
New Task: Added Hashcat Command Validation

Open shivanraptor opened this issue 5 years ago • 6 comments

When creating a new task, the hashcat command is parsed and validated by Optparse.js and the Optparse Hashtopolis plugin.

The task name is marked as required as well, and the total length of the command is checked (now limited to 200) to avoid database field truncation.

Oct 23 '20 05:10 shivanraptor

Updated the Optparse Hashtopolis Plugin version to 0.2 to add support for Combinator attack command validation.

Oct 28 '20 08:10 shivanraptor

Modified the display of "Estimated time" to display a number of years if days are over 365 days.

Nov 13 '20 02:11 shivanraptor

Thanks for the contribution! There are a few points on these changes.

  • First, it should distinguish if a user selected hashcat or another cracker program and only be active if hashcat was selected.
  • Ideally, as there are so many things possible with hashcat and it's maybe not always possible to keep up-to-date with all hashcat options, it would be good to have this feature as an option in the server config (if you are not sure about this, I can do that after the merge, just let me know how I should best deactivate the functionality).
  • Hashcat now has a new attack mode (-a 9), any plans of having it in the validation as well?
  • And last but not least, remote files are a no-go. There are users not having their machines connected to the internet and also dynamically loading code from a third-party source would be suspect to quite some users. These files should be included locally.

Please let me know if there is anything not clear or if you are not sure how you should change some parts, I will try to help with that, or implement it afterwards.

Dec 19 '20 15:12 s3inlc

Agree with your points and concerns.

  1. Yes, the changes will detect whether hashcat cracker is being used or not. If hashcat is not used, the validation should not be implemented.
  2. Yes, it could be implemented as an option in the server config.
  3. I am looking into hashcat v6.1.1, and I only see the following attack modes: 0, 1, 3, 6, 7
  4. The validation JS files can be bundled or marked as an optional dependency of your next release.

I will try to work on the first 2 points. Hope I can help you to improve Hashtopolis.

Dec 22 '20 08:12 shivanraptor

Thanks for looking into it.

Regarding the new attack mode: as far as I remember, in the 6.1.1 release this was not implemented; it was added since and is available on the master branch of the repository.

Dec 22 '20 10:12 s3inlc

Correct me if I am wrong, but it seems the parser does not correctly parse attack commands that have multiple consecutive spaces in them. Hashcat does accept such commands. This is simply fixed by applying replace(/\s+/g, ' ').

Jan 29 '21 14:01 SherlockNL
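
An added example, not part of the thread and not Optparse.js or Hashtopolis code: a stand-alone sketch of the checks discussed above (the 200-character limit, the attack modes named in the thread, and tolerance of repeated spaces). A whole-string whitespace collapse would also rewrite spaces inside quoted arguments, so this version tokenizes instead; the function names, the quote handling and the mode whitelist are assumptions for illustration.

```javascript
// Added example: hypothetical helper names, not Optparse.js or Hashtopolis code.
const MAX_CMD_LENGTH = 200; // length limit mentioned in the thread
// Attack modes named in the thread (0, 1, 3, 6, 7, plus the newer 9).
const ATTACK_MODES = new Set(['0', '1', '3', '6', '7', '9']);

// Split on runs of whitespace while keeping quoted arguments intact,
// so "-a  3" and "-a 3" give the same tokens and "my  list.txt" is untouched.
function tokenize(cmd) {
  const tokens = [];
  let cur = '', quote = null, started = false;
  for (const ch of cmd) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; started = true;
    } else if (/\s/.test(ch)) {
      if (started) { tokens.push(cur); cur = ''; started = false; }
    } else {
      cur += ch; started = true;
    }
  }
  if (quote) throw new Error('unterminated quote');
  if (started) tokens.push(cur);
  return tokens;
}

function validateCommand(cmd) {
  const errors = [];
  if (cmd.length > MAX_CMD_LENGTH) {
    errors.push(`command longer than ${MAX_CMD_LENGTH} characters`);
  }
  let tokens;
  try { tokens = tokenize(cmd); } catch (e) {
    return { ok: false, errors: [e.message], tokens: [] };
  }
  // Accept "-a 3", "-a3", "--attack-mode 3" and "--attack-mode=3".
  let mode = '0'; // hashcat's default attack mode
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '-a' || t === '--attack-mode') mode = tokens[++i];
    else if (t.startsWith('--attack-mode=')) mode = t.slice('--attack-mode='.length);
    else if (/^-a\d+$/.test(t)) mode = t.slice(2);
  }
  if (!ATTACK_MODES.has(mode)) errors.push(`unsupported attack mode: ${mode}`);
  return { ok: errors.length === 0, errors, tokens, mode };
}
```

The same checks should be repeated on the server, since client-side validation can be bypassed by anyone submitting the form directly.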