hashview / hashview-old Goto Github PK

View Code? Open in Web Editor NEW

620.0 620.0 134.0 4.28 MB

A web front-end for password cracking and analytics

Home Page: http://www.hashview.io

License: GNU General Public License v3.0

Ruby 17.48% JavaScript 4.58% CSS 65.64% Shell 0.01% Haml 12.30%

analytics distributed hashcat hashes password-cracking passwords penetration-testing pentesting security-tools

hashview-old's Introduction

Hashview v0.8.1

Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. It is broken into two compoents, the Hashview Server, and Hashview Agent. The Hashview Server is a web application that manages one or more agents, deployed by you on dedicated hardware. (note you can run the server and agent on the same machine). Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.

Note: If you are running version v0.8.0 and want to upgrade. All you need to do is git pull on main and start hashview.py, this should automatically upgrade your instance to the latest version.

Server Requirements

Python 3.7+
Mysql DB installed with known username/password
Access to a SMTP email service (used for password resets and notifications)

Agent Requirements

Python 3.7+
Hashcat 6.2.x+

Installation

Follow these instructions to install Hashview Server on Ubuntu 20.04.3 LTS server. In theory Hashview should be able to run on any *nix system, but the dev's only installed/tested on Debian/Ubuntu.

1) Setup MySQL

sudo apt update
sudo apt install mysql-server
sudo service mysql start
sudo mysql_secure_installation

2) Configure MySQL

Log into your mysql server and create a dedicated user for hashview. Hashview can run as root, but doesnt need to. And since we practice what we preach. we should use a lower priv account for this. If you're installing hashview on a different server than the system where the mysql db is running on, adjust the account creation.

sudo mysql
CREATE USER 'hashview'@'localhost' IDENTIFIED BY 'DoNotUseThisPassword123!';
GRANT ALL PRIVILEGES ON hashview.* TO 'hashview'@'localhost';
FLUSH PRIVILEGES;
create database hashview;
exit

3) Install Hashview Server

The following are to install hashview after the mysql db has been setup.

sudo apt-get install python3 python3-pip python3-flask
git clone https://github.com/hashview/hashview
cd hashview
pip3 install -r requirements.txt
./setup.py
./hashview.py # (note you can add a --debug if you are attempting to troubleshoot an issue)

4) Log into your hashview server

Navigate to your server, default port is 8443. https://IP:8443

(note) Because hashview is installed with a self signed certificate, you will be prompted about it being invalid. You're welcome to use properly signed certs by replacing the files under hashview/hashview/control/ssl/

Once logged in, before you can start cracking hashes, you need to install a Hashview-Agent.

Installing Hashview-Agent

After you've installed hashview you will need to install a hashview-agent. The agent can run on the same system as hashview, but doesn't have to.

1) Log into hashview as an Administrator

2) Navigate to Agents Menu

3) Click Download Agent to get a .tgz package of the hashview-agent

4) Move agent to the system you'd like to run it on

5) Install Agent

You will need to decompress the package and run the hashview-agent.py script. Upon initial execution it will prompt you for information about your hashview server.

tar -xzvf hashview-agent.<version>.tgz
cd install/
cp -r hashview-agent ../
cd ../hashview-agent
pip3 install -r requirements.txt
python3 ./hashview-agent.py

6) Once running, you (or another admin) will need to navigate back into Hashview->Manage->agents and approve the agent.

Developing and Contributing

Please see the Contribution Guide for how to develop and contribute. If you have any problems, please consult Issues page first. If you don't see a related issue, feel free to add one and we'll help.

Feature Requests

We accept Pull Requests :). But if you'd like a feature without submitting code, first check the issues section to see if someone has already requested it. If so, go ahead an upvote that request. Otherwise feel free to create your own new feature request. No promises it'll get implemented, but it cant hurt to ask.

Authors

Using Docker

A basic docker setup for development is provided. It is not meant to be production-ready. Use at your own risk.

1) Create a `./hashview/config.conf`file, customizing it as needed. Note the hostname should changed to `db` so that the app container can find the right host

2) Be sure to change the MYSQL_PASSWORD in `docker-compose.yml` (and match it with the value in `config.conf`).

