├── PS_MultiCrack.ps1 ├── README.txt └── PS_MultiCrack.sh /PS_MultiCrack.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NetSPI/PS_MultiCrack/HEAD/PS_MultiCrack.ps1 -------------------------------------------------------------------------------- /README.txt: -------------------------------------------------------------------------------- 1 | READ ME 2 | ---------------------------------------------------------------------------------- 3 | You need to specify your rcrack, john, and rainbow table directories in the script 4 | ---------------------------------------------------------------------------------- 5 | 6 | Usage: PS_MultiCrack.ps1 INPUT_FILE OUTPUT_FILE 7 | or 8 | Usage: PS_MultiCrack.sh INPUT_FILE OUTPUT_FILE 9 | 10 | 11 | Hashes in the input file need to be in either format: 12 | Domain\User:::LMHASH:NTLMHASH:1122334455667788 13 | User::Domain:LMHASH:NTLMHASH:1122334455667788 14 | 15 | The output file writes to the directory that you run this script from. 16 | 17 | Latest Updates: (as of 01/09/2013) 18 | 19 | -Additional support for linux now 20 | -Same functionality, just now it's written in bash 21 | 22 | -No need for a functional netntlm.pl 23 | -I found people had issues getting it to work, 24 | so I rewrote it in this script 25 | -Much cleaner output to the powershell window 26 | -I nulled the output for rcrack, so it looks better 27 | -Hashes can be either format listed above 28 | 29 | If you find any issues in either script, please let me know. 
-------------------------------------------------------------------------------- /PS_MultiCrack.sh: --------------------------------------------------------------------------------
#!/bin/bash

##########################################################################################
# PS_MultiCrack
# Fully cracks LM Half Chall passwords from an input file using Rcrack_mt and John
#
# Usage: PS_MultiCrack.sh INPUT_FILE OUTPUT_FILE
#
# Requirements:
# -Rcracki_mt, Rainbow tables, and John
#
# To Add:
# - Stats for number of hashes cracked, number not found, total time
# - Delete the previous temp files on startup
# - Add option to load a config file, or just take the RT and Rcrack paths as parameters
#
#
# Originally written by Karl Fosaaen
# Twitter: @kfosaaen
# Translated to bash by Ryan Gandrud
# Twitter: @siegenapster
#
##########################################################################################

#Review notes (script read as written; nothing below changes behavior):
# - No 'set -e' / 'set -u': a failed cd, a missing tool or an unset input_file is not
#   detected, the next command simply runs in whatever state is left. Check the exit
#   status of the critical steps (cd, rcrack, john) explicitly.
# - Almost every expansion ($p, $input_file, $pot_file_loc, $file_to_write, ...) is
#   unquoted (ShellCheck SC2086): values containing whitespace or glob characters are
#   split or globbed before the command sees them.
# - The rcrack/john command lines are assembled as single strings and executed through
#   backticks, so they are word-split on whitespace; paths or usernames with spaces will
#   not survive that.
# - The output file and john.pot both end up holding cleartext passwords, created with
#   the default umask; treat both as sensitive artifacts (restrict permissions, clean up).

#Setup your local directories for stuff here
#These three paths are baked in; the '~' expands because the right-hand side is unquoted.
#The 'To Add' list above already calls for making them parameters or a config file.
#This should be your John\Run directory
John_DIR=~/Desktop/Scripts/john-1.7.9-jumbo-6/run
#Where your rcrack_mt.exe lives
rcrack_DIR=~/Desktop/rcracki_mt_0.7.0_src/rcracki_mt/rcracki_mt

#Where your halflmchall Rainbow tables are
rtables_DIR=~/Desktop/Cracking/halflmchall

#Checks your ARGS
#NOTE: the else-branches only print a message, there is no 'exit'. With the wrong
#argument count the script continues with input_file/home_DIR/file_to_write unset and
#the '< $input_file' redirects below fail.
if [ $# -eq 2 ]
then
input_file=$1
output_file=$2
#Writes your output file to the dir that you run this from
#home_DIR is the directory the script file itself lives in (dirname of BASH_SOURCE),
#not necessarily the current working directory; the README's "directory you run this
#from" only holds when the two coincide.
home_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
file_to_write="$home_DIR/$output_file"
half_hash_loc="$home_DIR/halfhash.txt"
else
if [ $# -eq 1 ]
then
echo "No second argument supplied"
fi
if [ $# -eq 0 ]
then
echo "No arguments supplied"
fi
if [ $# -gt 2 ]
then
echo "Too many arguments supplied"
fi
fi

