_backup)
  134. except Exception, e:
  135. print "[-] Backup_file() had a problem. Exiting..."
  136. print e
  137. log_file.write("[-] Backup_file had a problem. Exiting...")
  138. sys.exit(0)
  139. #raw_input("\033[1;32m[*] Done backing up files, press ENTER to continue...\033[1;m")
  140. def check_and_cut():
  141. #This function makes a weak attempt at verifying the original file is in PWDUMP format.
  142. #Then it removes the machine$ and IUSR_ hashes out.
  143. #Finally, it creates two files for further processing.
  144. #Created files: working_files/inputfile.no.machine
  145. # working_files/lm_ntlm.ophcrack
  146. # working_files/ntlm.hashcat
  147. counter = 1
  148. for line in fileinput.input(hash_file):
  149. # line = line.lstrip()
  150. pwdump_format = re.search(r'[a-zA-Z0-9\*\s]{32}:[a-zA-Z0-9\*\s]{32}:::',line,re.M)
  151. # if pwdump_format is None:
  152. # print "\033[1;31m[-] Line "+str(counter)+" might be bad.\033[1;m"
  153. # counter +=1
  154. if pwdump_format is None:
  155. print "\033[1;31m[-] This file might not be in PWDUMP format. The rest of this might fail.\033[1;m"
  156. log_file.write("[*] Check_and_cut() function thinks the original input file might have issues.\n")
  157. #If the file looks good, pull out machine accounts and create a lm_ntlm.ophcrack and a ntlm.hashcat file
  158. #print "\033[1;32m[*] Creating Ophcrack file in LM:NTLM format and NTLM format for hashcat. Also removing machine accounts.\033[1;m"
  159. print "\033[1;34m-----------------------------------------------------------\033[1;m"
  160. print "\033[1;31m| Number of Starting Hashes \t\t"+str(count_lines(hash_file))+"\t\n\033[1;m"
  161. try:
  162. #os.system("grep -vi ASPNET "+hash_file+" > working_files/inputgrep.noaspnet")
  163. #os.system("grep -vi \\\\$ "+hash_file+" > working_files/inputgrep.nomachine")
  164. #os.system("grep -vi IUSR_ "+hash_file+"> working_files/inputgrep.noiusr")
  165. #os.system("cat working_files/inputgrep* > working_files/inputfile.no.machine")
  166. os.system("cat "+hash_file+" | grep -vi ASPNET | grep -vi \\\\$ | grep -vi IUSR_ > working_files/inputfile.no.machine")
  167. os.system("cut -d : -f3,4 working_files/inputfile.no.machine > working_files/lm_ntlm.ophcrack.tmp")
  168. #Remove all the LM hashes that have NO PASSWORD in them.
  169. os.system("cat working_files/lm_ntlm.ophcrack.tmp | grep -vi 'NO PASSWORD*********************' | grep -vi 'aad3b435b51404eeaad3b435b51404ee' | grep -vi '00000000000000000000000000000000' > working_files/lm_ntlm.ophcrack")
  170. os.system("cut -d : -f4 working_files/inputfile.no.machine > working_files/ntlm.hashcat")
  171. log_file.write("[*] Check_and_cut() sucessfully cut all files.\n")
  172. except:
  173. print "[-] Check_and_cut() had a problem. Exiting...\n"
  174. log_file.write("[-] Check_and_cut() had a problem. Exiting...\n")
  175. sys.exit(0)
  176. first_count = count_lines(hash_file)
  177. second_count_oph = count_lines("working_files/lm_ntlm.ophcrack")
  178. second_count_hashcat = count_lines("working_files/ntlm.hashcat")
  179. diff_oph = first_count - second_count_oph
  180. diff_hash = first_count - second_count_hashcat
  181. print "\033[1;34m| Non User Accounts Removed \tLM: \t"+ str(diff_oph)+"\n|\t\t\t\tNTLM: \t"+str(diff_hash)+"\t\033[1;m"
  182. def sort_and_dedupe():
  183. #This function sorts and deduplicates lm_ntlm.ophcrack and ntlm.hashcat. It outputs two files.
