Skip to main content

Cracking password hashes on the cheap: How to rent online GPU resources for Hashcat

 

Summary In this post I will talk about how to make password cracking accessible to people who don't want to make the investment in video cards and GPU hardware resources. This post will mostly be a tutorial, geared toward people who are in a pinch and need to quickly standup a powerful hashcat environment.


The problem that led me down this path

I was recently working on an issue that required me to recover the password of a zip file. The zip file was created programmatically by a utility; which I had to the source code for. This meant I had the character set used and a fixed password length. I decided to fire up hashcat on my Mac Book Pro with my AMD Radeon Pro 560X. To my surprise, I was greeted with the error below;

Against the advice of the error message, I used the --force syntax to override the error. This yielded no usable results, it ended up making hashcat unstable and produced some false positives (I thought I had cracked the hash quickly).

After trying the to borrow some video hardware from a few co-workers (windows machines), I quickly determined I was going to need a lot more power!


Enter vast.ai

After some research online, I discovered Vast.ai. Vast.ai is a docker-based peer GPU rental market. The premise behind the business is they will rental you video cards of your choosing for an hourly rate. The video card resources are provided by users of their platform, and there is a large quantity of options to choose from.




Getting started

First you will need to create an account on vast.ai, and add some money. The payment information is handled via stripe, and you can add notification on when your balance gets below a certain point. I started off with a small balance for testing.



Generate an ssh key-pair for access

Access to your docker image will be handled over an SSH connection. I find it easiest to establish the ssh connection from a computer running linux or MacOS (You could use puttygen on a windows machine). We will need to generate an ssh key-pair from the computer you will connect with.

Open a terminal on a linux or macOS and issue the command below:

ssh-keygen -t rsa -b 4096 -C "vast.ai"

You will be prompted for a location and password. (hitting enter will use the default location):

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/id_rsa.
Your public key has been saved in /Users/user/.ssh/id_rsa.pub.

Copy the contents of the file /Users/user/.ssh/id_rsa.pub.

Log into your vast.ai account. On the left hand menu, navigate to Account -> Change SSH Key. Paste the contents of your /Users/user/.ssh/id_rsa.pub file here and click "Set SSH Key".



Find a docker image with hashcat configured

We need to search docker hub and find a docker image that has hashcat setup. In a web browser navigate to https://hub.docker.com/


In the search bar, type "hashcat". Select one of the images and copy the docker hub path name.



Configuring your vast.ai GPU to use your hashcat docker image 

Now that we have our ssh access credentials configured, and found a hashcat docker image, we need to point our vast.ai GPU resource pool to it. In your vast.ai account, on the left hand menu, navigate to Client -> Create. Then click on the "EDIT IMAGE & CONFIG" button.


On the "Select an OS Image" screen, scroll down to "Enter the name of the docker image. May be anything support by docker run". In the text area past the path to the docker hub image. Then click select. You instance configuration should now be updated to the hashcat docker image.




Select the GPU resource you'd like to rent and connect to you instance

On the https://vast.ai/console/create/  page, scroll through the available video cards and GPU resources and select one to rent.



After selecting the GPU resource to rent, you will see it appear in https://vast.ai/console/instances/ page. The resource should only take a few minutes to setup. Once it is finished, select the "connect" button and copy the ssh connection string presented.




Paste the ssh connection string into the terminal of the computer that you generated the ssh-key pair on. Hit the enter key key and enter the password you selected during the ssh-key pair generation.


You are now logged into the hashcat docker image.


Running hashcat

Now that you are logged into the docker image running hashcat, you can copy the hash to a file, and begin cracking. I found the quickest way was to echo the hash out to file (echo 'HASHSTRING' > hash.txt).

My hashcat execution string looked something like this (minus the increment info);
hashcat -m17220 hash.txt -o cracked.txt -a3 -1 CHARACTERSET LENGTH



Conclusion
I was really impressed with the performance of the GPU's I rented. For someone who was crunched for time, this was a really easy way to stand-up a machine for hashcat. My instance was processing 30 billion hashes a second! I initially added $50.00 (US) to do testing. This was enough money to run the the two nvidia RTX 3090's for 55 hours. 


Comments

Popular posts from this blog

Bypassing Windows Defender Antivirus in Windows Server 2016/2019

Summary In this post I will discuss a  Windows Defender Antivirus  bypass I discovered and reported to Microsoft on May 26th 2020. The bypass affects the current versions of Windows Defender deployed with Windows Server 2016/2019, where the Web Server role is installed. This post focuses on the road I took to get to the bypass as well, so for the TL;DR go to " Bypassing Windows Defender Antivirus 2016 using automatic exclusions"  section. Setting the stage I recently worked on a penetration test for an asp.net application. The setup was pretty standard for a small asp.net application, it was deployed in amazon AWS with a web tier and database tier. The web tier, where the application lived was configured on a Windows 2016 server with the Web Server role installed. This asp.net application integrated with a much larger suite of applications deployed in the same amazon AWS environment (14 other windows servers).  Below i've generated some screenshots from some test systems