#Just some global variables
LineNum=1
#LineValid is assigned here but never read anywhere in this script.
LineValid="true"

#Verify the hashes in the file before trying to open them
#Pass 1: check field layout and field lengths of every input line before any cracking
#starts. The loop stops at the first bad line; because the 'exit' calls below carry no
#status, the script then exits 0 and a caller cannot tell validation failed.
while read -r p; do
#The read -r makes backslash does not act as an escape character.

#Resets each iteration
input_type="DEFAULT"


#Check if it's DOMAIN\User
#$p is unquoted here and in every cut below, so a line containing glob characters
#would be expanded before reaching cut; hash lines normally contain only ':' and '\',
#which is why it works in practice.
username_check=$(echo $p | cut -f1 -d:)
#Write-Host "Line"$username_check
#(the Write-Host lines are leftovers from the PowerShell original)

#Checks if the Domain is after the second :, if so, then it's John format
domain_check=$(echo $p | cut -f3 -d:)
#Write-Host "Line"$domain_check

#Length of 48
lmhash_check=$(echo $p | cut -f4 -d:)
#Write-Host "Line"$lmhash_check

#Length of 48
ntlmhash_check=$(echo $p | cut -f5 -d:)
#Write-Host "Line"$ntlmhash_check

#Length of 16
salt_check=$(echo $p | cut -f6 -d:)
#Write-Host "Line"$salt_check

#Check if third field is empty. If so, then format is John
if [ ${#domain_check} -ge 1 ]
then
input_type="JOHN"
fi

#Check if username contains \. If so, if input_type is still DEFAULT, then there is an error in formatting.
if [[ ! "$username_check" == *'\'* ]]
then
if [ $input_type == "DEFAULT" ]
then
echo -e "Line"$LineNum" is not properly formatted at the Domain\Username. Add a \\ \n\n$p\n\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
#Bare 'exit' returns the status of the preceding echo (0); use 'exit 1' so the
#failure is visible to the caller. Same for the three exits below.
exit
fi

fi

#Check if lmhash_check is a valid lm hash length
if [ ${#lmhash_check} -ne 48 ]
then
echo -e "Line $LineNum is not properly formatted at the LMHASH.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
exit
fi

if [ ${#ntlmhash_check} -ne 48 ]
then
echo -e "Line $LineNum is not properly formatted at the NTLMHASH.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
exit
fi

if [ ${#salt_check} -ne 16 ]
then
echo -e "Line $LineNum is not properly formatted at the SALT.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
exit
fi

LineNum=$(($LineNum + 1))

#This is the input file for the while loop above
#A final line without a trailing newline is skipped by 'read' (both here and in the
#second loop); 'while read -r p || [[ -n "$p" ]]' would include it.
done < $input_file

#Start the big loop
#Pass 2: one cracking attempt per input line. 'username' is only assigned in the
#JOHN-format branch below and is never reset, so on a Domain\User line it is either
#empty (first line) or stale from an earlier iteration.
while read -r p; do

#parsing the hash
domain=$(echo $p | cut -f3 -d:)
lmhash=$(echo $p | cut -f4 -d:)
ntlmhash=$(echo $p | cut -f5 -d:)
salt=$(echo $p | cut -f6 -d:)
if [ ${#domain} -ge 1 ]
then
username=$(echo $p | cut -f1 -d:)
#domain was already read a few lines above; this re-read is redundant.
domain=$(echo $p | cut -f3 -d:)
#Produces USER\DOMAIN (username first); this is also what is passed to john's -user: later.
username_to_crack=$username'\'$domain
correct_string=$username_to_crack":::"$lmhash":"$ntlmhash":"$salt
else
username_to_crack=$(echo $p | cut -f1 -d:)
correct_string=$p
fi

