opexxx

PS_MultiCrack.sh

May 6th, 2014
280
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 9.08 KB | None | 0 0
  1. #!/bin/bash
  2.  
  3. ##########################################################################################
  4. # PS_MultiCrack
  5. #       Fully cracks LM Half Chall passwords from an input file using Rcrack_mt and John
  6. #
  7. # Usage: PS_MultiCrack.sh INPUT_FILE OUTPUT_FILE
  8. #
  9. # Requirements:
  10. #               -Rcracki_mt, Rainbow tables, and John
  11. #
  12. # To Add:
  13. #        - Stats for number of hashes cracked, number not found, total time
  14. #        - Delete the previous temp files on startup
  15. #        - Add option to load a config file, or just take the RT and Rcrack paths as parameters
  16. #
  17. #
  18. # Originally written by Karl Fosaaen
  19. #   Twitter: @kfosaaen
  20. # Translated to bash by Ryan Gandrud
  21. #   Twitter: @siegenapster
  22. #
  23. ##########################################################################################
  24.  
  25. #Setup your local directories for stuff here
  26. #This should be your John\Run directory
  27. John_DIR=~/Desktop/Scripts/john-1.7.9-jumbo-6/run
  28. #Where your rcrack_mt.exe lives
  29. rcrack_DIR=~/Desktop/rcracki_mt_0.7.0_src/rcracki_mt/rcracki_mt
  30.  
  31. #Where your halflmchall Rainbow tables are
  32. rtables_DIR=~/Desktop/Cracking/halflmchall
  33.  
  34. #Checks your ARGS
  35. if [ $# -eq 2 ]
  36. then
  37.     input_file=$1
  38.     output_file=$2
  39.     #Writes your output file to the dir that you run this from
  40.     home_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
  41.     file_to_write="$home_DIR/$output_file"
  42.     half_hash_loc="$home_DIR/halfhash.txt"
  43. else
  44.     if [ $# -eq 1 ]
  45.     then
  46.         echo "No second argument supplied"
  47.     fi
  48.     if [ $# -eq 0 ]
  49.     then
  50.         echo "No arguments supplied"
  51.     fi
  52.     if [ $# -gt 2 ]
  53.     then
  54.         echo "Too many arguments supplied"
  55.     fi
  56. fi
  57.  
  58. #Just some global variables
  59. LineNum=1
  60. LineValid="true"
  61.  
  62. #Verify the hashes in the file before trying to open them
  63. while read -r p; do
  64. #The read -r makes backslash does not act as an escape character.
  65.  
  66.     #Resets each iteration
  67.     input_type="DEFAULT"
  68.  
  69.  
  70.     #Check if it's DOMAIN\User
  71.     username_check=$(echo $p | cut -f1 -d:)
  72.     #Write-Host "Line"$username_check
  73.    
  74.     #Checks if the Domain is after the second :, if so, then it's John format
  75.     domain_check=$(echo $p | cut -f3 -d:)
  76.     #Write-Host "Line"$domain_check
  77.    
  78.     #Length of 48
  79.     lmhash_check=$(echo $p | cut -f4 -d:)
  80.     #Write-Host "Line"$lmhash_check
  81.    
  82.     #Length of 48
  83.     ntlmhash_check=$(echo $p | cut -f5 -d:)
  84.     #Write-Host "Line"$ntlmhash_check
  85.    
  86.     #Length of 16
  87.     salt_check=$(echo $p | cut -f6 -d:)
  88.     #Write-Host "Line"$salt_check
  89.  
  90.     #Check if third field is empty. If so, then format is John
  91.     if [ ${#domain_check} -ge 1 ]
  92.     then
  93.         input_type="JOHN"
  94.     fi
  95.  
  96.     #Check if username contains \. If so, if input_type is still DEFAULT, then there is an error in formatting.
  97.     if [[ ! "$username_check" == *'\'* ]]
  98.     then
  99.         if [ $input_type == "DEFAULT" ]
  100.         then
  101.             echo -e "Line"$LineNum" is not properly formatted at the Domain\Username. Add a \\ \n\n$p\n\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
  102.         exit
  103.         fi
  104.        
  105.     fi
  106.  
