Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

README.md

Gladius

Easy mode from Responder to Credentials

Author: Cory Duplantis (@ctfhacker) / blog

Blog post on Gladius

asciicast

Gladius provides an automated method for cracking credentials from various sources during an engagement. We currently crack hashes from Responder, secretsdump.py, and smart_hashdump.

Install

pip install watchdog
git clone https://www.github.com/praetorian-inc/gladius
cd gladius
git clone https://www.github.com/praetorian-inc/Hob0Rules
cp Hob0Rules/* .
rm -rf Hob0Rules/

Start

python gladius.py --hashcat ../hashcat/hashcat-cli64.bin -r d3adhob0.rule -w rockyou.txt

Now start the responder session as normal

cd /usr/share/responder
python Responder.py -i YOUR_IP -I YOUR_INTERFACE

Working with secretsdump

Send results of secretsdump to Gladius for parsing and cracking.

for ip in $(cat ips); do secretsdump.py DOMAIN/username:password@$ip > /usr/share/responder/secretsdump_$ip; done

Help

$ python gladius.py -h
usage: gladius.py [-h] [-v] [--responder-dir RESPONDER_DIR]
                  [--hashcat HASHCAT] [-r RULESET] [-w WORDLIST] [--no-art]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Increased output verbosity
  --responder-dir RESPONDER_DIR
                        Directory to watch for Responder output
  --hashcat HASHCAT     Path to hashcat binary
  -r RULESET, --ruleset RULESET
                        Ruleset to use with hashcat
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist to use with hashcat
  --no-art              Disable the sword ascii art for displaying credentials
                        and default to only text.

Workings

Ruleset

The default ruleset is a better best64 ruleset from Julian Dunning (@hob0man) of Praetorian. His presentation on the topic can be found below:

Picture to Youtube

Responder

Watches responder log for *NTLM*txt files. For each file found, parses output, creates a temp file containing the new hashes, and passes this to hashcat with the correct hash type

To watch for NTLM hashes from hashdump, simply create a file with NTLM hashes from hashdump and drop a file with `hashdump` in its name in the Responder directory.
Note: Will have to manually examine output in `./engagement/responderhander_out/*` to check for results from `hashdump` cracking.

Credentials

Watches for output from hashcat and exports files with the following format:

Domain Username Password

Example module

To extend Gladius:

  • Create a new Handler class that inherits from GladiusHandler.
  • Add a list of regex matches for your specific file names (or '*' if the filename doesn't matter)
  • Create a process(self, event) function to perform actions on all files matching your pattern.
class YourHandler(GladiusHandler):

    patterns = ['*']

    def process(self, event):
        data = self.get_lines(event)

        # Perform work on data

Add yourself to the handlers list

handlers = [
            (ResponderHandler, args.responder,
            (CredsHandler, ResponderHandler().outpath),
            (YourHandler, CredsHandler().outpath),
            (YourHandler, '/tmp'),
           ]

About

Automated Responder/secretsdump.py cracking

Resources

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.