{"id":20814643,"url":"https://github.com/eth0izzle/cracke-dit","last_synced_at":"2025-04-07T10:19:37.458Z","repository":{"id":27798069,"uuid":"115835786","full_name":"eth0izzle/cracke-dit","owner":"eth0izzle","description":"cracke-dit (\"Cracked It\") makes it easier to perform regular password audits against Active Directory environments.","archived":false,"fork":false,"pushed_at":"2025-02-28T15:45:57.000Z","size":18259,"stargazers_count":113,"open_issues_count":7,"forks_count":37,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-31T09:41:24.504Z","etag":null,"topics":["active-directory","hashcat","ntds","password-cracking","passwords"],"latest_commit_sha":null,"homepage":"https://www.darkport.co.uk","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eth0izzle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-31T01:39:27.000Z","updated_at":"2025-02-28T15:45:59.000Z","dependencies_parsed_at":"2022-07-26T10:02:09.666Z","dependency_job_id":null,"html_url":"https://github.com/eth0izzle/cracke-dit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth0izzle%2Fcracke-dit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth0izzle%2Fcracke-dit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth0izzle%2Fcracke-dit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth0izzle%2Fcracke-dit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eth0izzle"
,"download_url":"https://codeload.github.com/eth0izzle/cracke-dit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247631834,"owners_count":20970069,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","hashcat","ntds","password-cracking","passwords"],"created_at":"2024-11-17T21:17:37.111Z","updated_at":"2025-04-07T10:19:37.445Z","avatar_url":"https://github.com/eth0izzle.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚨 cracke-dit is no longer maintained. If you need support or consultation for your password cracking endeavours, drop me an e-mail at paul@darkport.co.uk 🚨\n\n# cracke-dit\n**cracke-dit** *(\"Cracked It\")* **makes it easier to perform regular password audits against Active Directory environments.**\n\nEnsuring your users have strong passwords throughout the organisation is still your best line of defence against common attacks. Many organisations overestimate just how secure their users' passwords are. \"London123\", \"Winter2017\", \"Passw0rd\" - all complex passwords, according to the default Group Policy rules, and probably according to your users.\n\nBy performing regular audits, you can identify users with weak passwords and take action in line with your policies and procedures.\n\n## Installation\n\nPython 2.7+ and pip are required. Then just:\n\n1. `git clone https://github.com/eth0izzle/cracke-dit.git`\n2. 
*(optional)* Create a virtualenv with `pip install virtualenv \u0026\u0026 virtualenv .virtualenv \u0026\u0026 source .virtualenv/bin/activate`\n3. `pip install -r requirements.txt`\n4. `python cracke-dit.py --help` (and see [Usage](#usage))\n\n## Usage\n### Step 1. Extracting the database\nThe first step in your password cracking adventure is to extract a copy of the Active Directory database, ntds.dit, which contains the password hashes. Depending on your persuasion you have a few options - choose one:\n\n#### a. Remote extraction *(recommended)*\nIf you are on the same network as a domain controller you can extract the hashes directly.\n1. `python cracke-dit.py --username administrator --password passw0rd --target 192.168.1.1` (where 192.168.1.1 is a DC).\n2. Move on to Step 3.\n\n#### b. Local extraction *(yourself, or nicely ask a Sys Admin)*\n1. On a Domain Controller open up an elevated command prompt.\n2. Run `ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\temp\" q q`.\n3. **Securely** transfer `c:\\temp\\Active Directory\\ntds.dit` and `c:\\temp\\registry\\SYSTEM` to the system running cracke-dit.\n4. Move on to Step 2.\n\n### Step 2. Extracting the hashes\n\n*(not required if you followed Step 1a and remotely extracted with cracke-dit)*\n\nAll password hashes are protected with 3 layers of encryption. Thankfully everything we need to decrypt them is within the SYSTEM hive. The next step is to extract the hashes and usernames into a separate file for cracking:\n\n1. Run `python cracke-dit.py --system SYSTEM --ntds ntds.dit` (optionally with the `--no-history` flag if you don't care about historic passwords)\n2. Once complete, your username:hash file will be at `\u003cdomain\u003e.hashes.ntlm` - delicious.\n\n### Step 3. Cracking the hashes\ncracke-dit doesn't actually *crack* passwords; you will need to use your favourite password cracker for that. cracke-dit just needs a `.pot` file (hash:password) for processing. I'm partial to hashcat so:\n\n1. 
