It was created to fill a unique need to answer the question of how long it might take to crack passwords with certain wordlists and rule sets. With this information, you can suggest how a password policy might be improved and how to educate users on creating better passwords. The script will attempt to re-crack passwords using a wordlist and ruleset. When the script finishes, a .csv file will be created with information gathered during the password-cracking process with hashcat.
- Hashcat installed and in your PATH
- Python3
- Install requirements.txt
- You will likely be using this for NTLM hashes. They must be in the JTR format of:
user1:1234:aad3b435b51404eeaad3b435b51404ee:b4b9b02e6f09a9bd760f388b67351e2b:::
-s: single pass without attempt to crack over and over with each wordlist and ruleset
-m: The password hash type (ntlm: 1000)
-d: Directory where the the hashes are
-p: Pot file to store cracked password. Will be placed in the hashes directory you created. Note: Just the beginning of the file name, exclude `.pot`
-f: Name of the hashes file.
python3 crackmeup.py -s -m 1000 -d /opt/tools/hashcat-files/hashes/2023PWAudit -f 20231028-ad-int-hashes.txt -p ad_name-ntlmWhile cracking passwords, multiple files will be created, such as:
.logfiles for keeping track of hashcat sessions.potfiles for cracked passwords for each wordlist and ruleset used.csvfile that will output a complete analysis of cracked passwords based upon each wordlist and ruleset used
You must run the example command above in a screen session if you are working over SSH to your password-cracking rig. You will also need to let the password cracking run its course because there is only a recovery or option to analyze passwords after first working through cracking.