How to crack password hashes in the cloud on the cheap

Published: Fri 10 October 2014 by Ludo In Soft

As a penetration tester, sometimes you need to check the password strength of a few hashes you gathered. Why not use AWS for testing your hashes instead of buying expensive hardware?

So, here's my recipe; it's very simple to set up. Follow one of the 'getting-started' tutorials available for Amazon Web Services to get your SSH keys and set up firewall rules, then run the following script to start a nice g2.2xlarge GPU instance:

#!/bin/bash -x

# aws-marketplace/amzn-ami-graphics-hvm-2013.09.1.x86_64-ebs
AMI=ami-1b597c72

# Launch the GPU instance and capture its instance ID
INST=$(aws ec2 run-instances --region us-east-1 --key ludstestkey \
    --instance-type g2.2xlarge --image-id "$AMI" --security-groups ssh \
    --output text --query 'Instances[*].InstanceId')

# Poll until the instance leaves the "pending" state
while state=$(aws ec2 describe-instances --instance-ids "$INST" --output text \
    --query 'Reservations[*].Instances[*].State.Name'); test "$state" = "pending"; do
  sleep 2; echo -n '.'
done; echo " $state"

# Look up the public IP address of the running instance
IP=$(aws ec2 describe-instances --instance-ids "$INST" --output text \
    --query 'Reservations[*].Instances[*].PublicIpAddress')

# Install p7zip and unpack oclHashcat in /tmp on the instance
ssh -i yoursshkey.pem ec2-user@"$IP" "cd /tmp
wget http://rpmfind.net/linux/epel/6/x86_64/p7zip-9.20.1-2.el6.x86_64.rpm
wget http://hashcat.net/files/oclHashcat-plus-0.15.7z
wget http://hashcat.net/files/oclHashcat-lite-0.15.7z
sudo rpm -ivh p7zip*.rpm
7za x oclHashcat-plus-0.15.7z
7za x oclHashcat-lite-0.15.7z
ls
"

Now your virtual server is ready for oclHashcating :-) Just run a few commands like this:

ssh -i yoursshkey.pem ec2-user@$IP "cd /tmp/XXXXX
./oclHashcat-plus64.bin -a 3  20794edc2e5c77a6775f74a5d731fdb5"

What performance do you get for $0.65/hour? About 1.4 GH/s for MD5 and 2 GH/s for NTLM. That is enough to brute-force most 8-character passwords in less than one hour.

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3) [8]
Hash.Target....: 20794edc2e5c77a6775f74a5d731fdb5
Hash.Type......: MD5
Time.Started...: Thu Nov 28 19:58:53 2013 (5 secs)
Time.Estimated.: Thu Nov 28 21:06:09 2013 (1 hour, 5 mins)
Speed.GPU.#1...:  1465.6 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 8053063680/5533380698112 (0.15%)
Rejected.......: 0/8053063680 (0.00%)
HWMon.GPU.#1...: 99% Util, 78c Temp, -1% Fan

...
...

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2) [7]
Hash.Target....: b4b9b02e6f09a9bd760f388b67351e2c
Hash.Type......: NTLM
Time.Started...: Thu Nov 28 20:21:21 2013 (5 secs)
Time.Estimated.: Thu Nov 28 20:22:32 2013 (1 min, 2 secs)
Speed.GPU.#1...:  2039.2 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 11408506880/134960504832 (8.45%)
Rejected.......: 0/11408506880 (0.00%)
HWMon.GPU.#1...: 99% Util, 66c Temp, -1% Fan
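
The Progress totals in the two status blocks above are the keyspaces of the masks shown in Input.Mode. The Python below is an added example, not part of the original post: it computes a mask's keyspace and worst-case exhaust time at a given hash rate, which is the arithmetic to use when sizing a password policy against this kind of hardware. It assumes hashcat's default custom charsets (?1 = ?l?d?u, ?2 = ?l?d, ?3 = ?l?d*!$@_), which the post does not state.

```python
import string

# Character classes behind the built-in mask tokens ?l ?u ?d ?s (and ?a = all four).
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = "".join(BUILTIN.values())

# Assumption: hashcat's default custom charsets; the post does not state them.
DEFAULT_CUSTOM = {"1": "?l?d?u", "2": "?l?d", "3": "?l?d*!$@_"}


def expand(spec, custom):
    """Return the set of characters a charset spec or one mask position stands for."""
    out, i = set(), 0
    while i < len(spec):
        key = spec[i + 1] if spec[i] == "?" and i + 1 < len(spec) else None
        if key is None:
            out.add(spec[i])                      # literal character
        elif key == "?":
            out.add("?")                          # '??' is a literal question mark
        elif key in BUILTIN:
            out.update(BUILTIN[key])
        elif key in custom:
            out.update(expand(custom[key], {}))   # custom sets use built-ins only
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 1 if key is None else 2
    return out


def keyspace(mask, custom=DEFAULT_CUSTOM):
    """Number of candidates a mask generates: product of per-position set sizes."""
    total, i = 1, 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        total *= len(expand(mask[i:i + step], custom))
        i += step
    return total


def exhaust_seconds(mask, hashes_per_sec, custom=DEFAULT_CUSTOM):
    """Worst-case time to try every candidate of the mask at a constant rate."""
    return keyspace(mask, custom) / hashes_per_sec


if __name__ == "__main__":
    for mask, rate in (("?1?2?2?2?2?2?2?3", 1465.6e6), ("?a" * 8, 1465.6e6)):
        print(mask, keyspace(mask), f"{exhaust_seconds(mask, rate) / 3600:.1f} h")
```

With those charsets it reproduces both Progress totals above (5533380698112 and 134960504832). At the same MD5 rate, all 95^8 printable-ASCII 8-character candidates take about 52 days rather than about an hour.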

oclHashCat lite should be even faster but I had problems running it on AWS, and of course you can easily write a script to start a distributed hash brute force on multiple AWS instances.

Have fun!

LD. --