3) Run `docker compose up`

hashview-old's People

Contributors

Stargazers

Watchers

Forkers

wflk rlugojr puppycodes techlord-rce awesome-security minkione securitywarrior nasnaq nebriv taylorwin dp4ng samyoyo caijiji songofhack kaicastledine johnnydep br3ign dinamite01 allwithfly seemirra m00zh33 caineqt h3len network23 stasonhub webvul suzzz110 billm ll2b jothatron syn-ack-zack adolfoeliazat opt9 kbahaxor rich-roth security-geeks wuyasec dshtanger libertyunix q1f3 pacejj27 nicbrink ahen0910 stevenchen0x01 p01ice deduplicate crypto-breaker tigerteamdevops aln7 grepitall cainiaoxiaobai2016 bestprojects tobey123 mfadzilramli nqis mengqhui drewhjelm stwstw121 jahawkins therindor 007scorpio ro9ueadmin 0xffffe001 thomassan fuckup1337 wolfwhoami hossamasran sgachies imjustanoob tarunyadav jayyogesh sil3ntcor3 dmaasland olgermolla fang0654 ccsplit seeiron mvalles36 und3rf10w orange-cyberdefense rubyattack3r maxpowers script-nomad securitym0nk peterg75 ronnieyego jakedunn comdet cjsatuforc noraj badbiddy benkettlewell jock312452 mike198300 lostnatives stl314159 jjensn modulexcite ckr g-unit123

hashview-old's Issues

Support for Hybrid Mode

Feature Request for Hybrid Mode Support:

-a 6 dict.file - -a6 rockyou.txt ?a?a

-a 7 dict.file - -a7 ?a?a rockyou.txt

home page "feed me nom nom" needs to be updated

currently does not detect if hashcat is running when not using cuda hashcat

Clean up Settings page

There are few settings listed like max run time, client mode, which currently do nothing. If we dont plan on having these features by release they should be removed.

Support for Mask Files

Feature request for support for mask files.

-a3 hashfile

... could be added to the control subdirectory along with the existing rules directory

-a3 runlisthashes.txt quickscan.hcmask

in jobs/list wordlist should have name displayed in model

right now the id is displayed. display name similar to how its done in tasks

Support distributed cracking

distributed support is on the roadmap, but +1 this issue if you'd like to see it expedited.

Home page Hashes Cracked shows multiple entries

If multiple job's are queued, Hashes Cracked progress bar shows multiple lines.

Downloading cracked file results in internal error

Opening analytics and going to Download Cracked File

URL: https://SERVER:4567/download?custid=2

Results in Internal Server Error

The error output is below

^[2016-10-06 16:11:16 - NoMethodError - undefined method+' for nil:NilClass:
main.rb:1114:in block (3 levels) in <main>' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/dm-core-1.2.1/lib/dm-core/collection.rb:50 8:inblock in each'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/dm-core-1.2.1/lib/dm-core/support/lazy_arr
ay.rb:411:in block in each' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/dm-core-1.2.1/lib/dm-core/support/lazy_arr ay.rb:411:ineach'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/dm-core-1.2.1/lib/dm-core/support/lazy_array.rb:411:in each' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/dm-core-1.2.1/lib/dm-core/collection.rb:505:ineach'
main.rb:1113:in block (2 levels) in <main>' main.rb:1112:inopen'
main.rb:1112:in block in <main>' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in block in compile!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in[]'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in block (3 levels) in route!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:994:inroute_eval'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in block (2 levels) in route!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1015:inblock in process_route'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in catch' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:inprocess_route'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:973:in block in route!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:ineach'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in route!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1085:inblock in dispatch!'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in block in invoke' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:incatch'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in invoke' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1082:indispatch!'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in block in call!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:inblock in invoke'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in catch' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:ininvoke'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in call!' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:895:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/session/abstract/id.rb:225:in context' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/session/abstract/id.rb:220:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/logger.rb:15:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/commonlogger.rb:33:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:219:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:212:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/head.rb:13:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/methodoverride.rb:22:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:182:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:2013:incall'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in block in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1787:insynchronize'
/home/useraccount/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in call' /home/useraccount/.rvm/gems/ruby-2.2.2/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:inservice'
/home/useraccount/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:138:in service' /home/useraccount/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:94:inrun'
/home/useraccount/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/server.rb:294:in block in start_thread' 10.110.5.12 - - [06/Oct/2016:16:11:16 -0500] "GET /download?custid=2 HTTP/1.1" 500 30 0.0403 10.110.5.12 - - [06/Oct/2016:16:11:16 CDT] "GET /download?custid=2 HTTP/1.1" 500 30 https://SERVER:4567/analytics?custid=2 -> /download?custid=2 10.110.5.12 - - [06/Oct/2016:16:11:20 -0500] "GET /analytics?custid=2 HTTP/1.1" 200 20858 0.0981 10.110.5.12 - - [06/Oct/2016:16:11:20 CDT] "GET /analytics?custid=2 HTTP/1.1" 200 20858 https://SERVER:4567/analytics?custid=5 -> /analytics?custid=2 sh: 1: nvidia-settings: not found

Add warning message on home page if hashcat settings arnt populated

Would be nice from a user standpoint to have a reminder to configure hashview settings if they're not already populated. Alternatively, we could auto-redirect the user to the settings page upon login if not currently set.

