7MS #474: Password Cracking in the Cloud - Part 3

Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2) and sharing some awesome info on building a monster of a cracking rig in AWS!

One reason we haven't talked about password cracking in the cloud in a while is because back in winter of 2019 I built baby's first password cracking. Unfortunately, this week, Hashy (the name I gave to the rig) is overheating, and GPUs are impossible to find, so what's a pentester to do?

Well, in today's episode I talk about this article from Sevnx which walks you through building a virtual password-cracking beast in the cloud. The article (complemented by a sweet video) will get you running in short order.

WARNING: running this instance is super expensive (the author warns the instance would cost ~$9k/month if you left it run continuously).

The steps are pretty straightforward, but between reboots I found that hashcat acted all wonky. Luckily, the article addresses that with this great tip:

Pro tip: Save the Cuda download somewhere. If you ever turn your cracker off and get errors running hashcat when you turn it back on, re-run the install line. We think AWS sometimes refreshes the drivers or something and hashcat doesn't like it very much.

If you need help installing one of my fave tools, hatecrack check out my password cracking in the cloud gist. Also, our buddy Joe pointed me towards a utility called duplicut to help de-dupe large password-cracking wordlists.

Once the AWS instance is setup, what kind of stats do we get out of this demon? Here's the result of hashcat -b:

Hashmode: 0 - MD5 Speed.#1.........: 55936.1 MH/s (47.79ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 55771.4 MH/s (47.94ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 55827.0 MH/s (47.88ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 55957.7 MH/s (47.78ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 223.5 GH/s Hashmode: 100 - SHA1 Speed.#1.........: 17830.1 MH/s (75.08ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 17774.0 MH/s (75.21ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 17780.9 MH/s (75.26ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 17795.6 MH/s (75.22ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 71180.6 MH/s Hashmode: 1400 - SHA2-256 Speed.#1.........: 7709.9 MH/s (86.84ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 7718.3 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 7710.4 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 7694.4 MH/s (87.02ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 30833.0 MH/s Hashmode: 1700 - SHA2-512 Speed.#1.........: 2399.8 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 2401.1 MH/s (69.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 2397.3 MH/s (69.78ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 2400.3 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 9598.5 MH/s Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095) Speed.#1.........: 866.5 kH/s (94.23ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 866.7 kH/s (94.21ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 865.6 kH/s (94.30ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 866.7 kH/s (94.20ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 3465.5 kH/s Hashmode: 1000 - NTLM Speed.#1.........: 102.2 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 102.3 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 102.2 GH/s (26.07ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 102.3 GH/s (26.04ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 409.0 GH/s Hashmode: 3000 - LM Speed.#1.........: 41104.7 MH/s (64.74ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 40216.5 MH/s (66.11ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 40507.3 MH/s (65.89ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 39181.4 MH/s (68.13ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 161.0 GH/s Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS Speed.#1.........: 55861.0 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#2.........: 55864.3 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#3.........: 55519.4 MH/s (47.98ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#4.........: 55826.6 MH/s (47.89ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#*.........: 223.1 GH/s Hashmode: 5600 - NetNTLMv2 Speed.#1.........: 3968.0 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 3968.1 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 3965.6 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 3967.8 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 15869.5 MH/s Hashmode: 1500 - descrypt, DES (Unix), Traditional DES Speed.#1.........: 1752.8 MH/s (95.32ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 1729.3 MH/s (96.65ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 1749.5 MH/s (95.53ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 1740.6 MH/s (96.01ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 6972.3 MH/s Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) Speed.#1.........: 24882.8 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#2.........: 24828.0 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#3.........: 24865.7 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#4.........: 24849.6 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#*.........: 99426.0 kH/s Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32) Speed.#1.........: 69071 H/s (54.00ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#2.........: 68818 H/s (54.25ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#3.........: 68926 H/s (54.13ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#4.........: 69013 H/s (54.04ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#*.........: 275.8 kH/s Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) Speed.#1.........: 386.4 kH/s (84.04ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 377.9 kH/s (85.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 372.3 kH/s (86.76ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 382.7 kH/s (84.51ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 1519.3 kH/s Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth Speed.#1.........: 1177.0 MH/s (71.08ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#2.........: 1175.4 MH/s (71.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#3.........: 1171.5 MH/s (71.28ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#4.........: 1177.4 MH/s (71.05ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#*.........: 4701.3 MH/s Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP Speed.#1.........: 1068.5 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#2.........: 1069.4 MH/s (78.25ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#3.........: 1068.4 MH/s (78.32ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#4.........: 1068.6 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#*.........: 4275.0 MH/s Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999) Speed.#1.........: 148.5 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#2.........: 148.4 kH/s (93.99ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#3.........: 148.5 kH/s (93.96ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#4.........: 148.4 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#*.........: 593.8 kH/s Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899) Speed.#1.........: 80610 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 80606 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 80596 H/s (80.48ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 80378 H/s (80.46ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 322.2 kH/s Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023) Speed.#1.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#2.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#3.........: 1002.1 kH/s (78.62ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#4.........: 1002.7 kH/s (78.58ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#*.........: 4009.6 kH/s Hashmode: 11600 - 7-Zip (Iterations: 16384) Speed.#1.........: 897.6 kH/s (82.05ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#2.........: 896.4 kH/s (82.09ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#3.........: 893.3 kH/s (83.60ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#4.........: 912.4 kH/s (81.95ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#*.........: 3599.7 kH/s Hashmode: 12500 - RAR3-hp (Iterations: 262144) Speed.#1.........: 116.6 kH/s (60.91ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#2.........: 111.4 kH/s (63.61ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#3.........: 111.6 kH/s (63.63ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#4.........: 115.0 kH/s (61.81ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#*.........: 454.7 kH/s Hashmode: 13000 - RAR5 (Iterations: 32799) Speed.#1.........: 93248 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 93202 H/s (54.72ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 93009 H/s (54.70ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 93241 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 372.7 kH/s Hashmode: 6211 - TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999) Speed.#1.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#2.........: 672.1 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#3.........: 671.4 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#4.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#*.........: 2687.9 kH/s Hashmode: 13400 - KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569) Speed.#1.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 111.1 kH/s (122.55ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 111.2 kH/s (122.58ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 444.7 kH/s Hashmode: 6800 - LastPass + LastPass sniffed (Iterations: 499) Speed.#1.........: 5944.3 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#2.........: 5942.0 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#3.........: 5939.0 kH/s (35.67ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#4.........: 5943.8 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#*.........: 23769.0 kH/s Hashmode: 11300 - Bitcoin/Litecoin wallet.dat (Iterations: 200459) Speed.#1.........: 11370 H/s (73.48ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 11355 H/s (73.50ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 11369 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 11370 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 45464 H/s

For a real world example, I had ~1,500 NTLM hashes to crack that I ran through some of the hatecrack methodology, and here's how the instance performed:

• 100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-)
• Ran hatecrack's quick crackw ith no rules: done in 7 minutes, cracked 108 accounts
• Quick crack against one rule to rule them all: ran in 25 minutes, got got 271 new passwords
• Ran extensive hatecrack methodology, it ran for a little over 2 hours and got 88 new passwords.

All said and done, about 1/3 of the passwords cracked in about 3 hours. Not bad!

Don't forget, the second you're done with your cracking efforts, SHUT THE BOX DOWN! Otherwise you're in for a sour surprise come AWS billing day :-(

On a few personal notes:

• Last Comic Standing was the show I couldn't think of during the episode :-)

• After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!