A few months ago I wanted to test out utilizing GCP resources for cracking passwords. The process was relatively straightforward: provision some GPUs, set up an instance with the correct cracking software, and use a lot of compute resources.
Note: You’ll need a GCP account and the Google Cloud SDK installed.
Repo for all the scripts in this post.
I really just need a few GPUs with a decent hashrate. Google has a bunch of GPUs to choose from. I went with the NVIDIA Tesla K80, which gets a hashrate of 15Mh/s when mining Ethereum. At this point it's worth noting that Google has policies around mining using their cloud resources - and don't use stolen credit cards to pay for cloud mining resources.
For setup, I wrote the following bash script that really just does the following create instance command:
It will create a standard instance running Ubuntu with a configurable number of GPUs. Once the instance exists, SSH in with:
Before installing, switch to root so you have sudo on the new instance:
I wrote an install script which handles the installation and configuration. It completes the following steps:
Install and Configure CUDA
wget https://hashcat.net/files/hashcat-5.1.0.7z
p7zip -d hashcat-5.1.0.7z
ls /usr/bin/ | grep -i hash
sudo cp hashcat-5.1.0/hashcat64.bin /usr/bin/
sudo ln -s /usr/bin/hashcat64.bin /usr/bin/hashcat
sudo cp -Rv hashcat-5.1.0/OpenCL/ /usr/bin/
sudo cp hashcat-5.1.0/hashcat.hcstat2 /usr/bin/
sudo cp hashcat-5.1.0/hashcat.hctune /usr/bin/
You can test that Hashcat is installed properly and is recognizing your GPU by running:
Potential solutions for OpenCL Runtime Issues
The following has installation instructions for OpenCL runtimes depending on your CPU: OpenCL install
Download Password Lists
Hashcat can be configured depending on how quickly or how thoroughly you want to crack passwords.
You’ll need to know the hash type for all of the cracking bash scripts.
Here are some example MD5 hashes that I put in a file called test_hashes.txt that I generated with the following script:
2ac9cb7dc02b3c0083eb70898e549b63
eb61eead90e3b899c6bcbe27ac581660
958152288f2d2303ae045cffc43a02cd
6d3875b42bba48c5f9be3a667ad817a1
2c9341ca4cf3d87b9e4eb905d6a3ec45
75b71aa6842e450f12aca00fdf54c51d
A basic run involves just using the rockyou.txt password list.
Here's the script for the basic run:
This will crack 5/6 of the hashes and put them in
The hash that the basic attack missed was 6d3875b42bba48c5f9be3a667ad817a1, which is the MD5 of mYSECRET. These are the same characters as the password it did crack, MYSECRET, but with the first character lowercased and the rest uppercased.
Using a ruleset we can permute the wordlist in rockyou.txt to contain more variations of the existing word set. For example, the transformation described above is the rule C, which is something that Hob0rules will try. More on rule-based cracking and the statistics behind it can be found here.
For a step up from just using rockyou.txt, we can additionally use
Here's the script for the rule-based attack, which runs the following:
Now the output should show all 6/6 hashes cracked.
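Why the rule C recovers the hash that the plain wordlist run missed, as an added example that is not part of the original post or its repo: a handful of hashcat's case rules are reimplemented in Python and applied to a constructed three-word list. The names `crack`, `candidates`, `WORDLIST` and `TARGETS` are hypothetical, and every sample password other than MYSECRET/mYSECRET is made up for the demonstration.

```python
import hashlib

# Subset of hashcat rule functions, reimplemented for illustration.
RULES = {
    ":": lambda w: w,                              # no-op, the plain wordlist
    "l": str.lower,                                # lowercase everything
    "u": str.upper,                                # uppercase everything
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize first, lowercase rest
    "C": lambda w: w[:1].lower() + w[1:].upper(),  # lowercase first, uppercase rest
    "t": str.swapcase,                             # toggle case of every character
}

def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()

def candidates(wordlist, rules):
    """Yield (candidate, rule) for every word/rule pair, as a rule file would."""
    for word in wordlist:
        for rule in rules:
            yield RULES[rule](word), rule

def crack(targets, wordlist, rules=(":",)):
    """Return {hash: (plaintext, rule)} for each target hash that was recovered."""
    remaining = set(targets)
    found = {}
    for cand, rule in candidates(wordlist, rules):
        digest = md5_hex(cand)
        if digest in remaining:
            found[digest] = (cand, rule)
            remaining.discard(digest)
    return found

# Constructed sample data: the wordlist holds only the "base" words.
WORDLIST = ["password", "MYSECRET", "letmein"]
TARGETS = [md5_hex(p) for p in ("MYSECRET", "mYSECRET", "Letmein")]

def demo():
    straight = crack(TARGETS, WORDLIST)                      # wordlist only
    ruled = crack(TARGETS, WORDLIST, rules=(":", "c", "C"))  # wordlist + case rules
    return len(straight), len(ruled), ruled[md5_hex("mYSECRET")]

if __name__ == "__main__":
    print(demo())
```

For password auditing the takeaway is that a case variation of a listed word costs only one extra candidate per rule, so it adds essentially no strength.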
There's a lot of conversation on making password cracking run faster with hashcat. Enabling more GPUs and other magic will speed up cracking.
Additionally, password cracking is related to an array of other subjects like analyzing writing style and codex analysis.