Set Idle Task

I think it would be a useful feature to select a hashlist that will be run upon idle with just raw brute force.

So everyone has had their own tasks completed, it's come to the weekend, everyone has gone home to be with family etc.

The cracking rig is sat there cold lonely and sad. This shouldn't be a thing.

It should be able to see it isn't being used and spin up on the preferred hashlist to make the most of your hardware.

Allow user to manually enter hashfile filetype and hashtype

Right now only options provided to the end user are ones detected, this should be updated to allow user to enter their own desired type to override a detected setting.

Export to text file

Would it be possible to add a export to text file a list of all the cracked users and passes?

Pressing Stop on the Jobs screen does not stop job

When you click the Stop or the queue Icon to stop a job it is not removed the from queue. Hahsview still processes the jobs.

I am currently running on the dev branch.

Hash submission breaks cracking

When I submit a hash file. Hashview reads in the file. When the new file is written out to be cracked it is written out as all lowercase. This is causing hashcat to not crack any passwords.

I duplicated the issue by taking my hashed file and manually running the exact hashcat command line parameters that hashview is running against my file and the file outputted by hashview temporarily.

Support task grouping

Is there currently any way to copy a job's tasks to a new job? If I have a standard task list made up of 10-15 different cracking operations on wordlists it'd be convenient to be able to build the job off of a template instead of having to re-add the tasks.

jobs page errors if no customers exist

add check for customers before allowing user to visit jobs/list

Task not starting - marked as queued

Hi,

With my install hashview doesn't find the correct uploaded hash file, the uploaded hash file path is in "control/hashes/hashfile_upload_job_id-10-i1kcekuz.txt" while it is expecting it to be at "control/hashes/hashfile_11_2.txt"

here is the command line printed :
/opt/hashcat-3.30/hashcat64.bin -m 0 --potfile-disable --status-timer=15 --outfile-format 3 --outfile control/outfiles/hc_cracked_11_2.txt -r control/rules/best64.rule control/hashes/hashfile_11_2.txt control/wordlists/password -w 3

Hashcat works fine when replacing "control/hashes/hashfile_11_2.txt" with "control/hashes/hashfile_upload_job_id-10-i1kcekuz.txt"

any idea why the path is wrong ?

Creating Task Sort Wordlist and Dictionary Rules

This is a feature request to sort the drop down boxes for the wordlist and the Dictionary Rules when creating a task.

Editing Tasks Redirects to 'page under construction'

This component needs to be developed.

Start a New Job should be renamed

Under Job/list and /home
Probably to Create a New Job?
Should also be moved to the left

task creation errs bc it assumes wordlists are bundled (which we are not anymore)

+252 in main.rb

Task for custom charset

I would like to use the custom charset [a-z][A-Z][0-9] with the length between 4 and 9. but the current task support mask and bruteforce without the charsets. How do I create such task?

500 error on large wordlist upload

I have several large wordlists ... the largest is almost 17 Gig in flat txt.. Useful for policies over 14 characters in corp settings and WPA cracking.

While attempting to upload... the file seems to make it successfully, but post processing fails after a few minutes. Looks like an out of memory error with Sinatra....

