Gladius - Easy mode from Responder to Credentials


Gladius provides an automated method for cracking credentials from various sources during an engagement. We currently crack hashes from Responder, secretsdump.py, and smart_hashdump.

Install
pip install watchdog
git clone https://www.github.com/praetorian-inc/gladius
cd gladius
git clone https://www.github.com/praetorian-inc/Hob0Rules
cp Hob0Rules/* .
rm -rf Hob0Rules/

Start
python gladius.py
Now start the responder session as normal
cd /usr/share/responder
python Responder.py -i YOUR_IP -I YOUR_INTERFACE

Working with secretsdump
Send results of secretsdump to Gladius for parsing and cracking.
for ip in $(cat ips); do secretsdump.py DOMAIN/username:password@$ip > /usr/share/responder/secretsdump_$ip; done

Help
$ python gladius.py -h
usage: gladius.py [-h] [-v] [--responder-dir RESPONDER_DIR]
[--hashcat HASHCAT] [-r RULESET] [-w WORDLIST] [--no-art]

optional arguments:
-h, --help show this help message and exit
-v, --verbose Increased output verbosity
--responder-dir RESPONDER_DIR
Directory to watch for Responder output
--hashcat HASHCAT Path to hashcat binary
-r RULESET, --ruleset RULESET
Ruleset to use with hashcat
-w WORDLIST, --wordlist WORDLIST
Wordlist to use with hashcat
--no-art Disable the sword ascii art for displaying credentials
and default to only text.

Workings

Ruleset
The default ruleset is a better best64 ruleset from Julian Dunning ( @hob0man ) of Praetorian. His presentation on the topic can be found below:



Responder
Watches responder log for *NTLM*txt files. For each file found, parses output, creates a temp file containing the new hashes, and passes this to hashcat with the correct hash type
To watch for NTLM hashes from hashdump, simply create a file with NTLM hashes from hashdump and drop a file with `hashdump` in its name in the Responder directory.
Note: Will have to manually examine output in `./engagement/responderhander_out/*` to check for results from `hashdump` cracking.

Credentials
Watches for output from hashcat and exports files with the following format:
Domain Username Password

Example module
To extend Gladius:
  • Create a new Handler class that inherits from GladiusHandler .
  • Add a list of regex matches for your specific file names (or '*' if the filename doesn't matter)
  • Create a process(self, event) function to perform actions on all files matching your pattern.
class YourHandler(GladiusHandler):

patterns = ['*']

def process(self, event):
data = self.get_lines(event)

# Perform work on data
Add yourself to the handlers list
handlers = [
(ResponderHandler, args.responder,
(CredsHandler, ResponderHandler().outpath),
(YourHandler, CredsHandler().outpath),
(YourHandler, '/tmp'),
]


Disqus Comments