  184. #Created files: working_files/lm_ntlm.ophcrack.deduped
  185. # working_files/ntlm.hashcat.deduped
  186. firstfile_count = count_lines('working_files/lm_ntlm.ophcrack')
  187. os.system("sort working_files/lm_ntlm.ophcrack -u > working_files/lm_ntlm.ophcrack.deduped")
  188. secondfile_count = count_lines("working_files/lm_ntlm.ophcrack.deduped")
  189. difference1 = firstfile_count - secondfile_count
  190. log_file.write("[+] Sort_and_dedupe() removed "+str(difference1)+" duplicates from lm_ntlm.ophcrack\n")
  191. firstfile_count = count_lines('working_files/ntlm.hashcat')
  192. os.system("sort working_files/ntlm.hashcat -u > working_files/ntlm.hashcat.deduped")
  193. secondfile_count = count_lines("working_files/ntlm.hashcat.deduped")
  194. difference2 = firstfile_count - secondfile_count
  195. print "\033[1;34m| Duplicates Removed\t\tLM: \t"+str(difference1)+"\n|\t\t\t\tNTLM: \t"+str(difference2)+"\033[1;m"
  196. log_file.write("[+] Sort_and_dedupe() removed "+str(difference2)+" duplicates from ntlm.hashcat\n")
  197. raw_input("\033[1;32m| Hashes Left to Crack \t\tLM:\t"+str(count_lines("working_files/lm_ntlm.ophcrack.deduped"))+ "\n|\t\t\t\tNTLM:\t"+str(count_lines("working_files/ntlm.hashcat.deduped"))+"\n|\n| \t\tPress ENTER to continue...\n|\t\t crackHOR "+version+"\n-----------------------------------------------------------\033[1;m")
  198. def count_lines(somefile):
  199. #A simple function that counts the lines in a file.
  200. numlines = 0
  201. for line in open(somefile):
  202. numlines += 1
  203. return numlines
  204. def spin_cycle():
  205. c = 0.0
  206. file_exists = os.path.exists("cracked_passwords/hashcatPlus.hashandpw")
  207. if file_exists is True:
  208. a = count_lines("cracked_passwords/hashcatPlus.hashandpw")
  209. b = count_lines("working_files/ntlm.hashcat.deduped")
  210. c = a/b
  211. if c >= .01:
  212. print "c is " + str(c)
  213. print "hashcatPlus.hashandpw file has " +str(a)+" lines"
  214. print "ntlm.hashcat.deduped file has " +str(b)+" lines"
  215. raw_input("\n\033[1;32mAbout to hit the hashcat rules again. Continue?\033[1;m")
  216. remove_cracked_hashes()
  217. hashcat_wordlist_hor_only()
  218. def hashcat_wordlists():
  219. #This function takes ntlm.hashcat.dedup and runs it through the straight hashcat wordslist attack to pull out passwords we already have.
  220. #Creates file: cracked_passwords/hashcat.hashandpw
  221. print "\033[1;32m[*] Hashcat wordlist mode\033[1;m"
  222. try:
  223. os.system(hashcat_location+" --hash-mode 1000 --remove -o cracked_passwords/hashcat.hashandpw working_files/ntlm.hashcat.deduped "+wordlist_folder)
  224. log_file.write("[*] Hashcat_wordlists() was successful.\n")
  225. except Exception,e:
  226. print "[-] Hashcat_wordlists() had a problem. Exiting...\n"
  227. print e
  228. log_file.write("[-] Hashcat_wordlists() had a problem. Exiting...\n")
  229. sys.exit(0)
  230. def hashcat_wordlist_hor_only():
  231. compile_all_passwords()
  232. merge_with_master()
  233. os.system(hashcat_plus_binary+" --hash-type 1000 --remove -r "+hashcat_plus_folder+"rules/passwordspro.rule --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped "+master_hor_file)
  234. #raw_input("just ran spincycle on master_hor.txt")
  235. def hashcat_wordlist_with_rules():
  236. #This function takes ntlm.hashcat.dedup and runs the GPU hashcatPlus rule attacks.
