hashtopolis v0.13 released: A Hashcat wrapper for distributed hashcracking
Hashtopolis
Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis’s development are portability, robustness, multi-user support, and management of multiple groups. The application has two parts:
- Agent: multiple clients (C#, Python), easily customizable to suit any need.
- Server: several PHP/CSS files operating on two endpoints: an Admin GUI and an Agent Connection Point.
Aiming for high usability even on restricted networks, Hashtopolis communicates over HTTP(S) using a human-readable, hashing-specific dialect of JSON.
The server part runs on PHP using MySQL as the database backend. It is vital that your MySQL server is configured with performance in mind. Queries can be very expensive and proper configuration makes the difference between a few milliseconds of waiting and disastrous multi-second lags. The database schema heavily profits from indexing. Therefore, if you see a hint about pre-sorting your hashlist, please do so.
The web admin interface is the single point of access for all client agents. New agent deployments require a one-time password generated in the New Agent tab. This reduces the risk of leaking hashes or files to rogue or fake agents.
Features
- Easy and comfortable to use
- Accessible from anywhere via web interface
- Server component highly compatible with common web hosting setups
- Unattended agents
- File management for word lists, rules, …
- Self-updating of both Hashtopolis and Hashcat
- Cracking multiple hashlists of the same hash type as though they were a single hashlist
- Running the same client on Windows, Linux and OS X
- Files and hashes marked as “secret” are only distributed to agents marked as “trusted”
- Many data import and export options
- Rich statistics on hashes and running tasks
- Visual representation of chunk distribution
- Multi-user support
- User permission levels
- Various notification types
- Small and/or CPU-only tasks
- Group assignment for agents and users for fine-grained access-control
- Compatible with crackers supporting certain flags
Changelog v0.13
Features
- Added monitoring of CPU utilization of agents.
- Cracked hashes for all hashlists can be shown together (caution: only use when having smaller hashlists).
- Allow aborting all chunks of a specific access group from the User API.
- Tasks can be set to top priority (to be first in the list) by the User API.
- Supertask runtime can be estimated on the supertask detail page by entering expected attack speeds for hashcat wordlist and bruteforce attacks.
- Number of agents per task can be limited (pull request #764).
- Hashlists can be archived.
- Added hashtype dropdown autocompletion for creating new hashlists (pull request #781).
- Allow agents to register as CPU agents only (feature request #805).
Bugfixes
- Fixed search hash function.
- Fixed possible path traversal vulnerability on filename check.
- Fixed pre-crack import of lists with >1000 lines.
- Fixed availability of cracked hashes link on restrained permissions.
- Fixed access controls for owners of agents.
- Fixed improper updating of superhashlist counts on deletion of hashlists.
- Fixed missing .map files for JavaScript dependencies.
- Fixed users being able to access tasks with hashlists they would not be allowed to view.
- Fixed users being able to access hashlists they are not allowed to see.
- Adjusted handling to be able to deal with changed mode 22000 output.
- Fixed pagination of hashes on cracks page.
- Time of Zaps inserted is now saved.
- Fixed being unable to unassign an agent from the task detail screen.
- Fixed incorrect speed graph when the status timer differs from the server's default.
- Fixed sending two To headers when sending emails (issue #751).
- Fixed access group not being changed on Hashlist detailed screen (issue #765).
- Fixed missing check on permissions for sending notifications (issue #757).
- Fixed unassignable agents being shown as assignable (issue #777).
- Fixed not deleting all references (related to zaps) when deleting hashlist (issue #747).
- Added check for max length of the attack command (issue #668).
- Fixed missing flag isArchived on User API getTask requests (issue #794).
Enhancements
- Cracker version and name are shown on task details.
- Task notes and cracker version are copied.
- Agent activity is also shown on the agent status page.
- All chunks for a task can be viewed, instead of only the last 100.
- Allow changing the status interval for created tasks.
- Permission for managing access groups is separate from the permission to manage users.
- The agent status page shows more detailed information on temperature and usage.
- jQuery updated to v3.6.0.
- Print database connection error in UI theme.
- Agent detail page now has a hide/show button for the config parameters.
- Agents overview page and agent detail page now show counter for repeating devices.
- Increase size of database column for storing agentstats.
Copyright (C) s3inlc
Source: https://github.com/s3inlc/