  107.     #Check if lmhash_check is a valid lm hash length
  108.     if [ ${#lmhash_check} -ne 48 ]
  109.     then
  110.         echo -e "Line $LineNum is not properly formatted at the LMHASH.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
  111.     exit
  112.     fi
  113.  
  114.     if [ ${#ntlmhash_check} -ne 48 ]
  115.     then
  116.         echo -e "Line $LineNum is not properly formatted at the NTLMHASH.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
  117.     exit
  118.     fi
  119.  
  120.     if [ ${#salt_check} -ne 16 ]
  121.     then
  122.         echo -e "Line $LineNum is not properly formatted at the SALT.\n\n$p\n\nCheck your hashes and/or your colons.\nProper hash format is:\n\nDomain\USER:::LMHASH:NTLMHASH:1122334455667788\nor\nUSER::Domain:LMHASH:NTLMHASH:1122334455667788\n"
  123.     exit
  124.     fi
  125.  
  126.     LineNum=$(($LineNum + 1))
  127.  
  128. #This is the input file for the while loop above
  129. done < $input_file
  130.  
  131. #Start the big loop
  132. while read -r p; do
  133.  
  134.     #parsing the hash
  135.     domain=$(echo $p | cut -f3 -d:)
  136.     lmhash=$(echo $p | cut -f4 -d:)
  137.     ntlmhash=$(echo $p | cut -f5 -d:)
  138.     salt=$(echo $p | cut -f6 -d:)
  139.     if [ ${#domain} -ge 1 ]
  140.     then
  141.         username=$(echo $p | cut -f1 -d:)
  142.         domain=$(echo $p | cut -f3 -d:)
  143.         username_to_crack=$username'\'$domain
  144.         correct_string=$username_to_crack":::"$lmhash":"$ntlmhash":"$salt
  145.     else
  146.         username_to_crack=$(echo $p | cut -f1 -d:)
  147.         correct_string=$p
  148.     fi
  149.  
  150.     #Check if the hash is already in john.pot
  151.     pot_file_loc=$John_DIR"/john.pot"
  152.     if [ -a $pot_file_loc ]
  153.     then
  154.         done="false"
  155.         while read -r q; do
  156.             #Parsing the john.pot file
  157.             pot_hash_start=$(echo $q | cut -f4 -d$)
  158.             pot_hash=$(echo $pot_hash_start | cut -f1 -d:)
  159.             prev_pass=$(echo $pot_hash_start | cut -f2 -d:)
  160.  
  161.             if [ "$pot_hash" == "$ntlmhash" ]
  162.             then
  163.                 prev_cracked="Previously Cracked:"$username_to_crack" "$prev_pass
  164.                 `echo $prev_pass"     ("$username_to_crack")" >> $file_to_write`
  165.                 echo -e $prev_cracked
  166.                 done="true"
  167.             fi
  168.         done < $pot_file_loc
  169.     else
  170.         echo "No john.pot file available"
  171.         done="false"
  172.     fi
  173.  
  174.     #If hash not found in john.pot, start the cracking loop
  175.     if [ $done == "false" ]
  176.     then
  177.         echo "$username_to_crack is going to get cracked"
  178.         file_loc=$home_DIR"/current.txt"
  179.         echo $correct_string > $file_loc
  180.  
  181.         HALFHASH=${lmhash:0:16}
  182.         rcrack_command=$rcrack_DIR" -h "$HALFHASH" "$rtables_DIR" -o halfhash.txt"
  183.         rcrack=`$rcrack_command`
  184.         #If the halfhash.txt is created, then continue cracking
  185.         if [ -a $half_hash_loc ]
  186.         then
  187.             #Parse out the seed to pipe into john
  188.             Del_Half="true"
  189.             while read -r z; do
  190.                 seedin1=$z
  191.                 seed=$(echo $z | cut -f2 -d:)
  192.             done < $half_hash_loc
  193.  
  194.             cd $John_DIR
  195.  
