Home / Security / Hacking / Hash Cracking with AWS EC2 P3 & Hashcat

Hash Cracking with AWS EC2 P3 & Hashcat

Password cracking is a mandatory activity when you perform a pentest. Having access to a GPU cracking machine would be nice from time to time however and the GPU systems that Amazon EC2 supports offers a decent compromise. In this howto, I’ll share with you a script that let you install all packages you need to use Hashcat on a P3 Instance & some tips to use hashcat.

1 / Some numbers

On a P3.16X Large, you can hope to crack the following hashes with the speed announced below :

  • Hashmode: 0 – MD5
    • Speed.#*………: 448.9 GH/s
  • Hashmode: 100 – SHA1
    • Speed.#*………: 141.8 GH/s
  • Hashmode: 1400 – SHA2-256
    • Speed.#*………: 61538.2 MH/s
  • Hashmode: 1700 – SHA2-512
    • Speed.#*………: 19210.1 MH/s
  • Hashmode: 22000 – WPA-PBKDF2-PMKID+EAPOL
    • Speed.#*………: 6935.3 kH/s
  • Hashmode: 1000 – NTLM
    • Speed.#*………: 818.0 GH/s
  • Hashmode: 3000 – LM
    • Speed.#*………: 328.5 GH/s
  • Hashmode: 5500 – NetNTLMv1 / NetNTLMv1+ESS
    • Speed.#*………: 448.5 GH/s
  • Hashmode: 5600 – NetNTLMv2
    • Speed.#*………: 30432.4 MH/s
  • Hashmode: 1500 – descrypt, DES (Unix), Traditional DES
    • Speed.#*………: 13490.4 MH/s
  • Hashmode: 500 – md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000)
    • Speed.#*………: 199.1 MH/s
  • Hashmode: 3200 – bcrypt $2*$, Blowfish (Unix) (Iterations: 32)
    • Speed.#*………: 630.7 kH/s
  • Hashmode: 1800 – sha512crypt $6$, SHA512 (Unix) (Iterations: 5000)
    • Speed.#*………: 2963.5 kH/s
  • Hashmode: 7500 – Kerberos 5, etype 23, AS-REQ Pre-Auth
    • Speed.#*………: 8349.0 MH/s
  • Hashmode: 13100 – Kerberos 5, etype 23, TGS-REP
    • Speed.#*………: 8048.7 MH/s

2 / Setup the EC2 Instance

Start by logging into your AWS console. Find the EC2 section, and click “launch instance” to create your virtual machine. I suggest you to create a T2.Small, then, when you finish all the setup, switch to a P3.16X or a P3.8X. Each minute count to save some money x).

  1. Select the AMI (Amazon Machine Image) – For this tutorial I am going to use CentOs 7 , SSD Volume Type
  2. Choose Instance Type – As mentioned earlier, we’ll use a T2.Small, and switch after to a P3.16X Large
  3. Configure Instance Details – I will leave everything as it’s default setting
  4. Add storage – If you have very large word-lists you may want to modify the storage, be sure to read up on how this may effect your hourly cost. Start with 50GB
  5. Add Tags – Skip
  6. Configure Security Groups – You want to create a new security group with the following settings
    1. Type – SSH
    2. Protocol – TCP
    3. Port Range – 22
    4. Source – Your public IP
    5. Click “Review and Launch

3 / Installation

To install the Nvidia Drivers, cuda,Hashcat … , Just copy & paste the script and execute it :)

#!/bin/bash
# Update
sudo yum -y update
sudo bash -c "echo 'blacklist nouveau' > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo bash -c "echo 'options nouveau modeset=0' >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
# Install Prerequisites
sudo yum -y group install "Development Tools"
sudo yum -y install kernel-devel-$(uname -r) kernel-headers-$(uname -r)
sudo yum -y install epel-release
sudo yum-config-manager --add-repo http://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/cuda-rhel7.repo
sudo yum clean expire-cache
# Install Nvidia driver & enable it
sudo yum -y install nvidia-driver-latest-dkms
sudo yum -y install cuda
sudo yum -y install cuda-drivers
sudo setenforce 0
sudo systemctl enable nvidia-persistenced
# Install Hashcat
sudo yum -y install hashcat

3 / Hash cracking with hashcat

3.1 / Download the wordlists

3.2 / Use your own wordlist

Nothing better than a custom wordlist to perform a good pentest :) You can find a complete howto here : Create a custom cracking Wordlist

3.3 / Hashcat : Some tips

Dont use hashcat with a dummy dictionnary list, or “just” to perform a bruteforce … Use smart attack types :

  • Rule Based Attack : The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
  • Hybrid Attack : My favorite :) the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That’s why it’s called “hybrid”.

Command example of a Rule Based + Hybrid Attack :

  • hashcat -a 6 -m 9700 -w 3 hash.txt 7chars.txt ?d?d?d?d?d?d -j c -i –increment-min=1 –increment-max=6 –status -o found.txt –increment
    • ?d?d?d?d?d?d : Add num chars avec each word of the wordlist
    • -j c : Capitalize the first letter and lower the rest
    • This example is usefull if you think the password is a combination of First name + Birthdate ;)
  • hashcat -a 0 -m 9700 hash.txt 7chats.txt -r rules/best64.rule
    • -r rules/best64.rule : Use the best64.rule combined to 7chars.txt wordlist

4 / To go further

You can put the script in the EC2 creation process :

You can also add some wordlist links to be automatically downloaded. So, your instance will be ready immediately and you can start cracking.

:) Do not hesitate to comment or to make your remarks below

About Alexandre Nogard

Check Also

Forcepoint : Deploy the SMC on AWS | Part III

Learn how to deploy the Forcepoint SMC & Log Server on AWS behind a NGFW Firewall with a VPC, in a public & private subnet and an Elastic IP

Forcepoint : Deploy the SMC on AWS | Part II

In the first Howto Forcepoint : Deploy the SMC on AWS | Part I, we …

Forcepoint : Deploy the SMC on AWS | Part I

How to deploy Forcepoint SMC (Security Management Center) on AWS ? This is a good …

Leave a Reply

Your email address will not be published.