  237. print "\033[1;32m[*] Hashcat wordlist WITH rules mode\033[1;m"
  238. try:
  239. os.system(hashcat_plus_binary+" --hash-type 1000 --remove -r "+hashcat_plus_folder+"rules/toggles1.rule -r "+hashcat_plus_folder+"rules/toggles2.rule -r "+hashcat_plus_folder+"rules/toggles3.rule -r "+hashcat_plus_folder+"rules/toggles4.rule -r "+hashcat_plus_folder+"rules/toggles5.rule -r "+hashcat_plus_folder+"rules/passwordspro.rule --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped "+master_hor_file)
  240. os.system(hashcat_plus_binary+" --hash-type 1000 --remove -r "+hashcat_plus_folder+"rules/"+rules+" --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped "+master_hor_file+ " "+hashcat_plus_rules_wordlists)
  241. spin_cycle()
  242. except Exception,e:
  243. print "[-] Hashcat_wordlist_with_rules() had a problem. Exiting...\n"
  244. print e
  245. log_file.write("[-] Hashcat_wordlist_with_rules() had a problem. Exiting...\n")
  246. sys.exit(0)
  247. def remove_cracked_hashes():
  248. #This function removes the discovered hashes in hashcat.hashandpw from lm_ntlm.ophcrack.deduped. Reason being, our next attack will utilize ophcrack, which uses an input file in a different format.
  249. #Creates files: working_files/hashcat.hashandpw.uniq
  250. # working_files/hashcat.hashandpw.uniq.upper
  251. # working_files/lm_ntlm.ophcrack.deduped.upper
  252. # working_files/lm_ntlm.ophcrack.deduped.ready
  253. print "\033[1;32m[*] Removing cracked hashes in hashcat.hashandpw from Ophcrack file\033[1;m"
  254. os.system("cat cracked_passwords/*.hashandpw |sort | cut -d : -f1 | uniq > working_files/hashcat.hashandpw.uniq")
  255. #Convert the hashes to uppercase because hashcat puts them in lower
  256. f1 = open('working_files/hashcat.hashandpw.uniq','r')
  257. f2 = open('working_files/hashcat.hashandpw.uniq.upper','w')
  258. for line in f1:
  259. line = line.lstrip()
  260. f2.write(line.upper())
  261. f1.close()
  262. f2.close()
  263. #Do the same with this file, just in case
  264. f3 = open('working_files/lm_ntlm.ophcrack.deduped','r')
  265. f4 = open('working_files/lm_ntlm.ophcrack.deduped.upper','w')
  266. for line in f3:
  267. line = line.lstrip()
  268. f4.write(line.upper())
  269. f3.close()
  270. f4.close()
  271. #Store all the discovered hashcat hashes in a set which we reference later
  272. with open("working_files/hashcat.hashandpw.uniq.upper", "r") as f1:
  273. keys = set(f1.read().splitlines())
  274. #Search through lm_ntlm.ophcrack.deduped line by line, referencing the set above.
  275. #If there is a match, do nothing. If there isnt a match, that means the password still needs to be cracked so write that line to a new file.