  196.             #Writing own custom john.conf file for LM cracking
  197.             Conftowrite="[Incremental:LM]\nFile = lanman.chr\nMinLen = 1\nMaxLen = 7\nCharCount = 69\n\n[List.External:HalfLM]\nvoid init()\n{\n  word[14] = 0;\n}\n\nvoid filter()\n{\n  word[13] = word[6];\n  word[12] = word[5];\n  word[11] = word[4];\n  word[10] = word[3];\n  word[9] = word[2];\n  word[8] = word[1];\n  word[7] = word[0];\n  word[6] = '"${seed:6:1}"';\n  word[5] = '"${seed:5:1}"';\n  word[4] = '"${seed:4:1}"';\n  word[3] = '"${seed:3:1}"';\n  word[2] = '"${seed:2:1}"';\n  word[1] = '"${seed:1:1}"';\n  word[0] = '"${seed:0:1}"';\n}\n\n[List.Rules:Wordlist]\n:\n-c T0Q\n-c T1QT[z0]\n-c T2QT[z0]T[z1]\n-c T3QT[z0]T[z1]T[z2]\n-c T4QT[z0]T[z1]T[z2]T[z3]\n-c T5QT[z0]T[z1]T[z2]T[z3]T[z4]\n-c T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]\n-c T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]\n-c T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]\n-c T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]\n-c TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]\n-c TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]\n-c TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]\n-c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]"
  198.        
  199.             john_temp_folder=$John_DIR"/tmpcrack"
  200.             if [ -a $john_temp_folder ]
  201.             then
  202.                 echo -e $Conftowrite > tmpcrack/john.conf
  203.                 touch tmpcrack/john.dict
  204.                 touch tmpcrack/john.session
  205.             else
  206.                 mkdir $john_temp_folder
  207.                 echo -e $Conftowrite >> tmpcrack/john.conf
  208.                 touch tmpcrack/john.dict
  209.                 touch tmpcrack/john.session
  210.             fi
  211.  
  212.             #Commands to execute for cracking with john
  213.             LMCrackerComm="./john -format:netlm -config:tmpcrack/john.conf -external:HalfLM -incremental:LM -session:tmpcrack/john.session $file_loc"
  214.             LMShowComm="./john -format:netlm -show $file_loc"
  215.             NTLMCrackerComm="./john -format:netntlm -config:tmpcrack/john.conf -wordlist:tmpcrack/john.dict --rules -user:$username_to_crack -session:tmpcrack/john.session $file_loc"
  216.  
  217.             #Crack the LM
  218.             LMCracker=`$LMCrackerComm`
  219.             #Get the LM from the -show command
  220.             LMShow=`$LMShowComm`
  221.             seed2=$(echo $LMShow | cut -f2 -d:)
  222.             echo $seed2 >> tmpcrack/john.dict
  223.  
  224.             #Crack the NTLM
  225.             NTLMCracker=`$NTLMCrackerComm > /dev/null`
  226.  
  227.             #Clean up temp files
  228.             `rm -rf tmpcrack`
  229.  
  230.             #Run john a third time to output the case-sensitive password for easier parsing
  231.             John_command3="./john -format:netntlm -show "$file_loc
  232.             ntlm_return=`$John_command3`
  233.             final_username=$(echo $ntlm_return | cut -f1 -d:)
  234.             final_pass=$(echo $ntlm_return | cut -f2 -d:)
  235.             if [ "$final_username" == "$username" ]
  236.             then
  237.                 echo -e $final_pass"     ("$username")" >> $file_to_write
  238.                 echo -e "\nSuccessfully cracked "$username_to_crack" - Password is "$final_pass"\n"
  239.             elif [ "$final_username" = "$username_to_crack" ]
  240.             then
  241.                 echo -e $final_pass"     ("$username_to_crack")" >> $file_to_write
  242.                 echo -e "\nSuccessfully cracked "$username_to_crack" - Password is "$final_pass"\n"
  243.             fi
  244.         #If the halflm is not found in the rainbow tables
  245.         else
  246.             echo -e "The hash for "$username_to_crack" was not found in the rainbow tables."
  247.             echo -e "The hash for "$username_to_crack" was not found in the rainbow tables." >> $file_to_write
  248.             Del_Half="false"
  249.            
  250.         fi
  251.        
  252.         #Clean up temp files
  253.         cd $home_DIR
  254.         if [ $Del_Half == "true" ]
  255.         then
  256.             `rm halfhash.txt`
  257.         fi
  258.         `rm current.txt`
  259.     fi
  260.  
  261.  
  262. #This is the input file for the while loop above
  263. done < $input_file
Add Comment
Please, Sign In to add comment