7MS #474: Password Cracking in the Cloud - Part 3
7 Minute Security30 Kesä 2021

7MS #474: Password Cracking in the Cloud - Part 3

Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2) and sharing some awesome info on building a monster of a cracking rig in AWS!

One reason we haven't talked about password cracking in the cloud in a while is because back in winter of 2019 I built baby's first password cracking. Unfortunately, this week, Hashy (the name I gave to the rig) is overheating, and GPUs are impossible to find, so what's a pentester to do?

Well, in today's episode I talk about this article from Sevnx which walks you through building a virtual password-cracking beast in the cloud. The article (complemented by a sweet video) will get you running in short order.

WARNING: running this instance is super expensive (the author warns the instance would cost ~$9k/month if you left it run continuously).

The steps are pretty straightforward, but between reboots I found that hashcat acted all wonky. Luckily, the article addresses that with this great tip:

Pro tip: Save the Cuda download somewhere. If you ever turn your cracker off and get errors running hashcat when you turn it back on, re-run the install line. We think AWS sometimes refreshes the drivers or something and hashcat doesn't like it very much.

If you need help installing one of my fave tools, hatecrack check out my password cracking in the cloud gist. Also, our buddy Joe pointed me towards a utility called duplicut to help de-dupe large password-cracking wordlists.

Once the AWS instance is setup, what kind of stats do we get out of this demon? Here's the result of hashcat -b:

Hashmode: 0 - MD5 Speed.#1.........: 55936.1 MH/s (47.79ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 55771.4 MH/s (47.94ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 55827.0 MH/s (47.88ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 55957.7 MH/s (47.78ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 223.5 GH/s Hashmode: 100 - SHA1 Speed.#1.........: 17830.1 MH/s (75.08ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 17774.0 MH/s (75.21ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 17780.9 MH/s (75.26ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 17795.6 MH/s (75.22ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 71180.6 MH/s Hashmode: 1400 - SHA2-256 Speed.#1.........: 7709.9 MH/s (86.84ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 7718.3 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 7710.4 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 7694.4 MH/s (87.02ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 30833.0 MH/s Hashmode: 1700 - SHA2-512 Speed.#1.........: 2399.8 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 2401.1 MH/s (69.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 2397.3 MH/s (69.78ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 2400.3 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 9598.5 MH/s Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095) Speed.#1.........: 866.5 kH/s (94.23ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 866.7 kH/s (94.21ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 865.6 kH/s (94.30ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 866.7 kH/s (94.20ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 3465.5 kH/s Hashmode: 1000 - NTLM Speed.#1.........: 102.2 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 102.3 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 102.2 GH/s (26.07ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 102.3 GH/s (26.04ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 409.0 GH/s Hashmode: 3000 - LM Speed.#1.........: 41104.7 MH/s (64.74ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 40216.5 MH/s (66.11ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 40507.3 MH/s (65.89ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 39181.4 MH/s (68.13ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 161.0 GH/s Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS Speed.#1.........: 55861.0 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#2.........: 55864.3 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#3.........: 55519.4 MH/s (47.98ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#4.........: 55826.6 MH/s (47.89ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#*.........: 223.1 GH/s Hashmode: 5600 - NetNTLMv2 Speed.#1.........: 3968.0 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 3968.1 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 3965.6 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 3967.8 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 15869.5 MH/s Hashmode: 1500 - descrypt, DES (Unix), Traditional DES Speed.#1.........: 1752.8 MH/s (95.32ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 1729.3 MH/s (96.65ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 1749.5 MH/s (95.53ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 1740.6 MH/s (96.01ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 6972.3 MH/s Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) Speed.#1.........: 24882.8 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#2.........: 24828.0 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#3.........: 24865.7 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#4.........: 24849.6 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#*.........: 99426.0 kH/s Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32) Speed.#1.........: 69071 H/s (54.00ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#2.........: 68818 H/s (54.25ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#3.........: 68926 H/s (54.13ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#4.........: 69013 H/s (54.04ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#*.........: 275.8 kH/s Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) Speed.#1.........: 386.4 kH/s (84.04ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 377.9 kH/s (85.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 372.3 kH/s (86.76ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 382.7 kH/s (84.51ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 1519.3 kH/s Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth Speed.#1.........: 1177.0 MH/s (71.08ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#2.........: 1175.4 MH/s (71.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#3.........: 1171.5 MH/s (71.28ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#4.........: 1177.4 MH/s (71.05ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#*.........: 4701.3 MH/s Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP Speed.#1.........: 1068.5 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#2.........: 1069.4 MH/s (78.25ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#3.........: 1068.4 MH/s (78.32ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#4.........: 1068.6 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#*.........: 4275.0 MH/s Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999) Speed.#1.........: 148.5 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#2.........: 148.4 kH/s (93.99ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#3.........: 148.5 kH/s (93.96ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#4.........: 148.4 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#*.........: 593.8 kH/s Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899) Speed.#1.........: 80610 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 80606 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 80596 H/s (80.48ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 80378 H/s (80.46ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 322.2 kH/s Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023) Speed.#1.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#2.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#3.........: 1002.1 kH/s (78.62ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#4.........: 1002.7 kH/s (78.58ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#*.........: 4009.6 kH/s Hashmode: 11600 - 7-Zip (Iterations: 16384) Speed.#1.........: 897.6 kH/s (82.05ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#2.........: 896.4 kH/s (82.09ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#3.........: 893.3 kH/s (83.60ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#4.........: 912.4 kH/s (81.95ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#*.........: 3599.7 kH/s Hashmode: 12500 - RAR3-hp (Iterations: 262144) Speed.#1.........: 116.6 kH/s (60.91ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#2.........: 111.4 kH/s (63.61ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#3.........: 111.6 kH/s (63.63ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#4.........: 115.0 kH/s (61.81ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#*.........: 454.7 kH/s Hashmode: 13000 - RAR5 (Iterations: 32799) Speed.#1.........: 93248 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 93202 H/s (54.72ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 93009 H/s (54.70ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 93241 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 372.7 kH/s Hashmode: 6211 - TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999) Speed.#1.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#2.........: 672.1 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#3.........: 671.4 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#4.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#*.........: 2687.9 kH/s Hashmode: 13400 - KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569) Speed.#1.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 111.1 kH/s (122.55ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 111.2 kH/s (122.58ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 444.7 kH/s Hashmode: 6800 - LastPass + LastPass sniffed (Iterations: 499) Speed.#1.........: 5944.3 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#2.........: 5942.0 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#3.........: 5939.0 kH/s (35.67ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#4.........: 5943.8 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#*.........: 23769.0 kH/s Hashmode: 11300 - Bitcoin/Litecoin wallet.dat (Iterations: 200459) Speed.#1.........: 11370 H/s (73.48ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 11355 H/s (73.50ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 11369 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 11370 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 45464 H/s

