Cheap Hash cracking in the cloud

Posted: Friday October 10 2014 @ 11:04am  in Category: Software

As a penetration tester, sometimes you need to check the password strength of a few Hashes you gathered. Why not using AWS for testing your hashes instead of buying expensive hardware?

So, here's my recipie, it's very simple to set up. Follow one of the 'getting-started' tutorials available for Amazon Web Services to get your SSH keys, setup firewall rules, and run the following script to start a nice G2.2xlarge GPU instance:

#!/bin/bash -x

# aws-marketplace/amzn-ami-graphics-hvm-2013.09.1.x86_64-ebs
AMI=ami-1b597c72

ec2-run-instances $AMI -z us-east-1d -k yoursshkey -g yourfwrules -t g2.2xlarge > instances
sleep 10
while true; do
    ec2-describe-instances > instances
    grep running instances && break
    sleep 5
done
INST=`cat instances
grep running
sed -n 1p
cut -f 2`
IP=`cat instances
grep running
sed -n 1p
cut -f 4`

ssh -i yoursshkey.pem ec2-user@$IP "cd /tmp
wget http://rpmfind.net/linux/epel/6/x86_64/p7zip-9.20.1-2.el6.x86_64.rpm
wget http://hashcat.net/files/cudaHashcat-1.31.7z
sudo rpm -ivh p7zip*.rpm
7za x cudaHashcat-1.31.7z
ls
"

Now your virtual server is ready for oclHashcating :-) just run a few commands like this:

ssh -i yoursshkey.pem ec2-user@$IP "cd /tmp/XXXXX
./cudaHashcat-plus64.bin -a 3  20794edc2e5c77a6775f74a5d731fdb5"

What performance do you get for $0.65/hour? About 1.4GH/s for MD5 and 2GH/s for NTLM. Enough to brute force most 8 chars passwords in less than one hour.

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3) [8]
Hash.Target....: 20794edc2e5c77a6775f74a5d731fdb5
Hash.Type......: MD5
Time.Started...: Thu Nov 28 19:58:53 2013 (5 secs)
Time.Estimated.: Thu Nov 28 21:06:09 2013 (1 hour, 5 mins)
Speed.GPU.#1...:  1465.6 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 8053063680/5533380698112 (0.15%)
Rejected.......: 0/8053063680 (0.00%)
HWMon.GPU.#1...: 99% Util, 78c Temp, -1% Fan

...
...

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2) [7]
Hash.Target....: b4b9b02e6f09a9bd760f388b67351e2c
Hash.Type......: NTLM
Time.Started...: Thu Nov 28 20:21:21 2013 (5 secs)
Time.Estimated.: Thu Nov 28 20:22:32 2013 (1 min, 2 secs)
Speed.GPU.#1...:  2039.2 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 11408506880/134960504832 (8.45%)
Rejected.......: 0/11408506880 (0.00%)
HWMon.GPU.#1...: 99% Util, 66c Temp, -1% Fan

oclHashCat lite should be even faster but I had problems running it on AWS, and of course you can easily write a script to start a distributed hash brute force on multiple AWS instances.

Have fun!

OVH hosting and Facebook apps

Posted: Thursday June 07 2012 @ 1:18pm  in Category: Software

You have a cheap hosting at OVH, and you'd like to create apps or page tabs on Facebook? The main issue is that Facebook requires that your app is available on a HTTPS website, with a valid SSL certificate... Fortunately, there's a solution even if your app is on OVH !

First, follow the basic setup part in this excellent Hyperarts tutorial.

Then, the trick is on the "Page Tabs" settings. The "Page Tab URL" could be, as shown in the tutorial "http://www.mydomain.com/facebook/mytestapp/", but if you simply add 'https' for the "Secure Page Tab URL", it won't work because the SSL certificate is not valid.

So, you have the use this URL instead: https://sslXX.ovh.net/~myovhuserid/facebook/mytestapp/ , where:

  • 'sslXX' is your OVH SSL server name and number, you can find it in your 'OVH Manager'
  • 'myovhuserid' is the same as your FTP upload account name.

Then, the follow the rest of the tutorial. Of course, to add the tab to your page use the right URL:

https://www.facebook.com/dialog/pagetab?app_id=YOUR_APP_ID&
next=https://sslXX.ovh.net/~myovhuserid/facebook/mytestapp/

(In fact there was a bug today on Facebook so I had to use this link instead:)

https://www.facebook.com/add.php?api_key=YOUR_APP_ID&pages=1

You're now ready to enjoy making 'reveal tabs' on your FB page with simple PHP code like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" type="text/css" href="style.css" />
<style type="text/css">
 body {
 width:520px;
 margin:0; padding:0; border:0;
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<div id="container">
<?
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = base64_decode(strtr($payload, '-_', '+/'));
# Yes I could have used json_decode instead of a preg_match !
if (preg_match("/liked.?:true/", $data)) {
    print "You like my page, good!";
} else {
    print "Please click on the like button above, to unlock special content!";
}
?>
</div>
</body>
</html>

Have Fun!

www.aopensource.com

Posted: Tuesday May 25 2010 @ 5:40pm  in Category: Software

Ten years after palmopensource.com, the directory of open source applications for WebOS/PalmOS, I decided to start AOpenSource.com, which is a directory of open source apps for Android and Android programming links.