  276. with open("working_files/lm_ntlm.ophcrack.deduped.upper", "r") as f2:
  277. with open("working_files/lm_ntlm.ophcrack.deduped.ready", "w") as dest:
  278. for line in f2:
  279. line = line.strip()
  280. try:
  281. if line.split(":")[1] in keys:
  282. log_file.write("[*] Remove_hashes() "+line+" found, ignoring.\n")
  283. else:
  284. dest.write(line+"\n")
  285. log_file.write("[*] Remove_hashes() "+line+" not found sent to Ophcrack.\n")
  286. except:
  287. continue
  288. #This file will be used for the lm hash attack
  289. os.system("cut -d : -f1 working_files/lm_ntlm.ophcrack.deduped.ready > working_files/lm.hashes")
  290. def hashcat_LM():
  291. empty_hash = "AAD3B435B51404EE"
  292. with open("working_files/lm.hashes", "r") as f1:
  293. for line in f1:
  294. chunk1 = line[0:16]
  295. chunk2 = line[16:32]
  296. if empty_hash in chunk1 and chunk2:
  297. print "breaking out"
  298. break
  299. #The LM toggle case attack
  300. #Hashcat return codes:
  301. #0 = cracked
  302. #1 = not cracked
  303. #255 = weak hash
  304. #status1 = subprocess.Popen(hashcat_plus_binary+" --hash-type 3000 --outfile-format=2 --outfile working_files/hashcatPlusLM.lmpass "+chunk1+" -a 3 ?u?u?u?u?u?u?u --force --increment",shell=True).wait()
  305. #status2 = subprocess.Popen(hashcat_plus_binary+" --hash-type 3000 --outfile-format=2 --outfile working_files/hashcatPlusLM.lmpass "+chunk2+" -a 3 ?u?d?d?d?d?d?d --force --increment",shell=True).wait()
  306. #brute force blaster
  307. status1 = subprocess.Popen(hashcat_plus_binary+" --hash-type 3000 --outfile-format=2 --outfile working_files/hashcatPlusLM.lmpass "+chunk1+" -a 3 -1 charsets/lm.charset --force --increment --increment-max=7",shell=True).wait()
  308. status2 = subprocess.Popen(hashcat_plus_binary+" --hash-type 3000 --outfile-format=2 --outfile working_files/hashcatPlusLM.lmpass "+chunk2+" -a 3 -1 charsets/lm.charset --force --increment --increment-max=7",shell=True).wait()
  309. #if both are cracked then write to file
  310. if status1 is 0 and status2 is 0:
  311. f = open("working_files/hashcatPlusLM.lmpass")
  312. linelist = f.readlines()
  313. f.close()
  314. pass1 = linelist[-2]
  315. pass2 = linelist[-1]
  316. lmpass = pass1.strip()+pass2.strip()
  317. f2 = open("cracked_passwords/lm.passwords", "a")
  318. f2.write(lmpass+"\n")
  319. f2.close()
  320. #if first part is cracked and second is empty, write to file
  321. elif status1 is 0 and status2 is 255:
  322. f = open("working_files/hashcatPlusLM.lmpass")
  323. linelist = f.readlines()
  324. f.close()
  325. pass1 = linelist[-1]
  326. lmpass = pass1.strip()
  327. f2 = open("cracked_passwords/lm.passwords", "a")
  328. f2.write(lmpass+"\n")
  329. f2.close()
  330. #if both are not cracked, write to file
  331. elif status1 is 1 and status2 is 1:
  332. f4 = open("working_files/lm_not_cracked.txt", "a")
  333. f4.write("NothingCracked:"+line)
  334. f4.close()
  335. #if first is not cracked and second is empty
  336. elif status1 is 1 and status2 is 255:
  337. f5 = open("working_files/lm_not_cracked.txt", "a")
  338. f5.write("NothingCracked:"+line)
  339. f5.close()
  340. #if first is not cracked and second is cracked
  341. elif status1 is 1 and status2 is 0:
  342. f3 = open("working_files/lm_not_cracked.txt", "a")
  343. f3.write("1stHNotCracked:"+chunk1+":"+line)
  344. f3.close()
  345. #if first is not cracked and second is empty
  346. elif status1 is 1 and status2 is 255:
  347. f6 = open("working_files/lm_not_cracked.txt", "a")
  348. f6.write("1stHNotCracked:"+chunk1+":"+line)
  349. f6.close()
  350. #if first is cracked but second is not cracked
  351. elif status1 is 0 and status2 is 1:
  352. f3 = open("working_files/lm_not_cracked.txt", "a")
  353. f3.write("2ndHNotCracked:"+chunk2+":"+line)
  354. f3.close() 
  355. lm_toggle_case()
  356. remove_cracked_hashes()
  357. def lm_toggle_case():
  358. #after we're done with all the hashes, run the toggle case attack on them all to get the real password.
