Cat under the hood. Part 1

In our work we actively use hashcat, but we began to miss some functions in this product. For example: the ability to send notifications, the presence of a single interface to manage hacking hashes, convenient storage of "hacked" hashes (after a while, hashcat.potfile hurts your eyes). In some situations, it is necessary to perform parallel hacking hashes, that is, to distribute hacking tasks among several hosts.

In this series of articles, we want to share our "finds" on the topic of management interfaces and / or the distributed launch of the hashcat program, storing statistics on the "hacked" hashes. In the first part we will look at some existing solutions, then we will take a closer look at the Hashtopolis product.

In general, if the topic is close to you - ask "under the cat" and in the comments.

Talk about cats

A bit about hashcat itself (hashcat)

Hashcat is, according to the creators, the world's fastest password recovery tool. Versions are available for Linux, macOS and Windows, and can be presented in variants based on CPU or GPU.

Hashcat gained its popularity due to the flaws found by its creator in other programs that use data encryption. At the moment, Hashcat is actively used to select WPA / WPA2 passwords, crack passwords from MS Office documents, PDF, 7-Zip, RAR, TrueCrypt.

A source

What kind of hashes hacking is?

Today, the most common authentication method is “password authentication”. The user (or “process”) in one form or another sends the password to check the target system, where the obtained data is compared with the presentation that is stored in the system. For example, in the case of digest authentication, the password is not transmitted and is not stored in clear text, but using cryptography, some session identifier is converted by overlaying the password hash value. A similar procedure is performed on the target system, and if the results of the two operations are the same — authentication is considered passed, an authorization cookie is generated, or a TGT, or something else.
')
The authentication mechanism in the Web is summarized here: https://habr.com/ru/en/post/28534/, and in detail here: https://habr.com/ru/company/dataart/blog/262817/

Another task arises for a security researcher (or auditor) - pick / guess passwords, intercept or bypass authentication.

In the case of attacks on passwords, you can divide into two categories (and everything else in the third, for example the attack “spying on the user input”):

online attacks: multiple authentication attempts by selecting a password, which can “make a lot of noise” or cause account lockout. This is similar to “picking” with master keys in the keyhole - the owners can call the police, and even cause injuries;
offline attacks: the attacker managed to get the hashes, and a more targeted system is not required for password selection, the whole process takes place on the attacker's side. As if you managed to get the "cast" of the castle and "pick" away from the guarded door.

There may be situations like picking up passwords for archives, protected documents or private keys, but in general this is a password attack, i.e. need to pick up the key / combination to the lock.

Most attacks on passwords and hashes can be divided into:

"Dictionary" (English "dictionary", "wordlist")
"In the forehead" (or "brutfors" from the English. "Bruteforce", ie, "brute force")
"Hybrid" (dictionary + some mask for brute force)

As a result of searching the network for ready-made "interfaces" for working with hashcat, we came across the following solutions:

The names begin with the word 'hash' - from English this word is translated as “a hodgepodge”, “confusion”, “a dish of finely chopped meat and vegetables”. If you literally translate these names into Russian, the resulting phrases give rise to a mess in the reader's brain. The name “Hashtopussy” is especially wildly perceived (smile)

Let's start the review with Hashpass . He was interested in a wealth of functions (at first glance): a line of hashes to break in, visualization on the global map of caught WPA-handshake, C2C for “spy” raspberries, support for SMS informing, beautiful wallpaper a fun interface with visualization. The task status panel in Hashpass looks like this:

When diving into a project description on GitHub, it was discovered that for distributed hacking hashes "dj-zombie" developed a separate project Hive. We did not manage to find relevant information about this project. Those. "Out of the box" to get a "conductor's stick" for parallel hacking on several hosts is impossible. As a stand-alone solution, Hashpass is very interesting, and given the related project Rotten Pi - you should definitely pay attention to Hashpass.

On this familiarity with Hashpass ended, perhaps we will return to his detailed review in a series of articles.

