Hash Cracking with AWS
Published: 09 March 2020
In a previous post, I showed the steps to capture a WPA handshake and crack it using Hashcat. On my tiny travel laptop I achieved 416 H/s, which is… slow.
AWS offers “GPU Optimized” EC2 instances:
- g4dn.xlarge – $0.53 per hour
- g3s.xlarge – $0.75 per hour
- p3.16xlarge – $24.48 per hour (that’s ~$18,000 per month!)
Any of these can be used with Hashcat. Whichever one your budget allows, the setup is the same, except that the p3.16xlarge will require a service limit increase on the AWS console.
GPU Instance Setup
1. Select an “Ubuntu Server 16.04 LTS (HVM), SSD Volume Type” AMI or an “Ubuntu Server 18.04 LTS (HVM), SSD Volume Type” AMI. I’ll be using 18.04 here but I’ve used Hashcat on both.
2. Update the system and install the necessary packages:
sudo apt-get update
sudo apt-get install -y linux-image-extra-virtual build-essential linux-headers-$(uname -r) p7zip-full
3. Once you’re logged in to your new instance, add the following lines to /etc/modprobe.d/blacklist-nouveau.conf :
options nouveau modeset=0
alias nouveau off
alias lbm-nouveau off
4. Add the following to /etc/modprobe.d/nouveau-kms.conf :
options nouveau modeset=0
5. Update the boot process and reboot:
sudo update-initramfs -u
sudo reboot
6. Download and install the NVIDIA package:
sudo /bin/bash NVIDIA-Linux-x86_64-440.33.01.run --ui=none --no-questions --silent -X
7. Test the installation:
This command shows that the drivers are working, and which card is currently in use. Here’s what it looks like on the smaller instances:
8. Download and extract Hashcat:
7za x hashcat-22.214.171.124z
At this stage you can run a benchmark to check that everything is working. Here are the benchmarks for the smaller instance types:
Now you can supply the hash to Hashcat, as described in the last part, and start cracking hashes!
A Bigger Boat
344.8 KH/s is pretty quick. However, as mentioned at the top of the post, if you increase your vCPU limit through a support request you can get access to p3.16xlarge instances. These instances are fast.
Building these instances follows exactly the same steps as before, but the benchmark results are significantly higher. To highlight how powerful these instances are, here’s a side-by-side of my laptop, an i5-6500U running a Kali VM, next to a p3.16xlarge:
Results for WPA-EAPOL-PBKDF2 hashes:
p3.16xlarge: 6519.9 KH/s
This shows that the p3.16xlarge instances are incredibly quick. For the curious, a full benchmark of the p3.16xlarge is below:
0 - MD5 - 425.0 GH/s
100 - SHA1 - 142.8 GH/s
1400 - SHA2-256 - 60925.7 MH/s
1700 - SHA2-512 - 18995.9 MH/s
2500 - WPA-EAPOL-PBKDF2 - 6514.3 kH/s
1000 - NTLM - 680.2 GH/s
3000 - LM - 371.1 GH/s
5500 - NetNTLMv1 / NetNTLMv1+ESS - 417.6 GH/s
5600 - NetNTLMv2 - 31106.0 MH/s
1500 - descrypt, DES (Unix), Traditional DES - 15021.2 MH/s
500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) - 129.7 MH/s
3200 - bcrypt $2*$, Blowfish (Unix) - 433.4 kH/s
1800 - sha512crypt $6$, SHA512 (Unix) - 2920.8 kH/s
7500 - Kerberos 5 AS-REQ Pre-Auth etype 23 - 8177.1 MH/s
13100 - Kerberos 5 TGS-REP etype 23 - 7993.5 MH/s
15300 - DPAPI masterkey file v1 - 1156.7 kH/s
15900 - DPAPI masterkey file v2 - 961.4 kH/s
7100 - macOS v10.8+ (PBKDF2-SHA512) - 216.2 kH/s
11600 - 7-Zip - 158.2 kH/s
12500 - RAR3-hp - 842.8 kH/s
13000 - RAR5 - 707.6 kH/s
6211 - TrueCrypt - 4825.3 kH/s
13400 - KeePass 1 and KeePass 2 - 2645.3 kH/s
6800 - LastPass + LastPass sniffed - 40336.6 kH/s
11300 - Bitcoin/Litecoin wallet.dat - 85976 H/s
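The rates above are most useful as an input to passphrase policy. The following is an added example, not code from the original post: it turns the post's quoted rates and the p3.16xlarge price into worst-case exhaustive-search time and cost, and finds the shortest random passphrase that pushes that cost past a budget. The candidate policies and the budget are constructed, and it assumes uniformly random passphrases and billing rounded up to whole hours.

```python
import math

# Figures quoted in this post: p3.16xlarge hourly price and hash rates (hashes/second).
P3_16XLARGE_USD_PER_HOUR = 24.48
RATES_HS = {
    "laptop WPA": 416.0,
    "p3.16xlarge WPA": 6519.9e3,
    "p3.16xlarge NTLM": 680.2e9,
}

def keyspace(charset_size, length):
    """Number of candidates for passwords of exactly `length` symbols."""
    return charset_size ** length

def exhaust_hours(charset_size, length, rate_hs):
    """Worst-case hours to try every candidate at `rate_hs` hashes per second."""
    return keyspace(charset_size, length) / rate_hs / 3600.0

def exhaust_cost_usd(charset_size, length, rate_hs,
                     usd_per_hour=P3_16XLARGE_USD_PER_HOUR):
    """Worst-case spend; rounding up to whole hours is a simplifying assumption."""
    return math.ceil(exhaust_hours(charset_size, length, rate_hs)) * usd_per_hour

def min_length_for_budget(charset_size, rate_hs, budget_usd,
                          usd_per_hour=P3_16XLARGE_USD_PER_HOUR):
    """Shortest random password whose exhaustive search costs more than the budget."""
    length = 1
    while exhaust_cost_usd(charset_size, length, rate_hs, usd_per_hour) <= budget_usd:
        length += 1
    return length

if __name__ == "__main__":
    wpa = RATES_HS["p3.16xlarge WPA"]
    # Constructed candidate policies: (label, charset size, length).
    policies = [("8 digits", 10, 8), ("8 lowercase", 26, 8), ("12 alnum", 62, 12)]
    for label, charset, length in policies:
        hours = exhaust_hours(charset, length, wpa)
        cost = exhaust_cost_usd(charset, length, wpa)
        print(f"{label:12s} {hours:22.2f} h  ${cost:,.2f}")
    # Constructed budget of $1,000,000 against mixed-case alphanumerics.
    for name in ("p3.16xlarge WPA", "p3.16xlarge NTLM"):
        print(name, "min length:", min_length_for_budget(62, RATES_HS[name], 1_000_000))
```

The same budget buys a very different margin depending on the hash: the fast unsalted NTLM rate demands a longer secret than the PBKDF2-based WPA rate on identical hardware.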