  359. #os.system(hashcat_location+" -m 1000 -o cracked_passwords/lm_attack.hashandpw -a 2 working_files/ntlm.hashcat.deduped cracked_passwords/lm.passwords")
  360. os.system(hashcat_plus_binary+" --hash-type 1000 --remove -r "+hashcat_plus_folder+"rules/passwordspro.rule --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped cracked_passwords/lm.passwords")
  361. def ophcrack_lm_tables():
  362. #raw_input()
  363. #This function takes the trimmed down lm_ntlm.ophcrack.deduped.ready and sends it through the XP_Special tables in ophcrack.
  364. #Creates file: cracked_passwords/ophcrack.out
  365. #print "\033[1;32m[*] Ophcrack LM table mode\033[1;m"
  366. try:
  367. #Ophcrack recommends to change the number of threads to 1 more than the amount of cores on the CPU --> -n option
  368. os.system("ophcrack -g -n 5 -e -d "+ophcrack_table_location+" -t XP_special -f working_files/lm_ntlm.ophcrack.deduped.ready -S working_files/ophcrack.session -o cracked_passwords/ophcrack.out")
  369. log_file.write("[*] Ophcrack_lm_tables() was successful.\n")
  370. except:
  371. print "[-] Ophcrack_lm_tables() had a problem. Exiting...\n"
  372. log_file.write("[-] Ophcrack_lm_tables() had a problem. Exiting...\n")
  373. sys.exit(0)
  374. def hashcat_patterns():
  375. print "\033[1;32m[*] Hashcat patterns attack\033[1;m"
  376. try:
  377. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?s?u?l?l?l?l?l?l")
  378. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?d?d?u?l?l?l?l?l")
  379. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?d?u?l?l?l?l?l?l")
  380. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?u?l?l?l?l?l?d?s")
  381. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?u?l?l?l?l?l?d?d")
  382. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?u?l?l?l?l?l?l?d?d")
  383. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?u?l?l?l?l?d?d?d?d")
  384. os.system(hashcat_plus_binary+" --hash-type 1000 --remove --outfile cracked_passwords/hashcatPlus.hashandpw working_files/ntlm.hashcat.deduped --force -a 3 ?u?l?l?l?l?l?l?l?d")
  385. except Exception,e:
  386. print "[-] Hashcat_patterns() had a problem. Exiting...\n"
  387. print e
  388. log_file.write("[-] Hashcat_patterns() had a problem. Exiting...\n")
  389. sys.exit(0)
  390. def rcrack_tables():
  391. #This function takes the outputted file from ophcrack_lm_tables(), cuts it up outputs the NTLM hashes that have not been cracked to a new file, ready for rcrack. Uncracked hashes have the ::: in them.
  392. #Creates files: working_files/rcrack.ready
  393. # cracked_passwords/rcrack.out
  394. print "\033[1;32m[*] Rcrack NTLM table mode\033[1;m"
  395. try:
  396. os.system("awk -F ':::' '{ print $2 }' cracked_passwords/ophcrack.out | sort -u > working_files/rcrack.ready")
  397. os.system("awk -F '::' '{ print $2 }' cracked_passwords/ophcrack.out | sort -u > working_files/rcrack.tmp")
  398. os.system("cut -d : -f2 working_files/rcrack.tmp | sort -u >> working_files/rcrack.ready")
  399. os.system(rcrack_location+" -l working_files/rcrack.ready -t2 "+rcrack_table_location+" -o cracked_passwords/rcrack.out")
  400. log_file.write("[*] Rcrack_tables() was successful.\n")
  401. except:
  402. print "[-] Rcrack_tables() had a problem. Exiting...\n"
  403. log_file.write("[-] Rcrack_tables() had a problem. Exiting...\n")
  404. sys.exit()
  405. def find_bad_chars():
  406. #Both ophcrack and hashcat have problems when there are colons in the password.
  407. #This function looks for them and puts them into another file for the user to look at.
  408. count1 = 0
  409. count2 = 0
  410. try:
  411. with open("cracked_passwords/ophcrack.out", "r") as f5:
  412. with open("cracked_passwords/ophcrack.hashandpw.tmp", "w") as dest:
  413. for line in f5:
  414. line = line.strip()
  415. if ":::" in line:
  416. continue
  417. else:
  418. if "\xc1" in line:
  419. print "[-] Found bad ophcrack chars. Look at cracked_passwords/ophcrack.hashandpw.tmp manually"
  420. line = line.replace("\xc1",":")
  421. dest.write(line+"\n")
  422. count1+=1
  423. else:
  424. continue
  425. except:
  426. pass
  427. if count1 == 0:
  428. tmp1 = os.path.exists("cracked_passwords/ophcrack.hashandpw.tmp")  
  429. if tmp1 is True:
  430. os.system("rm cracked_passwords/ophcrack.hashandpw.tmp")
  431. try:
  432. with open("cracked_passwords/lm.passwords", "ra") as source:
  433. with open("cracked_passwords/lm.passwords.tmp", "w") as dest:
  434. for line in source:
  435. #print "HERE WE ARE"
  436. line = line.strip()
  437. if "\x9c" in line:
  438. print "[-] Found bad hashcat chars. Look at cracked_passwords/lm.passwords.tmp"
  439. newline = line.replace("\x9c",":")
  440. dest.write(newline+"\n")
  441. count2+=1
  442. except:
  443. pass
  444. if count2 == 0:
  445. tmp2 = os.path.exists("cracked_passwords/lm.passwords.tmp")
  446. if tmp2 is True:
  447. os.system("rm cracked_passwords/lm.passwords.tmp")
  448. def compile_all_passwords():
  449. #This function takes all the cracked passwords and compiles them into a single file.
  450. #Since ophcrack outputs into a different format, we have to clean up the file first.
  451. find_bad_chars()   
  452. #devnull = open('/dev/null', 'w')
  453. os.system("cut -d : -f7- cracked_passwords/ophcrack.out |sort -u > cracked_passwords/ophcrack.pwonly")
  454. os.system("cut -d : -f2 cracked_passwords/rcrack.out |sort -u > cracked_passwords/rcrack.pwonly")
  455. os.system("cut -d : -f1,2 cracked_passwords/rcrack.out | sort -u > cracked_passwords/rcrack.hashandpw")
  456. os.system("cut -d : -f2- cracked_passwords/hashcat.hashandpw |sort -u > cracked_passwords/hashcat.pwonly")
  457. os.system("cut -d : -f2- cracked_passwords/lm_attack.hashandpw |sort -u > cracked_passwords/hashcatLM.pwonly")
  458. os.system("cut -d : -f2- cracked_passwords/hashcatPlus.hashandpw |sort -u > cracked_passwords/hashcatPlus.pwonly")
  459. oph_bad_char_file = os.path.exists("cracked_passwords/ophcrack.hashandpw.tmp")
  460. if oph_bad_char_file is True:
  461. os.system("cut -d : -f8- cracked_passwords/ophcrack.hashandpw.tmp |sort -u > cracked_passwords/ophcrack2.pwonly")
  462. os.system("cat cracked_passwords/*.pwonly |sort -u > cracked_passwords/final.pwonly")
  463. os.system("cat cracked_passwords/*.hashandpw |sort -u > cracked_passwords/final.hashandpw")
  464. def merge_with_master():
  465. #This function copies the master password file into working_files. Then we cat our final.pwonly file with that file and sent it back to
  466. #the wordlist location. Only the changes are saved.