The Hashview project is not inferior to its fellow Hashpass in terms of functional richness, and the approach to the “visual component” of the interface, we believe, is better implemented.

Example of the statistics screen:

Here is what Hashview has to offer:

Collaboration - the application supports the creation of separate accounts and the distribution of roles
OTP (One Time Password) support for user authentication
Direct access to the hashcat command interface of the instance
Creating queues of tasks for cracking hashes
Event Email Notifications
Search the internal database of hashes, username, password
Metric Visualization and Reporting System

Installing a Hashview server requires a working hashcat on the host, the current RVM, MySQL, Redis environment. Ubuntu support for versions 14.04 and 16.04 is officially announced; in other Linux distributions, Hashview has been confirmed by the community.

And now about the "cons":

The project officially supports hashcat 4.x, support for version 5 is unknown (there is a ticket https://github.com/hashview/hashview/issues/448)
Agent support is still officially in the “Alpha” version, and in our case support for Windows agents is important (https://github.com/hashview/hashview/wiki/04-Distributed-Cracking)

Both projects, Hashpass and Hashview, create the impression of abandonment, commits have been in the repository for a long time, and the documentation is not updated.

We decided to put Hashview on one shelf with Hashpass and move on to the next project.

Hashtopolis saw the light in 2016 as the development of a “wrapper” for hashcat - Hashtopus (https://github.com/curlyboi/hashtopus). At first it was called “Hashtopussy”, but for reasons of “political correctness” it was renamed “Hashtopolis”. Official page of the project: https://hashtopolis.org. In fact, this is a forum where you can collect useful information about the product. Also found a channel on the Discord: https://discord.gg/S2NTxbz

Features and features of Hashtopolis:

“Easy + convenient” install and use server / agents
Access from anywhere via the web interface
Adaptability of the server side with common web hosting configurations
Autonomous agents at controlled crack stations
Manage dictionaries and rules files
Auto Update Hashtopolis and Hashcat
Hacking multiple hash lists of the same type as if they were the same list.
A single file for running the agent on Windows, Linux and OS X
Files and hashes marked as “secret” (secret) are distributed only to agents marked as “trusted”
Many parameters of data import and export
Rich statistics on hashes and running tasks
A visual representation of the distribution of “hash chunks” (chunk distribution)
Multi-user work with the application
Support user access levels
Different types of notifications
The ability to create mini-tasks for hacking hashes by the CPU
Granular distribution of access through the use of groups in the appointment of agents and users

The most "captivating" chip of Hashtopolis for us was the support of notifications in Telegram right out of the box. We use this messenger on a daily basis. Getting timely notifications about “hacked” hashes seemed extremely attractive. Of course, this functionality can be implemented by scripts, but this feature was not the only one that attracted to Hashtopolis.

Hashtopolis can manage hashcat instances starting with version 4.0.0. Support for “generic crackers” (some common command interface to software for “hacking hashes”) is also implemented. More information about generic crackers here

The appearance of the Hashtopolis interface is pleasant, and the navigation becomes clear after a few minutes of acquaintance.

Task list:

Beautiful statistics on the work of the agent:

Additional sources of information we referred to on Hashtopolis:

Project repository on GitHub: https://github.com/s3inlc/hashtopolis
Wiki project pages on GitHub: https://github.com/s3inlc/hashtopolis/wiki
Blog of one of the developers of the project (s3inlc): https://s3inlc.wordpress.com
Hashtopolis API documentation is available in a PDF document: https://github.com/s3inlc/hashtopolis/blob/master/doc/protocol.pdf

This concludes the introductory part, we shared our “first impression”. Unfortunately, the reviewed projects do not have the best quality documentation, the information is scattered and is presented very concisely.

We hope that we managed to arouse the interest of the reader to the reviewed products, because the more users there are, the better the projects will become and, as a result, more information will appear on usage.

In the next part, we will analyze the installation and configuration of the Hashtopolis product.

Source: https://habr.com/ru/post/445740/

All Articles

Cat under the hood. Part 1

Talk about cats

More articles: