Password cracking in the cloud
This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.
Resources used for this article:
From Paperspace, choose the Ubuntu server option that has:
Note that when you spin this up, it's reachable over SSH from anywhere in the world, so you might want to lock it down with an ACL. I also elected to pay the extra buck a month for a static IP.
Run this script to get the core updates and tools installed:
sudo dpkg --remove-architecture i386
sudo apt-get update
sudo apt-get upgrade -y
sudo apt install ocl-icd-libopencl1 git build-essential -y
sudo git clone https://github.com/hashcat/hashcat /opt/hashcat
cd /opt/hashcat
sudo git submodule update --init
sudo make
sudo git clone https://github.com/hashcat/hashcat-utils /opt/hashcat-utils
cd /opt/hashcat-utils/src
sudo make
sudo cp *.bin ../bin
cd /tmp
# For the next command go to the NVIDIA site and ensure you're downloading the latest Linux drivers (adjust the version in the URL and file names below to match)
sudo wget http://us.download.nvidia.com/XFree86/Linux-x86_64/384.69/NVIDIA-Linux-x86_64-384.69.run
sudo chmod +x ./NVIDIA-Linux-x86_64-384.69.run
sudo ./NVIDIA-Linux-x86_64-384.69.run
Then check out your Hashcat benchmarks:
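sudo /opt/hashcat/hashcat -b
to see all benchmarks (the build above leaves the binary in /opt/hashcat rather than on your PATH), or
sudo /opt/hashcat/hashcat -b -m 1000
to see just, for example, the NTLM hash crack rate.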
sudo git clone https://github.com/trustedsec/hate_crack.git /opt/hatecrack
sudo mkdir /opt/wordlists
cd /opt/wordlists
# Get the popular wordlists from Daniel Miessler
sudo git clone https://github.com/danielmiessler/SecLists.git /opt/wordlists/
cd /opt/wordlists
# Get the "human only" list of passwords from Crackstation.net
sudo wget https://crackstation.net/files/crackstation-human-only.txt.gz
# gunzip deletes the .gz itself once it has extracted it, so no separate rm is needed
sudo gunzip crackstation-human-only.txt.gz
sudo mv crackstation-human-only.txt /opt/wordlists/Passwords
# Get the base password list from Crackstation.net
sudo wget https://crackstation.net/files/crackstation.txt.gz
# gunzip deletes the .gz itself once it has extracted it, so no separate rm is needed
sudo gunzip crackstation.txt.gz
sudo mv crackstation.txt /opt/wordlists/Passwords
# Get rockyou.txt ready to rock
cd /opt/wordlists/Passwords/Leaked-Databases
sudo tar xvzf rockyou.txt.tar.gz
sudo mv rockyou.txt ..
sudo rm rock*.gz
# Get latest Pwned Passwords list from hashes.org
Go to the "leaks" area, search for "pwned" and you should find various versions of the Pwned Passwords database to download in plain text
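# Write the paths of all downloaded wordlists into one "master" list file
cd /opt/wordlists
# sudo does not apply to a shell redirect, so write the root-owned file through tee
ls -rt -d -1 "$PWD"/Passwords/*.txt | sudo tee wordlists.txt > /dev/null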
{
"hcatPath": "/opt/hashcat",
"hcatBin": "hashcat",
"hcatTuning": "--force --remove",
"hcatWordlists": "/opt/wordlists/Passwords/",
"hcatOptimizedWordlists": "/opt/wordlists/optimized",
"hcatDictionaryWordlist": ["/opt/wordlists/Passwords/rockyou.txt"],
...
...
...
splitlen_bin = "hashcat-utils/bin/splitlen.bin"
rli_bin = "hashcat-utils/bin/rli.bin"
sudo mkdir /opt/wordlists/optimized
sudo python wordlist_optimizer.py /opt/wordlists/wordlists.txt /opt/wordlists/optimized
Note: last time I ran this I had to run it with python3.
Here's an example where I crack a text file full of NTLM hashes:
sudo python /opt/hatecrack/hate_crack.py /crackme/big-bucket-of-hashes.txt 1000
Follow the rest of the hatecrack README, and have fun!
If you've followed my gist on dumping a backup of AD hashes and then cracked a list of just hashes, you may want the ability to come back in later and reconnect the relationship between hash and user. My pal hackern0v1c3 created a perfect tool for the job here. Oh, and if you need to take the output of a dump from something like secretsdump.py and turn it into something hash_combiner can chew on, try this:
cat secrets_dump.txt | cut -d'\' -f2 | cut -d':' -f1,4 > secrets_dump_reformated.txt
Enjoy!
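The cut pipeline above also emits an entry for every other line in the dump file, such as banner lines or Kerberos key lines. The following is an added example, not from the original page or from hash_combiner, that keeps only well-formed lines; the function names, the sample data and the assumed line shape `[DOMAIN\]user:RID:LMhash:NThash:::` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): stricter version of the cut
# pipeline above. Assumed input line shape: [DOMAIN\]user:RID:LMhash:NThash:::
# Output: user:NThash, the same two fields that cut -f1,4 keeps.

secretsdump_to_userhash() {
    awk -F: '
        # Accept a line only if it has a numeric RID and two 32-hex-digit hashes.
        NF >= 4 && $2 ~ /^[0-9]+$/ &&
        length($3) == 32 && $3 ~ /^[0-9A-Fa-f]+$/ &&
        length($4) == 32 && $4 ~ /^[0-9A-Fa-f]+$/ {
            user = $1
            sub(/^.*\\/, "", user)   # drop a leading domain prefix, if any
            if (user != "") print user ":" tolower($4)
        }
    ' "$@"
}

# Constructed sample input; domain, users and NT hash values are made up.
sample_dump() {
    cat <<'EOF'
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
EXAMPLE\alice:1104:aad3b435b51404eeaad3b435b51404ee:00112233445566778899AABBCCDDEEFF:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
EXAMPLE\carol:1106:aad3b435b51404eeaad3b435b51404ee:0011223344:::
EXAMPLE\alice:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff
EOF
}

# With file arguments, convert those files; with none, run the sample.
if [ "$#" -gt 0 ]; then
    secretsdump_to_userhash "$@"
else
    sample_dump | secretsdump_to_userhash
fi
```

On the sample, only the alice and bob lines survive; the banner, the truncated hash and the Kerberos key line are dropped instead of being written out as malformed user:hash entries.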
First capture the handshake. Then convert the .cap to hccapx format with:
/opt/hashcat-utils/bin/cap2hccapx.bin NAME-OF-YOUR.cap NAME-OF-YOUR.hccapx
Then see this page for all the different ways you can attack the handshake (dictionary, brute-force, etc.). One example of a dictionary attack is:
hashcat.exe -m 2500 NAME-OF-YOUR.hccapx rockyou.txt
Or if using hatecrack:
/opt/hatecrack/hate_crack.py /NAME-OF-YOUR.hccapx 2500
I found that this script is really helpful for monitoring changes to the hashcat.pot file and then triggering an action of your choice.
For example, you could save the mikedmullin script as monme.sh and then have a command like this:
monme.sh /opt/hashcat/hashcat.pot /scripts/somescript.sh
The somescript.sh would contain the commands you'd want to have run once a change to the hashcat.pot file was detected.