Password Cracking in GCP (FOR FUN)

May 16th, 2020

A few months ago I wanted to test out utilizing GCP resources for cracking passwords. The process was relatively straightforward: provision some GPUs, set up an instance with the correct cracking software, and use a lot of compute resources.

Note: You’ll need a GCP account and the Google Cloud SDK installed.

Repo for all the scripts in this post.

Google Cloud

I really just need a few GPUs with a decent hashrate. Google has a bunch of GPUs to choose from. I went with the NVIDIA Tesla K80, which gets a hashrate of 15Mh/s when mining Ethereum. At this point it’s worth noting that Google has policies around mining using their cloud resources - and don’t use stolen credit cards to pay for cloud mining resources.

For setup, I wrote the following bash script, which really just runs the following create-instance command:

gcloud compute instances create <INSTANCE_NAME> \
        --machine-type n1-standard-4 \
        --zone europe-west1-b \
        --accelerator type=nvidia-tesla-k80,count=1 \
        --image-family ubuntu-1604-lts \
        --image-project ubuntu-os-cloud \
        --maintenance-policy TERMINATE \
        --restart-on-failure

It will create a standard instance running Ubuntu with a configurable number of GPUs. Once the instance exists, SSH in with:

gcloud compute ssh <INSTANCE_NAME>

Installation

Before installing, switch to root so you have sudo on the new instance:

sudo su - 

I wrote an install script which handles the installation and configuration. It completes the following steps:

Install and Configure CUDA

sudo apt install ocl-icd-libopencl1 nvidia-cuda-toolkit -y
nvidia-smi
sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt-get update
sudo apt-get install mesa-common-dev freeglut3-dev -y

CUDA installation

Install Hashcat

wget https://hashcat.net/files/hashcat-5.1.0.7z
p7zip -d hashcat-5.1.0.7z

ls /usr/bin/ | grep -i hash
sudo cp hashcat-5.1.0/hashcat64.bin /usr/bin/
sudo ln -s /usr/bin/hashcat64.bin /usr/bin/hashcat
sudo cp -Rv hashcat-5.1.0/OpenCL/ /usr/bin/
sudo cp hashcat-5.1.0/hashcat.hcstat2 /usr/bin/
sudo cp hashcat-5.1.0/hashcat.hctune /usr/bin/

You can test that Hashcat is installed properly and is recognizing your GPU by running:

hashcat --benchmark

Hashcat GPU configuration

Potential solutions for OpenCL Runtime Issues

The following has installation instructions for OpenCL runtimes depending on your CPU: OpenCL install

Download Password Lists

git clone https://github.com/praetorian-inc/Hob0Rules
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Cracking

Hashcat can be configured for how quick or how thorough you want a cracking run to be.

You’ll need to know the hash type for all of the cracking bash scripts.

Here are some example MD5 hashes that I put in a file called test_hashes.txt, which I generated with the following script:

2ac9cb7dc02b3c0083eb70898e549b63
eb61eead90e3b899c6bcbe27ac581660
958152288f2d2303ae045cffc43a02cd
6d3875b42bba48c5f9be3a667ad817a1
2c9341ca4cf3d87b9e4eb905d6a3ec45
75b71aa6842e450f12aca00fdf54c51d

Hashcat completed job output

Basic

A basic run involves just using the rockyou.txt password list.

Here’s the script for the basic run:

sudo hashcat -m 0 -o cracked_basic.txt test_hashes.txt rockyou.txt

This will crack 5/6 of the hashes and put them in cracked_basic.txt.

Rule

The hash that the basic attack missed was 6d3875b42bba48c5f9be3a667ad817a1, which is the MD5 of mYSECRET. These are the same characters as the password it did crack, MYSECRET, but the first character is lowercased and the rest are uppercased.

Using a ruleset, we can mutate the words in rockyou.txt to produce more variations of the existing wordlist. For example, the transformation above is rule C, which is something that Hob0Rules will try. More on rule-based cracking and the statistics behind it can be found here.

For a step up from just using rockyou.txt, we can additionally use Hob0Rules.

Here’s the script for the rule-based attack, which runs the following:

hashcat -m 0 -o cracked_rule.txt -r Hob0Rules/hob064.rule test_hashes.txt rockyou.txt

Now the output should show all 6/6 hashes cracked.
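Why a wordlist-only pass misses a case variant that a rule pass finds, as an added Python sketch that is not from this post's repo or from hashcat itself: it implements a small subset of hashcat's rule functions (:, l, u, c, C, t, r, $X, ^X) and compares the two passes. The function names, wordlist and target hashes are constructed for illustration.

```python
import hashlib

def apply_rule(rule, word):
    """Apply one hashcat-style rule line (functions run left to right)."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":                      # ':' is a no-op; spaces separate functions
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                     # capitalize first, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":                     # lowercase first, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":                     # toggle the case of every character
            word = word.swapcase()
        elif op == "r":                     # reverse the word
            word = word[::-1]
        elif op in "$^" and i + 1 < len(rule):
            i += 1                          # the next character is the argument
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def match_hashes(targets, wordlist, rules=(":",)):
    """Return {hash: (plaintext, base_word, rule)} for every target matched."""
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(rule, word)
            digest = md5_hex(candidate)
            if digest in targets:
                found.setdefault(digest, (candidate, word, rule))
    return found

# Constructed sample data (not the post's test_hashes.txt or rockyou.txt).
WORDLIST = ["password", "MYSECRET", "letmein"]
TARGETS = {md5_hex("MYSECRET"), md5_hex("mYSECRET")}
RULES = [":", "l", "u", "c", "C", "t", "$1"]

if __name__ == "__main__":
    print(len(match_hashes(TARGETS, WORDLIST)), "of", len(TARGETS), "with the wordlist only")
    print(len(match_hashes(TARGETS, WORDLIST, RULES)), "of", len(TARGETS), "with rules")
```

A password that is only a case variant of a wordlist entry falls to the first rule that reproduces the variation, so a password audit should run rule sets as well as plain wordlists.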

Future

There’s a lot of conversation on making password cracking run faster with hashcat. Enabling more GPUs and other magic will speed up cracking.

Additionally, password cracking is related to an array of other subjects like analyzing writing style and codex analysis.