  467. os.system("cp "+master_hor_file+" working_files/master_hor_pre.txt")   
  468. file_is_there = os.path.exists("cracked_passwords/final.pwonly")
  469. if file_is_there is True:
  470. os.system("cat cracked_passwords/final.pwonly working_files/master_hor_pre.txt | sort -u > working_files/tempcount.txt")
  471. firstfile_count = count_lines("working_files/tempcount.txt")
  472. secondfile_count = count_lines("working_files/master_hor_pre.txt")
  473. difference = firstfile_count - secondfile_count
  474. if difference > 0:
  475. os.system("cat cracked_passwords/final.pwonly working_files/master_hor_pre.txt | sort -u > "+master_hor_file)
  476. print "\033[1;34m[+] There were "+str(difference)+" new passwords added to your master file: "+master_hor_file+"\033[1;m"
  477. log_file.write("[*] Merge_with_master() says there were "+str(difference)+" new passwords added to your master file: "+master_hor_file+"\n")
  478. else:
  479. print "\033[1;32m[-] No final.pwonly found.\033[1;m"
  480. def create_final_list():
  481. counter = 0
  482. raw_input( "\033[1;34m[+] Press ENTER to see a list of the cracked creds.\033[1;m")
  483. os.system("cut -d : -f1,4 working_files/hashfile.original > working_files/details.txt")
  484. file1='working_files/details.txt'
  485. file2='cracked_passwords/final.hashandpw'
  486. file3='cracked_passwords/final.hashandpwandusername'
  487. with open(file3,"w") as final:
  488. with open(file1,"r") as f1:
  489. for line1 in f1:
  490. with open(file2,'r') as f2:
  491. for line2 in f2:
  492. if line2[:32].rstrip() in line1[-33:].rstrip():
  493. result= line1.rstrip() +"<==>"+ line2.rstrip()
  494. print result
  495. final.write(result+"\n")
  496. counter+=1
  497. print ("\033[1;34m[+] Cracked "+str(counter)+" passwords. An output file with usernames, passwords and hashes can be found in => cracked_passwords/final.hashandpwandusername \033[1;m")
  498. if __name__ == '__main__':
  499. #Specify the locations of all your stuff
  500. rcrack_table_location = "/media/DATA/labsshare/rcracki_rainbow_tables/ntlm_mixalpha-numeric#1-8_*/"
  501. ophcrack_table_location = "/coalfire/cracking/ophcrack_rainbow_tables"
  502. rcrack_location = "/coalfire/cracking/rcracki_mt_.7_beta_cuda/./rcracki_mt"
  503. hashcat_plus_binary = "/coalfire/cracking/hashcat/oclHashcat-plus-0.15/./cudaHashcat-plus64.bin"
  504. hashcat_plus_folder = "/coalfire/cracking/hashcat/oclHashcat-plus-0.15/"
  505. hashcat_location = "/coalfire/cracking/hashcat/hashcat-0.46/./hashcat-cli64.bin"
  506. wordlist_folder = "/coalfire/cracking/wordlists/"
  507. #wordlist_folder = "/media/data/crack/pword-list/"
  508. hashcat_plus_rules_wordlists = "/coalfire/cracking/wordlists/"
  509. master_hor_file = "/coalfire/cracking/wordlists/master_hor.txt"
  510. master_hor_ext_backup = "/media/ext_backup/"
  511. version = "1.2"
  512. log_file = open("hor.log", "w")
  513. keep_going = True
  514. if len(sys.argv) < 3:
  515. print "[+] USAGE:\t./filename <pwdump-file> <hashcat rule i.e. best64.rule>"
  516. print "[+] Possible rules: best64.rule, perfect.rule, combinator.rule, leetspeak.rule, specific.rule, d3ad0ne.rule, oscommerce.rule, T0XlC.rule, toggles1.rule, toggles2.rule, toggles3.rule, toggles4.rule, generated.rule, passwordspro.rule"
  517. sys.exit(0)
  518. if platform.system() == "Windows":
  519. print "[-] Windows is not supported."
  520. sys.exit(0)
  521. is_root = os.geteuid()
  522. if is_root is not 0:
  523. print "[-] Please run as root"
  524. sys.exit(0)
  525. try:
  526. hash_file = sys.argv[1]
  527. lm_option = sys.argv[2]
  528. rules = sys.argv[3]
  529. except:
  530. hash_file = sys.argv[1]
  531. rules = sys.argv[2]
  532. main()
  533. log_file.close()
Add Comment
Please, Sign In to add comment