Contrary to PalmOpenSource, AOpenSource will be more "up-to-date" because most links will be automatically updated from the Android Market using their "package name". And what's nice with aopensource.com is that you don't need to be on the Android Market to be listed (contrary to most other Android apps sites).

If you developed Open Source Software for Android, feel free to submit your link to the aopensource.com database ! AOpenSource.com

New Android Page and DextRootFR mod

Posted: Monday March 15 2010 @ 8:38pm  in Category: Software

I've just set-up a new page about some Android experiments:

http://www.drolez.com/software/android/

One of my 1st contribution to the Android community is a new rooted ROM for French Dext Owners: DextRootFR I saw the Motoblur 1.3.20 update coming but none of the usual modders release a rooted version, so I released my own ! I'm building a framework to easily follow official updates, and all the modified source code will be available on Sourceforge, to comply with GPL licenses, or other ones.

Enjoy !

WebOS and the vitality of Android

Posted: Friday March 05 2010 @ 9:39pm  in Category: Software

This post is a follow-up to WebOS and the death of Android !

There's no contradiction, and I still think that WebOS is still the best designed OS for smartphones : their Javascript/HTML framework is amazing, and native development on WebOS is perfect with their support of libSDL and SDL/OpenGL. Incredible 3D games are being ported to WebOS.

But Palm marketing is lame (it has always been in the past 20 years), and nobody wants to buy a WebOS device. Their market share is ridiculous.

So...I just bought a Motorola Cliq/Dext running Android to replace my old Zaurus :-) There are now thousands of high quality apps on Android, and I bet that the iPhone will have a hard time soon (the lawsuit they brought is a sign of this !!!).

WebOS and the death of Android

Posted: Friday October 09 2009 @ 10:21pm  in Category: Software

webosThe battle of Linux based smartphones has begun, and I bet that WebOS, used for the new Palm Pre, will kill Android based phones.

Why ? Because Android is not so open as it seems, it's based on Linux but it has nothing to do with Linux. Apps cannot be ported easily to the Dalvik VM ( http://en.wikipedia.org/wiki/Dalvik_virtual_machine ).

WebOS applications are written in Javascript/CSS/HTML, and lots of people know Javascript ! Moreover, all standard WebOS applications (Contacts, Calendar, etc) are also written in Javascript, so people begun to customize them easily. Do you know lots of people which started to customize their KDE or Gnome desktop when they installed their first Linux distribution ? No. The entry fee is too high. Just take a look at unofficial Pre dev forums to see how people are excited about WebOS: http://forums.precentral.net/web-os-development/

WebOS is open source for the masses, and that's the first time I see such a revolution happening in the FOSS world.

Palm WebOS rootfs now available !

Posted: Tuesday June 30 2009 @ 10:56am  in Category: Software

As the webmaster of http://www.palmopensource.com , I try to find more details about the new Palm(tm) Linux based OS: WebOS. Right now, the WebOS SDK is not available to everybody, it should be available in a few weeks, but something interesting has happened: The Palm Pre root filesystem can be downloaded here: http://palm.cdnetworks.net/rom/pre_p100eww/webosdoctorp100ewwsprint.jar

An interesting thread about that has started here: http://forums.precentral.net/web-os-development/184378-ok-rom-comes.html

Now I think it's a matter of days before this rootfs can be booted with QEmu and free/open apps start to be written for WebOS !

NEWS: And now the Mojo SDK has leaked also ! http://forums.precentral.net/web-os-development/189062-mojo-sdk-download.html

ZK vs. GWT: Server-Centric Matters !

Posted: Thursday March 13 2008 @ 6:05pm  in Category: Software

ZK is my favorite Web 2.0 toolkit. In fact, it's so powerful that I'd call it, a Web 3.0 toolkit. A true Web 3.0 toolkit where you do not have to write a single line of Javascript, which is compatible with all major Web browsers, and which allows you to write glue code in major scripting languages (Ruby, Python, Groovy, etc) even if the framework is based on Java.

In this nice article, you'll find a nice comparison between GWT and ZK. It's worth a read !

P.S.: ZK is also in the Top 10 most active projects on Sourceforge since 18 months !

Bookmark and Share

RSS 2.0 Feed