Password cracking is a mandatory activity when you perform a pentest. Having access to a GPU cracking machine from time to time would be nice, and the GPU instances that Amazon EC2 offers are a decent compromise. In this howto, I’ll share a script that installs all the packages you need to run Hashcat on a P3 instance, plus some tips for using hashcat.
1 / Some numbers
On a P3.16X Large, you can expect to crack the following hashes at the speeds listed below:
- Hashmode 0 – MD5: 448.9 GH/s
- Hashmode 100 – SHA1: 141.8 GH/s
- Hashmode 1400 – SHA2-256: 61538.2 MH/s
- Hashmode 1700 – SHA2-512: 19210.1 MH/s
- Hashmode 22000 – WPA-PBKDF2-PMKID+EAPOL: 6935.3 kH/s
- Hashmode 1000 – NTLM: 818.0 GH/s
- Hashmode 3000 – LM: 328.5 GH/s
- Hashmode 5500 – NetNTLMv1 / NetNTLMv1+ESS: 448.5 GH/s
- Hashmode 5600 – NetNTLMv2: 30432.4 MH/s
- Hashmode 1500 – descrypt, DES (Unix), Traditional DES: 13490.4 MH/s
- Hashmode 500 – md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000): 199.1 MH/s
- Hashmode 3200 – bcrypt $2*$, Blowfish (Unix) (Iterations: 32): 630.7 kH/s
- Hashmode 1800 – sha512crypt $6$, SHA512 (Unix) (Iterations: 5000): 2963.5 kH/s
- Hashmode 7500 – Kerberos 5, etype 23, AS-REQ Pre-Auth: 8349.0 MH/s
- Hashmode 13100 – Kerberos 5, etype 23, TGS-REP: 8048.7 MH/s
2 / Setup the EC2 Instance
Start by logging into your AWS console. Find the EC2 section, and click “launch instance” to create your virtual machine. I suggest creating a T2.Small first, then, once all the setup is finished, switching to a P3.16X or a P3.8X. Every minute counts when it comes to saving money x).
- Select the AMI (Amazon Machine Image) – For this tutorial I am going to use CentOS 7, SSD Volume Type
- Choose Instance Type – As mentioned earlier, we’ll use a T2.Small, and switch afterwards to a P3.16X Large
- Configure Instance Details – I will leave everything at its default setting
- Add storage – If you have very large wordlists you may want to modify the storage; be sure to read up on how this may affect your hourly cost. Start with 50GB
- Add Tags – Skip
- Configure Security Groups – You want to create a new security group with the following settings
  - Type – SSH
  - Protocol – TCP
  - Port Range – 22
  - Source – Your public IP
- Click “Review and Launch”
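To check that the security group really matches the settings above (SSH only, source limited to your own address), here is an added example that is not part of the original post. It audits JSON shaped like the output of `aws ec2 describe-security-groups`; the group IDs and addresses are constructed placeholders and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs are placeholders; addresses come from documentation ranges.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-EXAMPLE-A", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-EXAMPLE-B", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")


def rule_problems(perm, cidr, me):
    """Compare one ingress rule and source range with the tutorial's setting."""
    problems = []
    # IpProtocol "-1" means every protocol and port; such rules carry no ports.
    only_ssh = (perm["IpProtocol"] == "tcp"
                and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)
    if not only_ssh:
        problems.append("exposes more than TCP/22")
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses != 1:
        problems.append("source wider than a single host")
    elif me not in net:
        problems.append("source is not your IP")
    return problems


def audit(described, my_ip):
    """Return (group_id, cidr, problem) for every deviation found."""
    me = ipaddress.ip_address(my_ip)
    findings = []
    for sg in described["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings += [(sg["GroupId"], cidr, p)
                             for p in rule_problems(perm, cidr, me)]
    return findings
```

Rules whose source is another security group rather than a CIDR range are not covered by this check.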
3 / Installation
To install the Nvidia drivers, CUDA, Hashcat, etc., just copy and paste the script below and execute it :)

```bash
#!/bin/bash

# Update
sudo yum -y update

# Blacklist the nouveau driver so it does not conflict with the Nvidia driver
sudo bash -c "echo 'blacklist nouveau' > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo bash -c "echo 'options nouveau modeset=0' >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"

# Install Prerequisites
sudo yum -y group install "Development Tools"
sudo yum -y install kernel-devel-$(uname -r) kernel-headers-$(uname -r)
sudo yum -y install epel-release
sudo yum-config-manager --add-repo http://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/cuda-rhel7.repo
sudo yum clean expire-cache

# Install Nvidia driver & enable it
sudo yum -y install nvidia-driver-latest-dkms
sudo yum -y install cuda
sudo yum -y install cuda-drivers
# Switch SELinux to permissive mode (setenforce does not persist across reboots)
sudo setenforce 0
sudo systemctl enable nvidia-persistenced

# Install Hashcat
sudo yum -y install hashcat
```
3 / Hash cracking with hashcat
3.1 / Download the wordlists
3.2 / Use your own wordlist
Nothing better than a custom wordlist to perform a good pentest :) You can find a complete howto here : Create a custom cracking Wordlist
3.3 / Hashcat : Some tips
Don’t use hashcat with a dummy dictionary list, or “just” to perform a brute-force... Use smart attack types:
- Rule Based Attack : The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
- Hybrid Attack : My favorite :) the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That’s why it’s called “hybrid”.
Command example of a Rule Based + Hybrid Attack :
- hashcat -a 6 -m 9700 -w 3 hash.txt 7chars.txt '?d?d?d?d?d?d' -j c --increment --increment-min=1 --increment-max=6 --status -o found.txt
  - ?d?d?d?d?d?d : Add numeric characters to each word of the wordlist
  - -j c : Capitalize the first letter and lower the rest
  - This example is useful if you think the password is a combination of First name + Birthdate ;)
- hashcat -a 0 -m 9700 hash.txt 7chars.txt -r rules/best64.rule
  - -r rules/best64.rule : Use the best64.rule combined with the 7chars.txt wordlist
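To see what the hybrid command above costs against different hash types, here is an added example (not from the original post) that computes the candidate count of a wordlist plus incremented mask and divides it by the benchmark speeds from section 1. The wordlist size is an assumed value, the function names are hypothetical, and because the benchmark figures are raw speeds the results are lower bounds.

```python
import math
import re

# Sizes of hashcat's built-in mask charsets; "??" is a literal question mark.
CHARSET = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95, "??": 1}
UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9}

# Speeds copied from the P3.16X Large list in section 1.
BENCH = {
    "NTLM": "818.0 GH/s",
    "NetNTLMv2": "30432.4 MH/s",
    "sha512crypt": "2963.5 kH/s",
    "bcrypt (32 iterations)": "630.7 kH/s",
}


def parse_speed(text):
    """'30432.4 MH/s' -> hashes per second as a float."""
    value, unit = text.split()
    return float(value) * UNITS[unit]


def mask_keyspace(mask, inc_min=None, inc_max=None):
    """Candidates a mask generates. With increment, hashcat runs the mask
    truncated to each length from inc_min to inc_max, so the sizes add up."""
    tokens = re.findall(r"\?.|[^?]", mask)
    sizes = [CHARSET[t] if t.startswith("?") else 1 for t in tokens]
    if inc_min is None:
        return math.prod(sizes)
    return sum(math.prod(sizes[:n]) for n in range(inc_min, inc_max + 1))


def hybrid_seconds(words, mask, speed, inc_min=None, inc_max=None):
    """Lower bound on the time to exhaust a -a 6 attack (wordlist + mask)."""
    return words * mask_keyspace(mask, inc_min, inc_max) / parse_speed(speed)


if __name__ == "__main__":
    WORDS = 1_000_000  # assumed wordlist size, not a figure from the post
    for name, speed in BENCH.items():
        secs = hybrid_seconds(WORDS, "?d?d?d?d?d?d", speed, 1, 6)
        print(f"{name:24s} {secs:14.1f} s  ({secs / 86400:.2f} days)")
```

The same keyspace that NTLM gives up in about a second takes roughly three weeks against bcrypt even at the benchmark's 32 iterations, which is why the hash type matters more than the hardware when reporting a cracked password.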
4 / To go further
You can put the script in the EC2 creation process :

You can also add some wordlist links to be automatically downloaded. So, your instance will be ready immediately and you can start cracking.
:) Do not hesitate to comment or to make your remarks below