Gladius: Automatic Responder Cracking

So there you are, performing your internal penetration test, using Responder to potentially grab hashed credentials and thinking “Responder is awesome… but manually cracking credentials isn’t fun.” Well, welcome Gladius! Gladius happily listens for Responder hashes (and... spoiler alert... secretsdump.py and hashdump) and automatically passes them to hashcat.

Get Gladius on GitHub →

At its core, Gladius listens in target directories for file events and then performs computations based on the event. Let’s walk through the Responder workflow with Gladius:

[Figure: credentials workflow]

At this point, we have a hashcat process furiously cracking credentials. Meanwhile, Gladius is watching the output directory from the hashcat process, waiting to parse the results for human consumption.

[Figure: credentials workflow]

The found credentials from Responder are then displayed to the user in an ASCII gladius.

[Figure: code block, domain administrator password]

(For those of you who don’t like beautiful works of art, --no-art is an option to disable the ASCII gladius.)

The usefulness of Gladius is that any sort of file-driven event can be captured and triggered. By default, Gladius comes prepackaged with three types of events:

  • Watching for files that match *NTLM* from Responder in Responder’s default directory on Kali: /usr/share/responder
  • Watching for files that match *hashdump* from Metasploit’s smart_hashdump module in /root/.msf*/loot
  • Watching for files that match *secretsdump* from CoreSecurity’s secretsdump.py also in Responder’s default directory

What this means is that once Gladius is started, all one has to do is perform a smart_hashdump in Metasploit or pipe the output from secretsdump.py into /usr/share/responder, and the resulting hashes are automatically passed to hashcat to begin cracking.

One other feature that is useful to clients is the ability to tell them how many credentials were cracked in what span of time. Given a hashdump, Gladius happily displays the following information:

  • Total time it took to crack the given hash
  • How many total hashes have been cracked thus far
  • Total number of hashes to crack
  • Percentage of hashes cracked

Quick example of this:

[Figure: code block, new credentials]

Here we see that this credential was cracked in 1.5 seconds, was the 40th of 41 credentials to be cracked, and that currently 97.56% of all credentials have been cracked.

Lastly, we can also quickly tell if multiple users are using the same password:

[Figure: code block, new credentials]
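The reporting described above (hashes cracked so far, total, percentage, and accounts sharing a password), as an added example that is not Gladius’s own code. It assumes a pwdump-style hash list and hashcat potfile-style results; the sample data and function names are constructed for illustration. It goes slightly beyond the text by flagging shared passwords from equal NT hashes alone, which works because NT hashes are unsalted, and it never prints the passwords themselves.

```python
from collections import defaultdict

# Constructed sample input: pwdump-style lines (user:rid:lm:nt:::) and
# hashcat potfile-style lines (hash:plaintext). The NT values are placeholders,
# not real hashes of the plaintexts shown.
HASHDUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
dave:1004:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""
POTFILE = """\
11111111111111111111111111111111:Example:Pass1
33333333333333333333333333333333:ExamplePass2
"""

def parse_hashdump(text):
    """Return {user: nt_hash} from pwdump-style lines, skipping malformed ones."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and len(fields[3]) == 32:
            accounts[fields[0]] = fields[3].lower()
    return accounts

def parse_potfile(text):
    """Return {hash: plaintext}; split on the first ':' only, as plaintexts may contain ':'."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            h, plain = line.split(":", 1)
            cracked[h.lower()] = plain
    return cracked

def summarize(accounts, cracked):
    """Audit figures for a report: counts, percentage, and groups of accounts sharing a password."""
    by_hash = defaultdict(list)
    for user, nt in accounts.items():
        by_hash[nt].append(user)
    done = [u for u, nt in accounts.items() if nt in cracked]
    total = len(accounts)
    return {
        "cracked": len(done),
        "total": total,
        "percent": round(100.0 * len(done) / total, 2) if total else 0.0,
        # Equal NT hashes mean equal passwords, cracked or not.
        "shared": sorted(sorted(users) for users in by_hash.values() if len(users) > 1),
    }

if __name__ == "__main__":
    print(summarize(parse_hashdump(HASHDUMP), parse_potfile(POTFILE)))
```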
