
Distributed TMTO Hash Database

5 Sep 2016, CPOL, 5 min read
Create a distributed P2P TMTO Hash database

Introduction

I expanded my first NTLM TMTO database. I moved from C# to Python 3.4 and created a P2P system. I made the system as modular as possible so that other hash types could be used; currently NTLM hashes are created.

You don't have to generate hashes if you don't want to, for example when you are at a client's site doing a pen test.

The program works on Windows and should work on Linux.

The system runs in a command window, there is no GUI.

The concept of the program is that each participant creates one part of a large database. The more peers there are, the better the chance of storing all combinations up to 23 characters. For example, if the 8-character set is 2 terabytes, and this program is used at its default size limit of 1 GB, it would take at least 2,000 people to store all possible combinations.

Yet it would only take seconds to find the clear text for the hash you are looking for, and it would still only take seconds if the clear text were 20 characters long. The reason is that everyone holds a small part of the whole.

Features

  • Uses the character set: US alpha (upper and lower), numbers, most special characters. 84 total
  • Start and stop generating hashes at any time
  • Generate clear texts from 1 to 22 characters in length
  • Create a dictionary file after the clear text files are used
  • Servers run as threads
  • Limit the amount of disk space used. Default is 1 GB
  • Crack WPA PSK hashes using the created dictionary files.

Background

I created this program because a 2 TB rainbow table is not very portable.

How the program works: serverconn reads a list of all known connection servers and announces that it is online. Then it downloads and updates the connection server list and the peers list. The client reads the connection list and connects to the connection servers; each connection server updates its peers list, and the client then downloads the new peers list. The client then reads its bookmark to find out where it left off. The client connects to the peers one by one to see whether that peer has the file it is looking for. If it does, the client checks how far the peer has gotten in the hash generation process, downloads that file and starts from there. Every time the client generates a block of hashes (85), it updates its bookmark and checks the peers to see how far they have gotten.

The concept is like leap frog. If the client finds a peer that has more characters generated, it starts where they are and continues.

If there are no peers available, it connects to itself and starts generating files from what it has. Then after a block of hashes is created, it checks the peers list to see if anyone is available.

Example:

  • Client A is generating all 4 character combinations.
  • Client B connects to Client A, updates its peer list and starts generating all 5 character combinations.
  • Client C connects to Client A, updates its peer list, finds out that Client B is generating all 5 character combinations. Client C connects to Client B and begins to generate all 6 character combinations.

Using the Code

The program uses ports 50000, 50001, 50002, and 50003. After you run the servers, please make sure those ports are accessible from the internet. A good site to test is grc.com.

To generate the NTLM hashes, follow these steps:

  1. Download Python 3.4
  2. Click the "Download Source" link at the top of this article
  3. Unzip the file
  4. Edit the config.ini file
  5. Change the IP address to the local IP that has an internet connection
  6. Double click on start.py

To search for an NTLM hash, follow these steps:

  1. Edit the batchntlmhash file
  2. Use the following format
    1. username,hash
  3. Double click on searchNTLMHash
  4. Your results will be in the batchNTLMHashResults file.
    1. The result file will have the output username, hash, clear text

To search for a WPA hash, follow these steps:

  1. Edit the batchwpahash file
  2. Use the following format
    1. SSID,hash
  3. Double click on searchWAPHash
  4. Your results will be in the batchWPAHashResults file.
    1. The result file will have the output SSID, hash, clear text

Points of Interest

I added a new NTLM generating file for those who do not run the program 24/7. genNTLMFilesClassNoSizeCheck.py does not have the size check, so it runs 500% faster.

All you need to do is rename genNTLMFilesClass.py to genNTLMFilesClassSizeCheck.py then rename genNTLMFilesClassNoSizeCheck.py to genNTLMFilesClass.py.

To give you an idea of the increase: 20 minutes of using genNTLMFilesClassNoSizeCheck.py generated the same number of hashes as the size-check version produced in over 8 hours.

To speed up searching, I had to break the dictionary and hash files into 10 MB files.

The hash server indexes each hash file and if the hash is in one of the files, it only searches that file for the clear text.

With the hashes indexed, searching for one hash takes less than 5 seconds even if there are thousands of hash files.
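As an added illustration of the index-then-scan lookup described above (this is not the article's code), the following builds a prefix index over small constructed shards standing in for the 10 MB hash files, then answers a batch of username,hash lines by scanning only the shard the index points at. SHA-256 over UTF-16LE is used as a stand-in for NTLM's MD4, which hashlib builds often disable; the lookup works only because NTLM is unsalted, so every holder of the same password has the same hash.

```python
import hashlib
from collections import defaultdict

SHARD_ENTRIES = 4  # constructed tiny shard size, standing in for the article's 10 MB files
PREFIX_LEN = 2     # index on the first two hex characters of each hash


def stand_in_hash(cleartext):
    """Stand-in for the NTLM hash (MD4 over UTF-16LE); SHA-256 truncated to 32 hex chars."""
    return hashlib.sha256(cleartext.encode("utf-16-le")).hexdigest()[:32]


def build_shards(cleartexts):
    """Split (hash, cleartext) rows into fixed-size shards in generation order, like the hash files."""
    rows = [(stand_in_hash(c), c) for c in cleartexts]
    return [rows[i:i + SHARD_ENTRIES] for i in range(0, len(rows), SHARD_ENTRIES)]


def build_index(shards):
    """Map each hash prefix to the shard numbers containing it; built once when the server starts."""
    index = defaultdict(set)
    for n, shard in enumerate(shards):
        for h, _ in shard:
            index[h[:PREFIX_LEN]].add(n)
    return index


def lookup(target, shards, index):
    """Return (cleartext, shard number) for target, scanning only the shards the index names."""
    for n in sorted(index.get(target[:PREFIX_LEN], ())):
        for h, clear in shards[n]:
            if h == target:
                return clear, n
    return None, None  # prefix unknown or hash not present: no shard is scanned needlessly


def batch_search(lines, shards, index):
    """Turn 'username,hash' lines into 'username,hash,cleartext' lines, as the batch files do."""
    results = []
    for line in lines:
        user, h = line.strip().split(",")
        clear, _ = lookup(h.lower(), shards, index)
        results.append(f"{user},{h},{clear if clear is not None else ''}")
    return results


if __name__ == "__main__":
    words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel", "india"]
    shards = build_shards(words)
    print(batch_search([f"alice,{stand_in_hash('delta')}", "bob," + "f" * 32], shards, build_index(shards)))
```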

Created the check size limit as a separate process that checks the size every minute. It is disabled by default because after a few days the system would spend more time checking the size than generating hashes. To enable the feature, edit the client.py file and remove the # in front of the line "executor.submit(check)" at the bottom of the file.

Now, there is one file that will run all of the servers and the client. Just run start.py or startLinux.py.

To upgrade, create a new folder location and copy your current work into the new folder.

NOTE: startLinux.py needs to be run with elevated privileges: sudo python3 startLinux.py

History

If you have any fixes or updates, please post them here so I can update the main program.

Thank you.

  • 2.00.00
    • Hundreds of bug fixes.
    • Replaced ftp transport with native Python transport for increased reliability.
    • Created the check size limit as a separate process for checking the size every minute.
    • NOT compatible with any 1.0 version.
  • 1.04.00
    • Fixed the duplicate IP addresses in the peer.txt and connect.txt files.
    • Fixed Linux version, will now generate hashes. NOTE: startLinux.py needs to be run with elevated privileges: sudo python3 startLinux.py
  • For a complete list of changes, please check the change log.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)