For a real world example, I had ~1,500 NTLM hashes to crack that I ran through some of the hatecrack methodology, and here's how the instance performed:

  • 100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-)
  • Ran hatecrack's quick crackw ith no rules: done in 7 minutes, cracked 108 accounts
  • Quick crack against one rule to rule them all: ran in 25 minutes, got got 271 new passwords
  • Ran extensive hatecrack methodology, it ran for a little over 2 hours and got 88 new passwords.

All said and done, about 1/3 of the passwords cracked in about 3 hours. Not bad!

Don't forget, the second you're done with your cracking efforts, SHUT THE BOX DOWN! Otherwise you're in for a sour surprise come AWS billing day :-(

On a few personal notes:

  • Last Comic Standing was the show I couldn't think of during the episode :-)

  • After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!

Jaksot(682)

7MS #683: What I'm Working on This Week - Part 4

7MS #683: What I'm Working on This Week - Part 4

This week I’m working on a mixed bag of fun security and marketing things: A pentest I’m stuck on My latest lab CTF obsession: Ninja Hacker Academy A cool “about 7MinSec” marketing video that was recorded in a pro studio!

12 Heinä 30min

7MS #682: Securing Your Family During and After a Disaster – Part 7

7MS #682: Securing Your Family During and After a Disaster – Part 7

Today’s episode is a downer! We talk about things you might want to have buttoned up for when you are eventually not alive anymore: Living will Buried vs. cremated? Funeral plans Funeral PHOTOS? I also talk about how my dad broke his ribs while trying to break a chimpmunk, and how a freak 4-wheeler accident also had my ribs in agony.

4 Heinä 30min

7MS #681: Pentesting GOAD – Part 3

7MS #681: Pentesting GOAD – Part 3

Today Joe “The Machine” Skeen and I pwn the third and final realm in the world of GOAD (Game of Active Directory): essos.local!  The way we go about it is to do a WinRM connection to our previously-pwned Kingslanding domain, coerce authentication out of MEEREEN (the DC for essos.local) and then capture/abuse the TGT with Rubeus!  Enjoy.

27 Kesä 18min

7MS #680: Tips for a Better Purple Team Experience

7MS #680: Tips for a Better Purple Team Experience

Today I share some tips on creating a better purple team experience for your customers, including: Setting up communication channels and cadence Giving a heads-up on highs/criticals during testing (not waiting until report time) Where appropriate, record videos of attacks to give them more context

20 Kesä 26min

7MS #679: Tales of Pentest Pwnage – Part 73

7MS #679: Tales of Pentest Pwnage – Part 73

In today’s tale of pentest pwnage I talk about a cool ADCS ESC3 attack – which I also did live on this week’s Tuesday TOOLSday.  I also talk about Exegol’s licensing plans (and how it might break your pentest deployments if you use ProxmoxRox).

13 Kesä 30min

7MS #678: How to Succeed in Business Without Really Crying – Part 22

7MS #678: How to Succeed in Business Without Really Crying – Part 22

Today I share some tips on presenting a wide variety of content to a wide variety of audiences, including: Knowing your audience before you touch PowerPoint Understanding your presentation physical hookups and presentation surfaces A different way to screen-share via Teams that makes resolution/smoothness way better!

6 Kesä 33min

7MS #677: That One Time I Was a Victim of a Supply Chain Attack

7MS #677: That One Time I Was a Victim of a Supply Chain Attack

Hi everybody. Today I take it easy (because my brain is friend from the short week) to tell you about the time I think my HP laptop was compromised at the factory!

30 Touko 13min

7MS #676: Tales of Pentest Pwnage – Part 72

7MS #676: Tales of Pentest Pwnage – Part 72

Today’s fun tale of pentest pwnage discuss an attack path that would, in my opinion, probably be impossible to detect…until it’s too late.

27 Touko 59min

Suosittua kategoriassa Politiikka ja uutiset

rss-podme-livebox
ootsa-kuullut-tasta-2
aikalisa
otetaan-yhdet
politiikan-puskaradio
et-sa-noin-voi-sanoo-esittaa
rss-vaalirankkurit-podcast
rikosmyytit
aihe
rss-mina-ukkola
the-ulkopolitist
rss-hyvaa-huomenta-bryssel
rss-raha-talous-ja-politiikka
rss-kyselytunti
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
rss-kalevi-sorsa-saation-podcast
rss-suoraan-asiaan
rss-kaikki-paskaksi-ystavat
rss-kaikki-uusiksi
rss-tyolinjalla-pekka-sauri