Home

Awesome

Gladius

Easy mode from Responder to Credentials

Author: Cory Duplantis (@ctfhacker) / blog

Blog post on Gladius

asciicast

Gladius provides an automated method for cracking credentials from various sources during an engagement. We currently crack hashes from Responder, secretsdump.py, and smart_hashdump.

Install

pip install watchdog
git clone https://www.github.com/praetorian-inc/gladius
cd gladius
git clone https://www.github.com/praetorian-inc/Hob0Rules
cp Hob0Rules/* .
rm -rf Hob0Rules/

Start

python gladius.py --hashcat ../hashcat/hashcat-cli64.bin -r d3adhob0.rule -w rockyou.txt

Now start the responder session as normal

cd /usr/share/responder
python Responder.py -i YOUR_IP -I YOUR_INTERFACE

Working with secretsdump

Send results of secretsdump to Gladius for parsing and cracking.

for ip in $(cat ips); do secretsdump.py DOMAIN/username:password@$ip > /usr/share/responder/secretsdump_$ip; done

Help

$ python gladius.py -h
usage: gladius.py [-h] [-v] [--responder-dir RESPONDER_DIR]
                  [--hashcat HASHCAT] [-r RULESET] [-w WORDLIST] [--no-art]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Increased output verbosity
  --responder-dir RESPONDER_DIR
                        Directory to watch for Responder output
  --hashcat HASHCAT     Path to hashcat binary
  -r RULESET, --ruleset RULESET
                        Ruleset to use with hashcat
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist to use with hashcat
  --no-art              Disable the sword ascii art for displaying credentials
                        and default to only text.

Workings

Ruleset

The default ruleset is a better best64 ruleset from Julian Dunning (@hob0man) of Praetorian. His presentation on the topic can be found below:

Picture to Youtube

Responder

Watches responder log for *NTLM*txt files. For each file found, parses output, creates a temp file containing the new hashes, and passes this to hashcat with the correct hash type

To watch for NTLM hashes from hashdump, simply create a file with NTLM hashes from hashdump and drop a file with `hashdump` in its name in the Responder directory.
Note: Will have to manually examine output in `./engagement/responderhander_out/*` to check for results from `hashdump` cracking.

Credentials

Watches for output from hashcat and exports files with the following format:

Domain Username Password

Example module

To extend Gladius:

class YourHandler(GladiusHandler):

    patterns = ['*']

    def process(self, event):
        data = self.get_lines(event)

        # Perform work on data

Add yourself to the handlers list

handlers = [
            (ResponderHandler, args.responder,
            (CredsHandler, ResponderHandler().outpath),
            (YourHandler, CredsHandler().outpath),
            (YourHandler, '/tmp'),
           ]