#Check if the hash is already in john.pot
#john.pot is john's store of already-cracked hashes, so any cleartext recovered in an
#earlier run is read back from it here — another file that needs restricted permissions.
pot_file_loc=$John_DIR"/john.pot"
#'-a' is the deprecated spelling of '-e' (file exists).
if [ -a $pot_file_loc ]
then
#'done' is used as an ordinary variable; it only has its keyword meaning at command
#position, but it is easy to misread next to the loop terminators.
done="false"
while read -r q; do
#Parsing the john.pot file
#Delimiter is a literal '$' (an unquoted '$' at the end of a word is not expanded).
#Takes the 4th '$'-separated field and splits it at ':' into hash and password; this
#assumes john's pot line layout puts them there — TODO confirm for the john version in use.
pot_hash_start=$(echo $q | cut -f4 -d$)
pot_hash=$(echo $pot_hash_start | cut -f1 -d:)
prev_pass=$(echo $pot_hash_start | cut -f2 -d:)

if [ "$pot_hash" == "$ntlmhash" ]
then
prev_cracked="Previously Cracked:"$username_to_crack" "$prev_pass
#The backticks only run the echo for its side effect (appending to the output file);
#the empty substitution result becomes an empty command. A plain 'echo ... >> file' is equivalent.
`echo $prev_pass" ("$username_to_crack")" >> $file_to_write`
echo -e $prev_cracked
done="true"
fi
done < $pot_file_loc
else
echo "No john.pot file available"
done="false"
fi

#If hash not found in john.pot, start the cracking loop
if [ $done == "false" ]
then
echo "$username_to_crack is going to get cracked"
#current.txt in home_DIR holds the full challenge/response line for this one user.
file_loc=$home_DIR"/current.txt"
echo $correct_string > $file_loc

HALFHASH=${lmhash:0:16}
#Assembled as one string and executed by word-splitting below. Note '-o halfhash.txt'
#is relative to the current working directory, while half_hash_loc (tested next) is
#$home_DIR/halfhash.txt; the two coincide only once the loop has done 'cd $home_DIR'
#(end of each iteration) or the script was started from its own directory.
rcrack_command=$rcrack_DIR" -h "$HALFHASH" "$rtables_DIR" -o halfhash.txt"
#rcrack's exit status and output are captured into 'rcrack' but never checked or used.
rcrack=`$rcrack_command`
#If the halfhash.txt is created, then continue cracking
#A stale halfhash.txt left by an earlier run (see the "Delete the previous temp files on
#startup" TODO in the header) also satisfies this test.
if [ -a $half_hash_loc ]
then
#Parse out the seed to pipe into john
Del_Half="true"
#Only the last line of halfhash.txt survives this loop; seedin1 is assigned but never used.
while read -r z; do
seedin1=$z
seed=$(echo $z | cut -f2 -d:)
done < $half_hash_loc

#Unchecked cd: if John_DIR is wrong, the relative tmpcrack/ paths, the mkdir and the
#later 'rm -rf tmpcrack' all act on whatever the current directory happens to be.
#Guard it with: cd "$John_DIR" || exit 1
cd $John_DIR

#Writing own custom john.conf file for LM cracking
#Per-hash john.conf: an incremental LM section plus an external filter that fixes
#word[0..6] to the seed characters recovered above, and a set of case-toggle rules.
#The seed characters are spliced in between single quotes, so a seed containing a
#quote or a backslash would produce an invalid config — TODO: escape or reject such seeds.
Conftowrite="[Incremental:LM]\nFile = lanman.chr\nMinLen = 1\nMaxLen = 7\nCharCount = 69\n\n[List.External:HalfLM]\nvoid init()\n{\n word[14] = 0;\n}\n\nvoid filter()\n{\n word[13] = word[6];\n word[12] = word[5];\n word[11] = word[4];\n word[10] = word[3];\n word[9] = word[2];\n word[8] = word[1];\n word[7] = word[0];\n word[6] = '"${seed:6:1}"';\n word[5] = '"${seed:5:1}"';\n word[4] = '"${seed:4:1}"';\n word[3] = '"${seed:3:1}"';\n word[2] = '"${seed:2:1}"';\n word[1] = '"${seed:1:1}"';\n word[0] = '"${seed:0:1}"';\n}\n\n[List.Rules:Wordlist]\n:\n-c T0Q\n-c T1QT[z0]\n-c T2QT[z0]T[z1]\n-c T3QT[z0]T[z1]T[z2]\n-c T4QT[z0]T[z1]T[z2]T[z3]\n-c T5QT[z0]T[z1]T[z2]T[z3]T[z4]\n-c T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]\n-c T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]\n-c T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]\n-c T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]\n-c TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]\n-c TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]\n-c TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]\n-c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]"

