Ryan Kozak

Network Architect based in Vancouver, BC.

Posts

Links

Fingerprint

c6a1 8eb3 d0b2 4298 3afc 9279 feda 1ff5 75cc 1b01

Copyright (c) Ryan Kozak. Programs and code snippets licensed under the GNU GPL v3 license. Other content licensed under the CC BY-SA 4.0 license.

Powered by Jekyll — Theme by BDHU, modified by Ryan Kozak.

Python Script to Generate Password Hashes

Posted on September 21 2022 under networking, security, and python

Note

This has since been turned into a utility package on PyPI. Install it with pipx install passhash. Source for the package can be found on GitHub. The original script is included here for reference.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys

from argparse import ArgumentParser, SUPPRESS
from getpass import getpass

try:
    from passlib import pwd
    from passlib.exc import MissingBackendError
    from passlib.registry import get_crypt_handler
except ImportError:
    sys.stderr.write("Error: Unable to import passlib module, please install via 'pip install passlib'\n")
    sys.exit(1)


# Program metadata
PROG_NAME = "passhash"
PROG_VERS = "1.0.0"
PROG_COPY = "Copyright 2022, Ryan Kozak"
ALL_ALGORITHMS = [
    'bcrypt',
    'des_crypt',
    'md5_crypt',
    'pbkdf2_sha1',
    'pbkdf2_sha256',
    'pbkdf2_sha512',
    'scrypt',
    'sha1_crypt',
    'sha256_crypt',
    'sha512_crypt',
    'lmhash',
    'msdcc',
    'msdcc2',
    'nthash',
    'cisco_asa',
    'cisco_type7',
    'ldap_md5',
    'ldap_salted_md5',
    'ldap_sha1',
    'ldap_salted_sha1',
    'ldap_salted_sha256',
    'ldap_salted_sha512',
]

# Create an argument parser with global options
parser = ArgumentParser(prog=PROG_NAME, add_help=False,
                        usage=f"{PROG_NAME} [options]",
                        description="Generate password hashes based on various standards")

optional = parser.add_argument_group(title="Optional Arguments")
optional.add_argument('-a', '--all', action='store_true', help=SUPPRESS)
optional.add_argument('-g', '--generate', action='store_true',
                      help="Generate a random password")
optional.add_argument('-r', '--rounds', metavar='NUM', type=int,
                      help="Number of rounds to use, default varies by algorithm")
optional.add_argument('-s', '--salt', metavar='STR', type=str,
                      help="Salt to use, randomly generated if not provided")
optional.add_argument('--salt-size', metavar='NUM', type=int,
                      help="Size of the randomly-generated salt")
optional.add_argument('-u', '--username', metavar='STR', type=str,
                      help="Username for the account, required by some algorithms")
optional.add_argument('-h', '--help', action='help',
                      help="Show this help message and exit")
optional.add_argument('-v', '--version', action='version',
                      version=f"{PROG_NAME} v{PROG_VERS} {PROG_COPY}",
                      help="Show program's version number and exit")

# Supported Unix hash algorithms
unix = parser.add_argument_group(title="Unix Algorithms (crypt)")
unix.add_argument('--unix-bcrypt', action='append_const', dest='algorithms',
                  const='bcrypt', help="bcrypt")
unix.add_argument('--unix-des', action='append_const', dest='algorithms',
                  const='des_crypt', help="DES")
unix.add_argument('--unix-md5', action='append_const', dest='algorithms',
                  const='md5_crypt', help="MD5")
unix.add_argument('--unix-pbkdf2-sha1', action='append_const', dest='algorithms',
                  const='pbkdf2_sha1', help="PBKDF2 SHA1")
unix.add_argument('--unix-pbkdf2-sha256', action='append_const', dest='algorithms',
                  const='pbkdf2_sha256', help="PBKDF2 SHA2-256")
unix.add_argument('--unix-pbkdf2-sha512', action='append_const', dest='algorithms',
                  const='pbkdf2_sha512', help="PBKDF2 SHA2-512")
unix.add_argument('--unix-scrypt', action='append_const', dest='algorithms',
                  const='scrypt', help="scrypt")
unix.add_argument('--unix-sha1', action='append_const', dest='algorithms',
                  const='sha1_crypt', help="SHA1")
unix.add_argument('--unix-sha256', action='append_const', dest='algorithms',
                  const='sha256_crypt', help="SHA2-256")
unix.add_argument('--unix-sha512', action='append_const', dest='algorithms',
                  const='sha512_crypt', help="SHA2-512 (default)")

