Last week we started down the path of password cracking with an introduction to Hashcat. The unfortunate thing is that Hashcat is limited to the capabilities of your own machine. Rather than stick with one machine for a cracking run, we want to leverage multiple boxes. The open source Hashtopolis project allows us to do just that by splitting Hashcat operations across as many machines as you want!

Basic Setup

Hashtopolis is easily installed on any Linux machine, but I happen to prefer Ubuntu when working in the cloud, so we'll start there. The first step is to provision a server somewhere and make sure you have access to it. For my purposes, I set up a t2.micro EC2 instance on Amazon and configured it with an Elastic IP so I could keep track of things. I also pointed a vanity subdomain[ref]From one of my other, private top-level domains I use for experimentation...[/ref] at it so I can log in and use the machine easily.

I won't go into basic server provisioning here - that's an exercise left for some other time.

Once the machine is available, connect via SSH and start setting things up:

sudo apt update && sudo apt upgrade
sudo apt install mysql-server apache2 libapache2-mod-php php-mysql php php-gd php-pear php-curl git phpmyadmin

The above installations will get almost everything set up. You'll also want to execute mysql_secure_installation to ensure MySQL is set up securely. Remove anonymous users, disallow remote root login, and remove the test database. Then you're ready for Hashtopolis.

Installing Hashtopolis

Hashtopolis itself is installed by cloning the project from GitHub and moving it to the appropriate location.

git clone https://github.com/s3inlc/hashtopolis.git
sudo mkdir /var/www/hashtopolis
sudo cp -r hashtopolis/src/* /var/www/hashtopolis
sudo chown -R www-data:www-data /var/www/hashtopolis

Then, create a dedicated MySQL database and user for Hashtopolis (replace securePassword with a strong, unique password of your own):

sudo mysql -uroot -e "CREATE DATABASE hashtopolis;"
# Create the user before granting: the old "GRANT ... IDENTIFIED BY" shorthand is not accepted by MySQL 8
sudo mysql -uroot -e "CREATE USER 'hashtopolis'@'localhost' IDENTIFIED BY 'securePassword';"
sudo mysql -uroot -e "GRANT ALL ON hashtopolis.* TO 'hashtopolis'@'localhost';"
sudo mysql -uroot -e "FLUSH PRIVILEGES;"

Finally, create a configuration file for the site you're building out (for example in /etc/apache2/sites-available/hash.yourcooldomain.com.conf) with the appropriate configuration[ref]It's a good idea to enable TLS encryption for your site as well. Apache is fairly easy to set up with a completely free certificate from LetsEncrypt.[/ref]:

<VirtualHost *:80>
 ServerName hash.yourcooldomain.com
 DocumentRoot /var/www/hashtopolis
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable this site, disable the default Apache placeholder site, and reload Apache:

sudo a2dissite 000-default
sudo a2ensite hash.yourcooldomain.com
sudo systemctl reload apache2

It's a good idea to tweak your PHP settings as well to increase the memory limit and maximum upload sizes (as some of our wordlists are quite large). I also changed my Apache configuration to keep requests open as long as possible. Make any tweaks or customizations you want, then restart Apache before moving on with the installation.

Run the Installer

The first time you load your newly created site, Hashtopolis will kick off an installation automatically. Fill in your database details (using your local MySQL server on port 3306). Then set up an administrator account with a strong password.[ref]Your administrator account will have full access to jobs, configuration, and the eventual results of your cracking attempts. Keep this account safe![/ref]

Once you've set things up and logged in to verify your credentials, it's a good idea to remove the install directory from your server. This way no one can attempt to overwrite your installation and corrupt your data:

sudo rm -rf /var/www/hashtopolis/install
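As an added example (not code from the original post or from the Hashtopolis project), the script below checks the two clean-up steps in this section, that the installer directory is gone and that the web root is owned by www-data with nothing world-writable, and also verifies the PHP limits mentioned earlier (memory_limit, upload_max_filesize, post_max_size) against a chosen minimum. The default web root is the one from this write-up; the php.ini location under /etc/php/<version>/apache2/ and the minimum sizes are assumptions you should adjust.

```sh
#!/bin/sh
# Post-install checks for the Hashtopolis command server described above.
# Added example; not part of the Hashtopolis project. Default paths are the
# ones used in this write-up; the php.ini location is assumed to follow the
# Ubuntu layout /etc/php/<version>/apache2/php.ini.

# Convert a php.ini size value (512M, 2G, 65536, ...) to bytes.
# "-1" means unlimited and is mapped to the largest 64-bit value.
ini_size_to_bytes() {
    v="$1"
    case "$v" in
        -1)     echo 9223372036854775807 ;;
        *[Gg])  echo $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
        *[Mm])  echo $(( ${v%?} * 1024 * 1024 )) ;;
        *[Kk])  echo $(( ${v%?} * 1024 )) ;;
        *)      echo $(( v )) ;;
    esac
}

# Print the value of an active (uncommented) "key = value" line in a php.ini
# file; the last occurrence wins, as it does for PHP itself.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Succeed if the setting exists and is at least the required size.
check_ini_min() {
    val=$(ini_get "$1" "$2")
    [ -n "$val" ] || return 1
    [ "$(ini_size_to_bytes "$val")" -ge "$(ini_size_to_bytes "$3")" ]
}

# Succeed if the installer directory is gone from the web root.
check_install_removed() {
    [ ! -e "$1/install" ]
}

# Succeed if everything under the web root is owned by the given user and
# no file or directory is world-writable.
check_webroot_perms() {
    [ -z "$(find "$1" ! -user "$2" -print | head -n 1)" ] || return 1
    [ -z "$(find "$1" -perm -002 -print | head -n 1)" ]
}

# Run all checks against a web root and php.ini; print one line per check
# and return non-zero if any of them failed.
run_checks() {
    webroot="${1:-/var/www/hashtopolis}"
    ini="$2"
    if [ -z "$ini" ]; then
        # Assumed Ubuntu layout; the version directory differs per release.
        for f in /etc/php/*/apache2/php.ini; do [ -f "$f" ] && ini="$f"; done
    fi
    rc=0
    if check_install_removed "$webroot"; then echo "ok:   install directory removed"
    else echo "FAIL: $webroot/install still exists"; rc=1; fi
    if check_webroot_perms "$webroot" www-data; then echo "ok:   web root owned by www-data, nothing world-writable"
    else echo "FAIL: ownership or permissions wrong under $webroot"; rc=1; fi
    # Minimum sizes below are chosen for this example, not Hashtopolis requirements.
    for setting in "memory_limit 512M" "upload_max_filesize 2G" "post_max_size 2G"; do
        set -- $setting
        if [ -n "$ini" ] && check_ini_min "$ini" "$1" "$2"; then echo "ok:   $1 >= $2"
        else echo "FAIL: $1 below $2 (or php.ini not found)"; rc=1; fi
    done
    return $rc
}

# Usage: sh hashtopolis-check.sh [webroot] [php.ini]
if [ "$#" -gt 0 ]; then
    run_checks "$@"
fi
```

Run it as sh hashtopolis-check.sh /var/www/hashtopolis once the install directory has been deleted; a non-zero exit status means one of the checks still needs attention. The size comparison is done in bytes so that values written with K, M or G suffixes compare correctly against the minimum.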

Divide and Conquer

Now that your command server is set up, it's time to boot up a fleet of cracking machines and get started with cracking. But that configuration will come next week.