john_temp_folder=$John_DIR"/tmpcrack"
#Both branches create the same three files; the only difference is '>' versus '>>' for
#john.conf. The relative 'tmpcrack/' paths rely on the cd above having succeeded.
if [ -a $john_temp_folder ]
then
echo -e $Conftowrite > tmpcrack/john.conf
touch tmpcrack/john.dict
touch tmpcrack/john.session
else
mkdir $john_temp_folder
echo -e $Conftowrite >> tmpcrack/john.conf
touch tmpcrack/john.dict
touch tmpcrack/john.session
fi

#Commands to execute for cracking with john
#Each *Comm string is executed through backticks and therefore word-split; $file_loc
#and -user:$username_to_crack must not contain whitespace for this to work.
LMCrackerComm="./john -format:netlm -config:tmpcrack/john.conf -external:HalfLM -incremental:LM -session:tmpcrack/john.session $file_loc"
LMShowComm="./john -format:netlm -show $file_loc"
NTLMCrackerComm="./john -format:netntlm -config:tmpcrack/john.conf -wordlist:tmpcrack/john.dict --rules -user:$username_to_crack -session:tmpcrack/john.session $file_loc"

#Crack the LM
#LMCracker captures john's output but is never read; the exit status is not checked either.
LMCracker=`$LMCrackerComm`
#Get the LM from the -show command
LMShow=`$LMShowComm`
seed2=$(echo $LMShow | cut -f2 -d:)
echo $seed2 >> tmpcrack/john.dict

#Crack the NTLM
NTLMCracker=`$NTLMCrackerComm > /dev/null`

#Clean up temp files
#Relative path: removes $John_DIR/tmpcrack only if the cd above succeeded. The
#backticks around rm are unnecessary.
`rm -rf tmpcrack`

#Run john a third time to output the case-sensitive password for easier parsing
John_command3="./john -format:netntlm -show "$file_loc
ntlm_return=`$John_command3`
final_username=$(echo $ntlm_return | cut -f1 -d:)
final_pass=$(echo $ntlm_return | cut -f2 -d:)
#First branch compares against $username, which is empty or stale for Domain\User input
#(see the note at the top of the loop); the elif on username_to_crack is the one that
#applies in that case. Neither branch reports anything if john -show returned no match.
if [ "$final_username" == "$username" ]
then
#Cleartext password appended to the output file, which is created with the default
#umask; set 'umask 077' before running (or chmod the file) when results must stay confined.
echo -e $final_pass" ("$username")" >> $file_to_write
echo -e "\nSuccessfully cracked "$username_to_crack" - Password is "$final_pass"\n"
elif [ "$final_username" = "$username_to_crack" ]
then
echo -e $final_pass" ("$username_to_crack")" >> $file_to_write
echo -e "\nSuccessfully cracked "$username_to_crack" - Password is "$final_pass"\n"
fi
#If the halflm is not found in the rainbow tables
else
echo -e "The hash for "$username_to_crack" was not found in the rainbow tables."
echo -e "The hash for "$username_to_crack" was not found in the rainbow tables." >> $file_to_write
Del_Half="false"

fi

#Clean up temp files
#Unchecked cd back to home_DIR; the two relative rm calls below depend on it having
#succeeded. current.txt and halfhash.txt both contain hash material for the current user.
cd $home_DIR
if [ $Del_Half == "true" ]
then
`rm halfhash.txt`
fi
`rm current.txt`
fi


#This is the input file for the while loop above
done < $input_file

--------------------------------------------------------------------------------