I expanded my first NTLM TMTO database. I moved to Python 3.4 from C# and created a p2p system. I made the system as moduler as possible so other hashes could be used, currently NTLM hashes are created.
You don't have to generate hash if you don't want to. For example, you are at a clients' site and you are doing a pen test.
The program works on Windows and should work on Linux.
The system runs in a command window, there is no GUI.
The concept of the program is to create a part of the large database. The more peers the better change to store all combinations of 23 characters. For example, if the 8 character set is 2 terabyes, using this program at the default size limit of 1 gig. It would take at least 2,000 people to store all possible combinations.
Yet, it would only take seconds to find the clear text for the hash you are looking for. It would still only take seconds to find the clear text if it was 20 characters. The reason is because everyone has a small part of the whole.
- Uses the character set: US alpha (upper and lower), numbers, most special. 84 total
- Start and stop generating hash at any time
- Generate 4 - 23 character in lengths
- Create a dictionary file after clear text files are used
- Servers run as threads
- Limit the amount of disk space used. Default is 1 gig
- Crack wpa psk hashes using the created dictionary files.
I created this program because a 2 TB rainbow table is not very portable.
How the program works is the serverconn reads a list of all of the known connection servers and announces that it is online. Then, it downloads and updates the connection server list and the peers list. The client reads the connection list and connects to the connection servers, then the connection server updates its peers list, then the client downloads the new peers list. The client then reads the bookmark to find out where it left off. The client connects to the peers one by one to see if that client has the file it is looking for. If it does, then the client checks to see how far the peer has gotten in the hash generation process and downloads that file and starts from there. Every time the client generates a block of hashes (85), it updates its bookmark and checks the peers to see how far they got.
The concept is like leap frog. If the client finds a peer that has more characters generated, it starts where they are and continues.
If there are no peers available, it connects to itself and starts generating files from what it has. Then after a block of hashes is created, it checks the peers list to see if anyone is available.
- Client A is generating all 4 character combinations.
- Client B connects to Client A, updates its peer list and starts generating all 5 character combinations.
- Client C connects to Client A, updates its peer list, finds out that Client B is generating all 5 character combinations. Client C connects to Client B and begins to generate all 6 character combinations.
Using the Code
The program uses ports 21, 50000, 50001, 50002, and 50003. After you run the servers, please make sure those ports are accessible from the internet. A good site to test is grc.com.
To generate the ntlm hashes, follow these steps:
- Download python 3.4
- Click the "Download Source" link at the top of this article
- Unzip the file
- Edit the config.ini file
- Change the IP address to the local IP that has an internet connection
- Double click on start.py
To search for a NTLM hash, follow these steps:
- Edit the batchntlmhash file
- Use the following format
- Double click on searchNTLMHash
- Your results will be in the batchNTLMHashResults file.
- The result file will have the output username, hash, clear text
To search for a WPA hash, follow these steps:
- Edit the batchwpahash file
- Use the following format
- Double click on searchWAPHash
- Your results will be in the batchWPAHashResults file.
- The result file will have the output SSID, hash, clear text
Points of Interest
I added a new ntlm generating file for those who do not run the program 24/7. genNTLMFilesClassNoSizeCheck.py does not have the size check so it run 500% faster.
All you need to do is rename genNTLMFilesClass.py to genNTLMFilesClassSizeCheck.py then rename genNTLMFilesClassNoSizeCheck.py to genNTLMFilesClass.py.
To give you an idea of how much of an increase 20 minutes of using genNTLMFilesClassNoSizeCheck.py generated the same amount of hashes as the check size version took over 8 hours.
In order to increase search time, I had to break the dictionary and hash files into 10 meg files.
The hash server indexes each hash file and if the hash is in one of the files, it only searches that file for the clear text.
Now using processes to generate hashes. Too many processes will cause duplicate entries. Four processes max. I learned that two processes are just as fast as four processes.
Now indexing hashes, now searching for one hash takes less than 5 seconds even if there are thousands of hash files.
Now, there is one file that will run all of the servers and the client. Just run start.py.
If you have any fixes or updates, please post them here so I can update the main program.
- Fixed dictionary creation bug.
- Created index search for dictionary files for WPA hashes.
- Updated FTP module, now has authentication and is a python script. (Only have to change the IP address in one location)
- Made many changes to increase speed. Created an index for the hashes to increase the speed of searching. Implemented the use of threads and processes. Used processes to generate hashes which increases generation. Also, I created start.py which starts the servers and the client.
- Fixed case-sensitive error (Line 41)
- Broke up hash and dictionary files to increase search speed. Size is controlled by config.ini file.
- Set start of character generation to 4 from 1. Starting point is controled by config.ini file.
- Created a header row for generated files because searching skips first row.
- Created log files for troubleshooting.
- Commented out the update storage usage
- For a complete list of changes, please check the change log.