# Supported Windows hash algorithms
windows = parser.add_argument_group(title="Windows Algorithms")
windows.add_argument('--windows-lmhash', action='append_const', dest='algorithms',
                     const='lmhash', help="LanManager Hash")
windows.add_argument('--windows-msdcc', action='append_const', dest='algorithms',
                     const='msdcc', help="Microsoft Domain Cached Credentials")
windows.add_argument('--windows-msdcc2', action='append_const', dest='algorithms',
                     const='msdcc2', help="Microsoft Domain Cached Credentials v2")
windows.add_argument('--windows-nthash', action='append_const', dest='algorithms',
                     const='nthash', help="NT Hash")

# Supported Cisco hash algorithms
cisco = parser.add_argument_group(title="Cisco Algorithms")
cisco.add_argument('--cisco-asa', action='append_const', dest='algorithms',
                   const='cisco_asa', help="Cisco ASA")
cisco.add_argument('--cisco-type-5', action='append_const', dest='algorithms',
                   const='md5_crypt', help="Cisco type 5 (MD5)")
cisco.add_argument('--cisco-type-7', action='append_const', dest='algorithms',
                   const='cisco_type7', help="Cisco type 7")

# Supported LDAP hash algorithms
ldap = parser.add_argument_group(title="LDAP Algorithms")
ldap.add_argument('--ldap-md5', action='append_const', dest='algorithms',
                  const='ldap_md5', help="LDAP MD5")
ldap.add_argument('--ldap-salted-md5', action='append_const', dest='algorithms',
                  const='ldap_salted_md5', help="LDAP Salted MD5")
ldap.add_argument('--ldap-sha1', action='append_const', dest='algorithms',
                  const='ldap_sha1', help="LDAP SHA1")
ldap.add_argument('--ldap-salted-sha1', action='append_const', dest='algorithms',
                  const='ldap_salted_sha1', help="LDAP Salted SHA1")
ldap.add_argument('--ldap-salted-sha256', action='append_const', dest='algorithms',
                  const='ldap_salted_sha256', help="LDAP Salted SHA2-256")
ldap.add_argument('--ldap-salted-sha512', action='append_const', dest='algorithms',
                  const='ldap_salted_sha512', help="LDAP Salted SHA2-512")

# Parse arguments and prepare the algorithm list
args = parser.parse_args()
if args.all:
    algorithms = ALL_ALGORITHMS
elif args.algorithms is None or len(args.algorithms) < 1:
    algorithms = ['sha512_crypt']  # Default if no algorithms are specified
else:
    algorithms = args.algorithms

# Set up the parameters to pass to the crypt module, if any
params = {}
if args.salt is not None:
    params['salt'] = args.salt
if args.salt_size is not None:
    params['salt_size'] = args.salt_size
if args.rounds is not None:
    params['rounds'] = args.rounds

# Prepare the password to hash
if args.generate:
    password = pwd.genword(entropy='secure', charset='ascii_50')
    sys.stdout.write(f"Generated Password: {password}\n\n")
else:
    password = getpass()

# Hash using each selected algorithm and print
for algorithm in algorithms:
    # Load the correct crypt handler
    try:
        handler = get_crypt_handler(algorithm)
    except KeyError:
        sys.stderr.write(f"{algorithm}: ERROR loading algorithm handler\n")
        continue

    # Load the relevant parameters
    handler_params = {k: params[k] for k in params.keys() if k in handler.setting_kwds}

    # Try to load the configured crypt handler
    try:
        try:
            crypt = handler.using(**handler_params)
        except TypeError:  # Attempt to convert the salt to bytes
            handler_params['salt'] = handler_params['salt'].encode('utf-8')
            try:
                crypt = handler.using(**handler_params)
            except TypeError as e:
                sys.stderr.write(f"{algorithm}: ERROR invalid parameter - {e}\n")
                continue
    except ValueError as e:
        sys.stderr.write(f"{algorithm}: ERROR invalid parameter - {e}\n")
        continue

    # Create the password hash and print
    try:
        if algorithm in ['msdcc', 'msdcc2'] and args.username is not None:
            password_hash = crypt.hash(password, user=args.username)
        else:
            password_hash = crypt.hash(password)
    except TypeError as e:
        sys.stderr.write(f"{algorithm}: ERROR invalid parameter - {e}\n")
        continue
    except MissingBackendError as e:
        sys.stderr.write(f"{algorithm}: ERROR missing backend - {e}\n")
        continue

    # Output the password hash
    sys.stdout.write(f"{algorithm}: {password_hash}\n")

# Done
sys.exit(0)