`hashcat -m 1000 --potfile-path \u003cdomain\u003e.pot --username \u003cdomain\u003e.hashes.ntlm /usr/share/Wordlists/rockyou.txt` which will be pretty quick.\n2. I'd recommend a second pass with [Hob0Rules](https://github.com/praetorian-inc/Hob0Rules): `hashcat -m 1000 --potfile-path \u003cdomain\u003e.pot --username \u003cdomain\u003e.hashes.ntlm /usr/share/Wordlists/rockyou.txt -r hob064.rule`\n\n### Step 4. Processing the passwords\nNow we have cracked a bunch of hashes, let's load them into cracke-dit!\n\n1. `python cracke-dit.py --pot \u003cdomain\u003e.pot --domain \u003cdomain\u003e` (where domain is the FQDN, e.g. acme.local). Optionally pass in `--only-users` or `--only-enabled` - hopefully they are self-explanatory.\n\nUsing the ntds.dit and SYSTEM in `./samples` we get the following output:\n\n![Demo](samples/demo.gif)\n\n### Step 5. Interpreting results\n\n* Users highlighted in **green** are enabled, **red** are disabled, and **gray** is an historic password.\n\n* Password scores are based on [Dropbox's zxcvbn](https://github.com/dropbox/zxcvbn):\n\n    | Score         | Description           | Guesses  |\n    |------:|:----------------------| :-----|\n    | 0     | **Too guessable**: risky password. | \u003c 10^3 |\n    | 1     | **Very guessable**: protection from throttled online attacks. | \u003c 10^6 |\n    | 2     | **Somewhat guessable**: protection from unthrottled online attacks. | \u003c 10^8 |\n    | 3     | **Safely unguessable**: moderate protection from offline slow-hash scenario. | \u003c 10^10 |\n    | 4     | **Very unguessable**: strong protection from offline slow-hash scenario. | \u003e= 10^10 |\n\n* By default passwords are checked against [Have I Been Pwned](https://haveibeenpwned.com/API/v2) to see if they appear in breach lists. 
**Passwords are never transmitted as we use the k-Anonymity model.**\n\n## Output modules\n\nResults can be processed by different output modules via the `--output` argument.\n\n### Console (`stdout`)\nThe default output module, shown in the demo above. Shows interesting stats, the top 10 passwords by reuse, the top 5 worst passwords and whether any passwords use month or day names.\n\n### E-mail (`email`)\nE-mails the top 25 passwords (by reuse).\n\n### Password Cloud (`password_cloud`)\nSpits out a word cloud of all passwords, coloured by password score.\n\n![Demo](samples/password_cloud.png)\n\n## Tips for organisations\n\n1. Introduce internal training on what a secure password is and why passwords are important, and embed it into your induction programme.\n\n2. Consider rolling out a password manager and adequate training for all of your users. Stronger, longer and more unique passwords are better for everyone.\n\n3. Gradually increase your password minimum length requirement to 12 characters. Generally, longer passwords are more secure.\n\n4. Phase out forcing your users to \"reset password every X days\". There is research to suggest that this doesn't help create strong passwords, but in fact has the opposite effect. Don't forget the [actual cost of this](https://www.sans.org/security-awareness-training/blog/why-90-day-rule-password-changing).\n\n5. Carry out a password audit quarterly. You can very easily cron the steps above and run with the `email` output to have automated password cracking.\n\n6. Do not name and shame people with poor password hygiene - educate them! Get HR buy-in and introduce a \"3 strike system\" that will carry a formal warning.\n\n## Contributing\n\nCheck out the [issue tracker](https://github.com/eth0izzle/cracke-dit/issues) and see what takes your fancy.\n\n1. Fork it, baby!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. 
Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request.\n\n## License\n\ncracke-dit is under MIT. See [LICENSE](LICENSE).\nImpacket is under a slightly modified version of the Apache Software License. See [LICENSE](impacket/LICENSE).\n\n## Credits\n\nHuge thanks to [CoreSecurity's Impacket](https://github.com/CoreSecurity/impacket)!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth0izzle%2Fcracke-dit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feth0izzle%2Fcracke-dit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth0izzle%2Fcracke-dit/lists"}