Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
46 lines
2.4 KiB
YAML
46 lines
2.4 KiB
YAML
attack_technique: T1110.002
|
|
display_name: 'Brute Force: Password Cracking'
|
|
atomic_tests:
|
|
- name: Password Cracking with Hashcat
|
|
auto_generated_guid: 6d27df5d-69d4-4c91-bc33-5983ffe91692
|
|
description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
hashcat_exe:
|
|
description: Path to Hashcat executable
|
|
type: string
|
|
default: 'PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe'
|
|
input_file_sam:
|
|
description: Path to SAM file
|
|
type: string
|
|
default: PathToAtomicsFolder\T1110.002\src\sam.txt
|
|
input_file_passwords:
|
|
description: Path to password list
|
|
type: string
|
|
default: PathToAtomicsFolder\T1110.002\src\password.lst
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: Hashcat must exist on disk at specified location (#{hashcat_exe})
|
|
prereq_command: |
|
|
if (Test-Path $(cmd /c echo "#{hashcat_exe}")) {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://www.7-zip.org/a/7z1900.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe"
|
|
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe" -ArgumentList "/S /D=PathToAtomicsFolder\..\ExternalPayloads\7zi" -NoNewWindow
|
|
Invoke-WebRequest "https://hashcat.net/files/hashcat-6.1.1.7z" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z"
|
|
Start-Process cmd.exe -Args "/c %temp%\7z\7z.exe x %temp%\hashcat6.7z -aoa -o%temp%\hashcat-unzip" -Wait
|
|
New-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null
|
|
Move-Item "PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip\hashcat-6.1.1\*" $(cmd /c echo #{hashcat_exe}\..) -Force -ErrorAction Ignore
|
|
executor:
|
|
command: |-
|
|
cd #{hashcat_exe}\..
|
|
#{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}
|
|
cleanup_command: |-
|
|
del "PathToAtomicsFolder\..\ExternalPayloads\hashcat6.7z" >nul 2>&1
|
|
del "PathToAtomicsFolder\..\ExternalPayloads\7z1900.exe" >nul 2>&1
|
|
del "PathToAtomicsFolder\..\ExternalPayloads\7z" /Q /S >nul 2>&1
|
|
del "PathToAtomicsFolder\..\ExternalPayloads\hashcat-unzip" /Q /S >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|