
Hash Cracking with AWS EC2 P3 & Hashcat

Password cracking is a mandatory activity when you perform a pentest. Having access to a GPU cracking machine is nice from time to time, and the GPU instances that Amazon EC2 offers are a decent compromise. In this howto, I’ll share a script that installs all the packages you need to use Hashcat on a P3 instance, along with some tips for using hashcat.

1 / Some numbers

On a P3.16X Large, you can expect to crack the following hash types at the speeds listed below:

  • Hashmode: 0 – MD5
    • Speed.#*………: 448.9 GH/s
  • Hashmode: 100 – SHA1
    • Speed.#*………: 141.8 GH/s
  • Hashmode: 1400 – SHA2-256
    • Speed.#*………: 61538.2 MH/s
  • Hashmode: 1700 – SHA2-512
    • Speed.#*………: 19210.1 MH/s
  • Hashmode: 22000 – WPA-PBKDF2-PMKID+EAPOL
    • Speed.#*………: 6935.3 kH/s
  • Hashmode: 1000 – NTLM
    • Speed.#*………: 818.0 GH/s
  • Hashmode: 3000 – LM
    • Speed.#*………: 328.5 GH/s
  • Hashmode: 5500 – NetNTLMv1 / NetNTLMv1+ESS
    • Speed.#*………: 448.5 GH/s
  • Hashmode: 5600 – NetNTLMv2
    • Speed.#*………: 30432.4 MH/s
  • Hashmode: 1500 – descrypt, DES (Unix), Traditional DES
    • Speed.#*………: 13490.4 MH/s
  • Hashmode: 500 – md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000)
    • Speed.#*………: 199.1 MH/s
  • Hashmode: 3200 – bcrypt $2*$, Blowfish (Unix) (Iterations: 32)
    • Speed.#*………: 630.7 kH/s
  • Hashmode: 1800 – sha512crypt $6$, SHA512 (Unix) (Iterations: 5000)
    • Speed.#*………: 2963.5 kH/s
  • Hashmode: 7500 – Kerberos 5, etype 23, AS-REQ Pre-Auth
    • Speed.#*………: 8349.0 MH/s
  • Hashmode: 13100 – Kerberos 5, etype 23, TGS-REP
    • Speed.#*………: 8048.7 MH/s

2 / Set up the EC2 Instance

Start by logging into your AWS console. Find the EC2 section and click “Launch instance” to create your virtual machine. I suggest creating a T2.Small first and then, once all the setup is finished, switching to a P3.16X or a P3.8X. Every minute counts when you want to save some money x).

  1. Select the AMI (Amazon Machine Image) – For this tutorial I am going to use CentOS 7, SSD Volume Type
  2. Choose Instance Type – As mentioned earlier, we’ll use a T2.Small and switch to a P3.16X Large afterwards
  3. Configure Instance Details – I will leave everything at its default setting
  4. Add storage – If you have very large wordlists you may want to modify the storage; be sure to read up on how this may affect your hourly cost. Start with 50GB
  5. Add Tags – Skip
  6. Configure Security Groups – Create a new security group with the following settings
    1. Type – SSH
    2. Protocol – TCP
    3. Port Range – 22
    4. Source – Your public IP
    5. Click “Review and Launch”

3 / Installation

To install the Nvidia drivers, CUDA, Hashcat, etc., just copy & paste the script and execute it :)

3 / Hash cracking with hashcat

3.1 / Download the wordlists

3.2 / Use your own wordlist

Nothing beats a custom wordlist for a good pentest :) You can find a complete howto here: Create a custom cracking Wordlist


3.3 / Hashcat : Some tips

Don’t use hashcat with a dummy dictionary list, or “just” to perform a brute force … Use smart attack types :

  • Rule Based Attack : The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
  • Hybrid Attack : My favorite :) the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That’s why it’s called “hybrid”.

Command example of a Rule Based + Hybrid Attack :

  • hashcat -a 6 -m 9700 -w 3 hash.txt 7chars.txt ?d?d?d?d?d?d -j c -i --increment-min=1 --increment-max=6 --status -o found.txt --increment
    • ?d?d?d?d?d?d : Append digits to each word of the wordlist
    • -j c : Capitalize the first letter and lowercase the rest
    • This example is useful if you think the password is a combination of first name + birthdate ;)
  • hashcat -a 0 -m 9700 hash.txt 7chars.txt -r rules/best64.rule
    • -r rules/best64.rule : Apply the rules in best64.rule to the 7chars.txt wordlist
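To see what the speeds in section 1 mean for the hybrid command above, this added example (not part of the original post) parses three of the benchmark entries, re-typed with ASCII punctuation, and computes the worst-case time to exhaust a wordlist combined with the ?d?d?d?d?d?d mask incremented from 1 to 6. The wordlist size of 1,000,000 is a constructed value, and the benchmark speed is treated as an upper bound.

```python
import re

# Three benchmark entries from section 1, in hashcat's benchmark output format.
BENCHMARK = """\
Hashmode: 1000 - NTLM
Speed.#*.........: 818.0 GH/s
Hashmode: 5600 - NetNTLMv2
Speed.#*.........: 30432.4 MH/s
Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32)
Speed.#*.........: 630.7 kH/s
"""
UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9, "TH/s": 1e12}
# Sizes of hashcat's built-in mask charsets.
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def parse_benchmark(text):
    """Return {hash_mode: hashes_per_second} from Hashmode/Speed line pairs."""
    speeds, mode = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Hashmode:\s*(\d+)", line)
        rate = re.match(r"\s*Speed\.#\S*:\s*([\d.]+)\s*(\S+)", line)
        if head:
            mode = int(head.group(1))
        elif rate and mode is not None:
            speeds[mode] = float(rate.group(1)) * UNITS[rate.group(2)]
    return speeds


def mask_keyspace(mask, inc_min=None, inc_max=None):
    """Candidates for a built-in-charset mask; with increment, sum over each length."""
    tokens = re.findall(r"\?[ludsa]", mask)
    total = 0
    for n in range(inc_min or len(tokens), (inc_max or len(tokens)) + 1):
        size = 1
        for tok in tokens[:n]:
            size *= CHARSETS[tok]
        total += size
    return total


def hybrid_exhaust_seconds(words, mask, speed, inc_min=None, inc_max=None):
    """Worst case for -a 6: every word paired with every mask candidate.
    A single -j rule such as 'c' rewrites each word and adds no candidates."""
    return words * mask_keyspace(mask, inc_min, inc_max) / speed


if __name__ == "__main__":
    WORDS = 1_000_000  # constructed wordlist size
    for mode, speed in parse_benchmark(BENCHMARK).items():
        t = hybrid_exhaust_seconds(WORDS, "?d?d?d?d?d?d", speed, 1, 6)
        print(f"mode {mode}: {t:,.1f} s ({t / 86400:.2f} days)")
```

The bcrypt entry is benchmarked at 32 iterations; hashes stored with a higher cost factor scale the exhaust time up proportionally.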

4 / To go further

You can put the script in the EC2 creation process :

You can also add some wordlist links to be automatically downloaded. So, your instance will be ready immediately and you can start cracking.

:) Do not hesitate to comment or to make your remarks below


About Alexandre Nogard
