Distributing Hashcat tasks to Multiple Computers

Probability, Hashcat is the fastest password cracking tool. It is an open source and comes for Linux, Windows and Mac OS platforms. Hashcat supports various hashing algorithms including LM Hashes, WPA2 and etc.

It’s easier to understand if you are already familiar with Linux, Hashcat, and Windows NTLMv2 hash function. You may read about in my previous posts [1][2]. Commands can be copy-paste in a terminal window. Need to change just an IP address.

Server Prerequisites [3]

sudo apt update
sudo DEBIAN_FRONTEND=noninteractive apt upgrade -yq
sudo apt install -y php-gd php-pear lamp-server^

Server Installation

git clone https://github.com/s3inlc/hashtopolis.git
sudo mkdir /var/www/hashtopolis
sudo cp -r hashtopolis/src/* /var/www/hashtopolis
sudo chown -R www-data:www-data /var/www/hashtopolis

Credentials below, also will be used for in a Web App installation.

sudo mysql -uroot -e "create database hashtopolis;"
sudo mysql -uroot -e "GRANT ALL ON hashtopolis.* TO 'hashtopolis'@'localhost' identified by 'securePassword';"
sudo mysql -uroot -e "flush privileges;"

I created a virtual host file with Web App configurations below:

sudo nano /etc/apache2/sites-available/hashtopolis.lt.conf

Server name could be different.

<VirtualHost *:80>
ServerName hashtopolis.lt
DocumentRoot /var/www/hashtopolis
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Disable default and enable hashtopolis Web App. Apache service needs to reload.

sudo sudo a2dissite 000-default
sudo a2ensite hashtopolis.lt
sudo systemctl reload apache2

Hashtopolis Installation

On a favorite browser, I entered domain address of my Linux machine. I see welcome and the installation page. In a step below I gave my database credentials.

Setup an administrator account.

Great. What’s next! :)

Agent configuration: on A website go to “Agent > New Agent” and create a new voucher.

On another machine

sudo nano /etc/hosts

updated my host file an IP of server machine.  hashtopolis.lt

Then installed Agent Prerequisites [4]

sudo apt update
sudo DEBIAN_FRONTEND=noninteractive apt upgrade -yq
sudo apt install -y python3-pip zippip3 install requests psutil

Downloaded agent file

curl http://hashtopolis.lt/agents.php?download=1 -so agent.zippython3 agent.zip

in my case URL and Voucher there is:

URL http://hashtopolis.lt/api/server.phpVoucher A11QA26Q

You have to paste your server URL and voucher. It’s for the first time, next time only needs to use the command below.

python3 agent.zip

Okay, let’s create single tasks for this demonstration.

First need to define a hashlist in a menu

“List > new hashlist”

I am using the same NTLMv2 hash from my previous post [2].

then add tasks “tasks > new task”

please note: “-a 3” defines a brute force method and “?d?d?d?d?d?d?d?d” password mask is of eight digits.

assign to the agent machine

Task was completed in a few.

on task details we see cracked 1 and if we press we get results of a current NTLM hash.

My password is 12345678

Cleanup and security enhancements

On a server machine we can modify agent code:

sudo apt install -y python3-pip zipgit clone https://github.com/s3inlc/hashtopolis-agent-python
cd hashtopolis-agent-python/
pip3 install -r requirements.txt

Edit the and build an agent

bash build.shsudo cp hashtopolis.zip /var/www/hashtopolis/bin

If the server couldn’t handle a lot of connections might need to increase it via Apache config file.

sudo nano /etc/apache2/apache2.conf

# change values accordingly

KeepAliveTimeout 10
MaxKeepAliveRequests 1000
AllowOverride All

To take effect needs to reload web server settings

sudo systemctl reload apache2

Remove an installation directory.

sudo rm -r /var/www/hashtopolis/install

Consider changing the passwords of the Database and WebApp.

I set some policies and changed in my MySQL database.

sudo mysql_secure_installation

Adding agents in to pool can be automated.

About project information in URL [5].

Photo by Caspar Camille Rubin on Unsplash


#1 https://medium.com/@tomas_savenas/all-great-things-start-from-installing-ubuntu-9500873fec82
#2 https://medium.com/@tomas_savenas/testing-my-local-network-security-with-responder-caa1af10d2ca
#3 https://github.com/s3inlc/hashtopolis/wiki/Server-Prerequisites
#4 https://github.com/s3inlc/hashtopolis-agent-python
#5 https://hashtopolis.org

Kibernetinio saugumo entuziastas; Aktyviausias Lietuvis TryHackMe platformoje; Inovacijų valdymo ir Antreprenerystės Magistrantas @ KTU