hashMonitor

Description: While I love tools like @DumpMon, I am generally only concerned with pulling hashes for enhancing wordlists or to practice cracking passwords. I am not interested in the email addresses associated with these accounts, or any other information like phone numbers, names, etc. hashMonitor allows me to gather hashes from these breaches without exposing myself to other data.

hashMonitor is a tool I created to monitor Twitter accounts that link to data breaches, such as @Dumpmon and @PastebinDorks. It checks each link these accounts post for MD5, SHA1, or SHA256 hashes. If hashes are found, it adds them to a SQLite database. hashMonitor tracks which URLs and hashes it has already seen and skips them. Once hashes are in the database, hashMonitor can output them to the screen or to an output file for your cracking pleasure.

Current version is 0.2

Installation:

As this is a Python script, you will need the correct version of Python, which for this script is Python 2.7. I used mostly standard libraries, but just in case you don't have them, here are the libraries that are required: sqlite3, re, datetime, httplib2, argparse, sys.

The only non-standard dependency is python-twitter. You can download and get installation instructions for this library at https://github.com/bear/python-twitter

With Python and the libraries out of the way, you can simply use git to clone the tekdefense code to your local machine.

git clone https://github.com/1aN0rmus/TekDefense-hashMonitor.git

If you don't have git installed you can simply download the script from https://github.com/1aN0rmus/TekDefense-hashMonitor/blob/master/hashMonitor.py

On Linux, if you would like to run this as an executable (./), be sure to:

chmod +x hashMonitor.py 

Usage:

As always, let's start off with the help command:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -h
usage: hashMonitor.py [-h] [-d DATABASE] [-o OUTPUT] [-l LIST] [-s] [-a ADD]
                      [-r REMOVE]
hashMonitor is a tool that will collect hashes from data breeches reported via
Twitter
optional arguments:
  -h, --help            show this help message and exit
  -d DATABASE, --database DATABASE
                        This option is used to specify a database name.
                        ./hashMonitor.py -d databaseName.db
  -o OUTPUT, --output OUTPUT
                        This option will output the results to a file.
                        ./hashMonitor.py -o output.txt
  -l LIST, --list LIST  This option will return a list of all the hashes in
                        the database. Use ALL, MD5, SHA1, or SHA256.
                        ./hashMonitor.py -l MD5
  -s, --summary         This option will display stats on URLs scanned and
                        Hashes collected ./hashMonitor.py -s
  -a ADD, --add ADD     This option will add a twitter account to the monitor
                        db ./hashMonitor.py -a TWITTERHANDLE
  -r REMOVE, --remove REMOVE
                        This option will remove hashes from the database from
                        any text base file that includes hashes like a .pot
                        file ./hashMonitor.py -r hascat.pot

From the help command you will notice we have a few options when running this program. None of the arguments are required though. Simply running the script will run the collection with default options.

To show you typical usage here are a few examples:

Run a default collection:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py 

[*] Running hashMonitor.py

[*] Adding links to the DB if they have not been scanned previously.

[+] Adding http://t.co/EG5O5AlZr0 into the DB

[+] Adding http://t.co/gtUVt0mWdA into the DB

[+] Adding http://t.co/xM5HyI4pJD into the DB

[+] Adding http://t.co/YQ6chctxsA into the DB

[+] Adding http://t.co/UEpBuTG3aX into the DB

[+] Adding http://t.co/mnPs7Q2uGd into the DB

[+] Searching for hashes in the new URLs

[*] Inserting new hashes to the DB if any are found.

List hashes of a certain type:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -l MD5

[*] Running hashMonitor.py

Output hashes to a file:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -l ANY -o allhashes.out

[+] Printing results to file: allhashes.out

Specify a database name:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -d test4.db

[*] Running hashMonitor.py

[*] Adding links to the DB if they have not been scanned previously.

[+] Searching for hashes in the new URLs

[*] Inserting new hashes to the DB if any are found.

[+] Added 0 Hashes to the Database

Show a count of the hashes in the database:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -s

[*] Running hashMonitor.py

[+] MD5: 3797

[+] SHA1: 969

[+] You have collected a total of 4766 hashes in this database!

[+] You have scraped a total of 67 URLs listed in this database!

Remove hashes from the database:

ian@tekDev:~/Workspace/Testing$ ./hashMonitor.py -d test5.db -r hashcat.pot 

[*] Running hashMonitor.py

[*] Checking to see if there are any matches between the database and hashcat.pot. Any matches will be removed from the database!

[+] Removed 28 hashes from the database
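
The collect, de-duplicate and remove-cracked flow described on this page, as an added Python 3 example; it is not hashMonitor's own code. The table layout, function names, URLs and sample paste are assumptions constructed for illustration.

```python
import hashlib
import re
import sqlite3

# Exactly 32/40/64 hex chars; the lookarounds keep a longer hex run (a SHA256,
# or a 50-char token) from being reported as an MD5/SHA1 substring.
HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
# Length is only a heuristic: other 32-hex digests (e.g. NTLM) also land in "MD5".
TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}

def extract_hashes(text):
    """Return {hash: type}; e-mails, names and everything else are discarded."""
    return {h.lower(): TYPES[len(h)] for h in HASH_RE.findall(text)}

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS urls (url TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE IF NOT EXISTS hashes (hash TEXT PRIMARY KEY, type TEXT)")
    return db

def count(db):
    return db.execute("SELECT COUNT(*) FROM hashes").fetchone()[0]

def ingest(db, url, text):
    """Add unseen hashes from one page; an already-scanned URL is skipped."""
    if db.execute("SELECT 1 FROM urls WHERE url = ?", (url,)).fetchone():
        return 0
    before = count(db)
    db.execute("INSERT INTO urls VALUES (?)", (url,))
    db.executemany("INSERT OR IGNORE INTO hashes VALUES (?, ?)",
                   extract_hashes(text).items())
    db.commit()
    return count(db) - before

def remove_cracked(db, pot_text):
    """Drop every stored hash that also appears in potfile-style text."""
    before = count(db)
    db.executemany("DELETE FROM hashes WHERE hash = ?",
                   [(h,) for h in extract_hashes(pot_text)])
    db.commit()
    return before - count(db)

# Constructed sample paste: digests of made-up strings, with fake PII around them.
MD5_A = hashlib.md5(b"sample-a").hexdigest()
SHA1_B = hashlib.sha1(b"sample-b").hexdigest()
SHA256_C = hashlib.sha256(b"sample-c").hexdigest()
SAMPLE = ("alice@example.test:%s:555-0100\nbob,%s\n%s\n%s\n"
          % (MD5_A, SHA1_B.upper(), SHA256_C, "ab" * 25))
```

Only the hash column ever reaches the database, so the e-mail address and phone number in the sample are never stored, and the 50-character hex token is rejected rather than truncated into a false MD5.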

If you have any suggestions for the tool please let me know.

@TekDefense