Distributed Hash Cracking Hashcat Hashtopolis Tutorial

Welcome to HackingVision today we will be demonstrating how to distribute Hashcat tasks across multiple computers using Hashtopolis.

Hashtopolis is a Hashcat wrapper for distributed hash cracking its easy to use and is accessible via a web interface allowing you to use Hashtopolis where ever you are. In this tutorial, you will learn how to set up the Hashtopolis server, and agent.

About Hashtopolis

Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis’s development are portability, robustness, multi-user support, and multiple groups management. The application has two parts:

  • Agent Multiple clients (C#, Python), easily customizable to suit any need.
  • Server several PHP/CSS files operating on two endpoints: an Admin GUI and an Agent Connection Point

Aiming for high usability even on restricted networks, Hashtopolis communicates over HTTP(S) using a human-readable, hashing-specific dialect of JSON.

The server part runs on PHP using MySQL as the database back end. It is vital that your MySQL server is configured with performance in mind. Queries can be very expensive and proper configuration makes the difference between a few milliseconds of waiting and disastrous multi-second lags. The database schema heavily profits from indexing. Therefore, if you see a hint about pre-sorting your hashlist, please do so.

The web admin interface is the single point of access for all client agents. New agent deployments require a one-time password generated in the New Agent tab. This reduces the risk of leaking hashes or files to rogue or fake agents.

Hashtopolis Features

  • Easy and comfortable to use
  • Accessible from anywhere via web interface
  • Server component highly compatible with common web hosting setups
  • Unattended agents
  • File management for word lists, rules, …
  • Self-updating of both Hashtopolis and Hashcat
  • Cracking multiple hashlists of the same hash type as though they were a single hashlist
  • Running the same client on Windows, Linux and OS X
  • Files and hashes marked as “secret” are only distributed to agents marked as “trusted”
  • Many data import and export options
  • Rich statistics on hashes and running tasks
  • Visual representation of chunk distribution
  • Multi-user support
  • User permission levels
  • Various notification types
  • Small and/or CPU-only tasks
  • Group assignment for agents and users for fine-grained access-control
  • Compatible with crackers supporting certain flags
  • Report generation for executed attacks and agent status
  • Multiple file distribution variants

https://github.com/s3inlc/hashtopolis

https://hashtopolis.org

Install Hashtopolis Server

In order to install the Hashtopolis server, you must have a server with root access. I will use a Droplet from DigitalOcean to demonstrate how to install and configure the Hashtopolis server in Ubuntu 18.04.

First login to your web server using SSH I am using Linux so I will use the built-in SSH command if you’re using Windows you can use PuTTY.

ssh root@serversipaddress

Now that we have established an SSH session with our webserver we need to make sure that we have LAMP (Linux, Apache, MySQL, PHP) installed on our server.

sudo apt update && sudo apt upgrade
sudo apt install mysql-server
sudo apt install apache2
sudo apt install libapache2-mod-php php-mysql php php-gd php-pear php-curl
sudo apt install git
sudo apt install phpmyadmin

Now that we installed dependencies we can secure our MySQL installation by entering the following command in your webservers SSH terminal.

mysql_secure_installation

During MySQL configuration, you will be asked the following questions.

Remove anonymous users?: y

Disallow root login remotely: y

Remove test database and access to it: y

reload privilege tables now?: y

Its time to clone Hashtopolis to our webserver in your servers SSH terminal enter the following commands.

git clone https://github.com/s3inlc/hashtopolis.git
sudo mkdir /var/www/hashtopolis
sudo cp -r hashtopolis/src/* /var/www/hashtopolis
sudo chown -R www-data:www-data /var/www/hashtopolis

Create a MySQL database

Let’s create a MySQL database to use with Hashtopolis. In your web servers, SSH terminal enter the commands below to create the MySQL database for Hashtopolis. Replace ‘securePassword’ with a secure password of your choice.

sudo mysql -uroot -e "create database hashtopolis;"
sudo mysql -uroot -e "GRANT ALL ON hashtopolis.* TO 'hashtopolis'@'localhost' identified by 'securePassword';"
sudo mysql -uroot -e "flush privileges;"

Create a Virtual host file for your domain replace prophishing.com with a domain you want to use for the Hashtopolis server. I will use prophishing.com

sudo nano /etc/apache2/sites-available/prophishing.com.conf

Change domain name to the domain that you will be using the Hashtopolis server with. In this tutorial, I will be using the domain prophishing.com.

<VirtualHost *:80>
 ServerName prophishing.com
 DocumentRoot /var/www/hashtopolis
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Disable access to default apache demo web application.

sudo sudo a2dissite 000-default

Point your domains A records to your servers IP address. You should have two A records one for your server’s main domain and one for www both should match your servers IP address our test servers IP address.

Enable the Hashtopolis web application for your domain. Change domain name with the domain you will be using for your Hashtopolis server.

sudo a2ensite prophishing.com

Reload Apache.

sudo systemctl reload apache2

Now we need to modify php.ini open php.ini up in nano use CTRL+W to search for the terms below modify the php.ini file when you have finished use CTRL+O in nano to write the changes to the file. To exit you CTRL+X.

nano /etc/php/7.2/apache2/php.ini
  • Search for “memory_limit”
  • change limit to 512M
  • search for upload_max_filesize – 500M
  • search post_max_size – 500M

Save changes and exit nano

Now we need to modify apache2.conf, open apache2.conf in nano.

sudo nano /etc/apache2/apache2.conf

Change values of KeepAliveTimeout, MaxKeepAliveRequests, and AllowOverride to the following.

KeepAliveTimeout 10
MaxKeepAliveRequests 1000
AllowOverride All

Reload apache2.

service apache2 reload

Start Hashtopolis Installation.

Fill out MySql database details. Server hostname should be localhost server port 3306 MySQL user: hashtopolis MySQL Password: Password for MySQL Database name: hashtopolis.

Now that we have established a database connection with Hashtopolis we are ready to set an administrator account up. Click on continue.

Choose a username and password and include an email address.

Login to Hashtopolis web application with your username and password.

For security reasons remove the Hashtopolis install directory from your server.

sudo rm -r /var/www/hashtopolis/install

Install Agent

In this tutorial, I will be installing Hashtopolis agent in Kali Linux Hashtopolis agent is multi-platform and will work on Windows, Linux, and macOS.

sudo apt update
sudo DEBIAN_FRONTEND=noninteractive apt upgrade -yq
sudo apt install -y python3-pip zippip3 install requests psutil

sudo apt install -y python3-pip zip

pip3 install requests psutil

curl http://prophishing.com/agents.php?download=1 -so agent.zip

python3 agent.zip

Enter your voucher code from the Agents tab in the Hashtopolis web interface. First, create a new Agent.

Create a new voucher code.

In Linux, we need to update /etc/hosts with the IP address of our Hashtopolis server. In a command, terminal use nano to modify /etc/hosts file. Add your server’s IP address and domain name.

sudo nano /etc/hosts
192.168.1.111  prophishing.com

Now that we have set up Hashtopolis agent on our password cracking machine we can run python3 agent.zip again leave it running. Hashtopolis agent will display No task available! unless you assign a job to the agent in the Hashtopolis web interface.

python3 agent.zip

Thanks, @tomas_savenas the information you provided in your medium post was useful when setting up the Hashtopolis server.
https://medium.com/@tomas_savenas/distributing-hashcat-tasks-to-multiple-computers-7bb98d8410bd