https://1.1.1.1:4567/wordlists/list -> /wordlists/add
2017-03-11 13:04:20 - NoMemoryError - failed to allocate memory:
/home/administrator/hashview/routes/wordlists.rb:55:in block (2 levels) in <top (required)>' /home/administrator/hashview/routes/wordlists.rb:55:in open'
/home/administrator/hashview/routes/wordlists.rb:55:in block in <top (required)>' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in block in compile!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in []'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in block (3 levels) in route!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:994:in route_eval'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in block (2 levels) in route!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1015:in block in process_route'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in catch' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in process_route'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:973:in block in route!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in each'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in route!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1085:in block in dispatch!'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in block in invoke' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in catch'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in invoke' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1082:in dispatch!'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in block in call!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in block in invoke'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in catch' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in invoke'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in call!' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:895:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/session/abstract/id.rb:225:in context' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/session/abstract/id.rb:220:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/logger.rb:15:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/commonlogger.rb:33:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:219:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:212:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/head.rb:13:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/methodoverride.rb:22:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:182:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:2013:in call'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in block in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1787:in synchronize'
/home/administrator/.rvm/gems/ruby-2.2.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in call' /home/administrator/.rvm/gems/ruby-2.2.2/gems/rack-1.6.5/lib/rack/handler/webrick.rb:88:in service'
/home/administrator/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:138:in service' /home/administrator/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:94:in run'
/home/administrator/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/server.rb:294:in `block in start_thread'
1.1.1.2 - - [11/Mar/2017:13:04:20 -0700] "POST /wordlists/upload/ HTTP/1.1" 500 30 0.3712
1.1.1.2 - - [11/Mar/2017:12:58:19 MST] "POST /wordlists/upload/ HTTP/1.1" 500 30
https://1.1.1.1:4567/wordlists/add -> /wordlists/upload/

When user submits a pwdump file with LM and NTLM hashes

Upon detecting the pwdump file, hashview should prompt the user which type of hashes it'd like to import/crack, ntlm or lm. once complete, the "hashtype" on the hashfile import can be removed.

Purge Data

When jobs are deleted, password hashes (completed/uncracked) are left in DB. This is done for historical purposes, but the option to purge all/some data should be allowed.

Masking or removing plaintext passwords

It'd be nifty to have a global or customer option to mask passwords ( P@ssw0rd -> usllldll) instead of printing plain text, or storing in plain text within the DB. Another option could be to just remove any masking and the password all together and just mark a user as cracked - potentially storing the plaintext in a separate table for analytics depending on paranoia levels.

This could be useful for corporate implementations where it may not be desirable to associate the cracked password with the user. Any idea if this would be feasible (& easily implemented) or desired? I'm going to poke around and see what I can hack together, but I'm not much of a ruby dev.

Email Settings

When using Hashview in AWS and via SES, you need to provide a FROM address, as the SMTP username is not the same as the domains added to SES.

Can we have an option to define the FROM address ?

Thanks :)

Data purges can include jobs which have yet to be deleted

A user can select and purge data from a DB before a job has been run.
Data purge should also remove Jobs and JobTasks entries

prevent user from removing a wordlist that is in use

Auto check uploads for previously cracked hashes

Upon upload, a job should be run to check to see if a cracked instance of a hash exists.

Brute force timeout

Look this will be the last one today ... I promise ....

So brute force attacks, they run for the global timeout set within hashview. Can we have a way to set timeouts from within the task menu, so we can create a quick brute force task that only runs for an hour at max, one that runs 6 hours etc then the max being the global timeout.

I've found running a quick brute force and then cancelling the job after 30 min has yielded enough results for what I needed at the time.

Move "Job Stats button" to point to Analytics page

Currently under Jobs / list, each completed job has a button which, when clicked, generates a file for the end user to download a text file with raw stats. With the new analytics page, this button should redirect the user to the corresponding page.

Domain Controller Dump Parser

HashView should parse the hash file before reading it with hashcat to parse out usernames. Using common tools (ntdsextract) to dump password hashes from a Domain Controller gives us

USERNAME:NT HASH

should be able to parse these to put into the database before cracking them with hashcat. This makes the process of attributing the username to the password easier.

Analytics: Top 10 should be changed to top X

Clients have asked that instead of showing a graph where multiple entries (passwords) have a count of one, that we limit the table to only show password counts where the value 2 or greater. This would result in table of "top password" instead of top 10 passwords.

--opencl-device-types

'feature request'

Consider modifying lines 35,37,40,42,45 in 'helpers/build_crack_cmd.rb' to include '--opencl-device-types 1,2,3', as this will automatically allow the cracking machine to leverage the processor, etc.

I modified the code in my local copy and it worked without a problem.

Great app, thanks!

500 Internal Error

Get 500 internal error when submitting KRB5 hashes. -m 13100

500 error on job/list page if you do not have any customers

Add generic hash parser to hashimporter.rb

Add another case to hashimporter.rb to account for generic user:hash scenarios.

Create Download metrics

Top X users with same password/hashes

includes username, passwords, hashes
Password lengths
Basewords
runtime?

job hangs due to file permissions from hashcat output file

http://hashview.io/ not resolving

http://hashview.io/ doesn't seem to be resolving.

