secrackit.py automates the following into a single command:
- Windows SMB auth checks (CrackMapExec)
- Parses worthy NTLM hashes from secrets (Impacket-secretsdump)
- Attempts to crack worthy NTLM hashes (Hashcat)
- Exports both parsed and original command outputs to a directory.
Example syntax using all optional arguments:
./secrackit.py DC-IP domain.name IPs.txt accountname pw badpassword123 -localauth -out_dir ~/Desktop/toolsoutput -wordlist ~/Desktop/wordlists/customwordlist.txt -rule ~/media/hashcatrules/TwoRule.rule
Required positional arguments:
- DC-IP - IP address of the domain controller.
- domain.name - Active directory domain name.
- IP or CIDR or /File.txt - Target IPs. Either a single IP, single networkID(CIDR), or the location of a file containing one IP per line.
- AccountName - Single account name used for either local or domain authentication.
- pw or ntlm - Specify whether a password (pw) or NTLM hash (ntlm) will be inputted.
- Password or NTLM hash - Value of password or NTLM hash. If pw argument passed, provide a cleartext password. If ntlm argument passed, provide an NTLM hash.
Optional arguments:
- -localauth - Use local authentication against targets. (Default is domain authentication)
- -out_dir - Specify directory location for results. (Defaults to the directory secrackit.py is run from)
- -wordlist - Specify custom wordlist location for Hashcat. (Default is /usr/share/wordlists/rockyou.txt)
- -rule - Specify rule location for Hashcat. (Default is no rule)
- -h - Cancels script execution and displays help details.
- Packages crackmapexec, impacket-secretsdump, and hashcat must be installed and present in your $PATH.
- If you aren't specifying a custom wordlist, via -wordlist, secrackit.py will default to rockyou.txt located at /usr/share/wordlists/rockyou.txt.
- If you're on Kali, simply do the following to install and prep the three required tools:
  i. sudo apt update && sudo apt install crackmapexec python3-impacket hashcat
  ii. If you haven't run these tools before, run each tool once before running secrackit.py. Some tools create databases, etc. on their first run and this may cause issues for secrackit.py. (never tested)
Story behind the script?
- After some AD labs online and at home, I found myself running these three scripts over and over. I also wanted to organize any dumped hashes by prepending IP, SAM or NTDS, etc to the NTLM hashes.
Why so many comments? XD
- I'm learning Python and it helps when I come back to it later. Maybe it'll help others too. :)
Thanks to the creators of the following tools! You're awesome!
- CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec
- Impacket-secretsdump - https://github.com/fortra/impacket
- Hashcat - https://github.com/hashcat/hashcat
- I take zero(0) responsibility for your actions if and when you ever use(execute) "secrackit.py".
- Do NOT execute "secrackit.py" without prior WRITTEN authorization from the owners of ANY target(s), system(s), and/or network(s) secrackit.py may run against.
- Do NOT use "secrackit.py" for illegal activities and/or purposes.