$ dig hashview.io +nostats +nocomments +nocmd
; <<>> DiG 9.8.3-P1 <<>> hashview.io +nostats +nocomments +nocmd
;; global options: +cmd
;hashview.io.			IN	A
hashview.io.		613	IN	SOA	ns-715.awsdns-25.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

$ dig www.hashview.io +nostats +nocomments +nocmd
; <<>> DiG 9.8.3-P1 <<>> www.hashview.io +nostats +nocomments +nocmd
;; global options: +cmd
;www.hashview.io.		IN	A
www.hashview.io.	121	IN	CNAME	hashview.github.io.
hashview.github.io.	2417	IN	CNAME	github.map.fastly.net.
github.map.fastly.net.	28	IN	A	151.101.192.133
github.map.fastly.net.	28	IN	A	151.101.0.133
github.map.fastly.net.	28	IN	A	151.101.128.133
github.map.fastly.net.	28	IN	A	151.101.64.133

Hash importer not trimming new line characters

need to review hash importer and chomp hashes.

Option --force

I wanted to test hashview within a VM just to see what it's like before putting it on other hardware. The only issue is the VM doesn't have a GPU assigned to it.

So when I try to run jobs I get:-

Started: Tue Feb 28 22:24:28 2017
Stopped: Tue Feb 28 22:24:28 2017
job completed
And it only took: 0.15889592899998206 seconds
==== Importing cracked hashes =====
==== import complete ====
==== Crack File Deleted ====
===== creating hash_file =======
===== Hash_File Created ======
===== starting job =======
/usr/local/bin/hashcat -m 500 --potfile-disable --status-timer=15 --outfile-format 3 --outfile control/outfiles/hc_cracked_1_2.txt -r control/rules/best64.rule control/hashes/hashfile_1_2.txt control/wordlists/password -w 3 | tee -a control/outfiles/hcoutput_1.txt
hashcat (v3.30-382-g50b46d5) starting...

Device #1: Not a native Intel OpenCL runtime, expect massive speed loss
You can use --force to override this but do not post error reports if you do so
No devices found/left

Is it possible to set the --force option?

Update Recently cracked DB Query

As it stands the Recently cracked function on the home page grabs all entries in the DB of cracked passwords, this needs to be updated to top 10, sorted by time.

runtime cannot be nil in global settings

if max runtime is not defined hashcat will error

Mass wordlist upload

Would like to submit a feature request that would allow mass wordlist uploading. If I could point it at a directory and allow it to suck up all files within that dir as wordlists.

Force single task to be ran on job/s

Hey Dev's it's me again (I know I know, making more work for you, I am sorry).

So using hasview over the last few days, I can't help but think it would be useful if you could choose from the webUI to run a task against X job(s).

It's a pita when you create a new task, then need to go into a past job, remove all the tasks, then add the new one before telling it to run.

The option to create a new task, then from the task menu say fire this task off for these jobs would be amazing.

Allow for users to user their own SSL certs

Certs are dynamically created if not found on startup. Not sure if better to build a startup/install script to prompt users to gen ssl cert or intsall existing?

Installing onto Amazon AMI (and I presume CentOS as well)

So, I didn't install hashview onto a Debian box, so apt-get didn't exist etc etc. I installed onto an Amazon AMI, which has an OS based on CentOS and uses yum.

So, here's the issues I found, and here's how to overcome them !

sudo apt-get update
sudo apt-get install mysql-server libmysqlclient-dev redis-server openssl rake
[optional, but recommended]
mysql_secure_installation

OK, so libmysqlclient-dev doesn't exist, nor does redis-server. The first one is easy to fix, you just need to yum install mysql-devel.noarch. Second one is a little more complex - you need to download and run the script from https://gist.github.com/khelll/ff9461bfda8ebfdc488e (make sure you edit the version=3.2.0 line to be version=3.2.8 to get the latest version)

mysql_secure_installation will FAIL because it'll ask you for a root password, which you've not set up yet, so you need to start mysqld first via sudo service mysqld start and set a password via /usr/libexec/mysql55/mysqladmin -u root password 'newpassword'
Then you can run mysql_secure_installation and enter the password you just set

my.cnf is in /etc/my.cnf not the location shown in the installation instructions.

USAGE:
Other issues, the Setup asks you for the hashcat path, when actually it wants the binary name as well (ie not just the path). If you just put /opt/hashcat-3.30 in the box it'll fail to crack anything, you specifically have to put the binary name at the end of the path e.g. /opt/hashcat-3.30/hashcat64.bin

Hope this helps :)

When selecting hashtype in verify_hashtype, show hashcount

Right now we only return an array of detected hashtypes. This should be updated to show count.