Password Cracking With Amazon Web Services - 36 Cores
As part of a project recently I got the chance to play with a 36 core instance on AWS (c4.8xlarge) for some password cracking related activities. Getting hashcat and john up and running with multi-core is a little fiddly (it’s not download and crack), so I thought I’d document the setup and show some benchmarks with hashcat and John the Ripper utilising 36 cores. In order to select the 36 core instance you’ll need to use an HVM (hardware virtual machine) enabled machine image. I used the Ubuntu Server 14.04 LTS image.
I’ll be assuming you can reach the point of setup where you are logging into your freshly set-up machine on AWS (if you’re following along to set this up yourself). If you need help setting up a box on AWS, there’s a getting started guide from Amazon to get you going.
The benchmarks from this will differ depending on attack type, rules, and what hash type is being attacked, so take these results with a pinch of salt. Hashcat and john have different benchmark outputs. John only shows the benchmarks of the algorithms it was compiled with (as far as I’m aware).
hashcat
Usually the GPU version of hashcat is the tool of choice for me when it comes to password cracking. However, on this occasion I was interested in experimenting and benchmarking with CPU only.
Setup
The setup for multicore hashcat is pretty straightforward. Installing libgmp3-dev was required in order to run multicore. Multiple core support is provided by default. You’ll need to download p7zip-full to extract the download a bit further on (7z).
sudo apt-get update
sudo apt-get install -y libgmp3-dev p7zip-full
After this it was just a case of downloading and installing the latest version of hashcat.
wget http://hashcat.net/files/hashcat-0.49.7z
7z x hashcat-0.49.7z
The EULA needed to be accepted before proceeding with using hashcat. Here’s a quick copy-paste way to get the prompt up, I guess:
./hashcat-cli64.bin -a 0 -m 0 examples/A0.M0.hash examples/A0.M0.word
‘OH NO! I got this!’
./hashcat-cli64.bin: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
No you didn’t, because you did the apt-get install from earlier…
Benchmarks
Benchmarking is simple enough with hashcat using the --benchmark or -b option. Here’s the output (it’s a bit long):
./hashcat-cli64.bin -b
Initializing hashcat v0.49 with 36 threads and 32mb segment-size...
Device...........: Intel(R) Xeon(R) CPU E5-2666 v3 @ 2.90GHz
Instruction set..: x86_64
Number of threads: 36
Hash type: MD4
Speed/sec: 442.76M words
Hash type: MD5
Speed/sec: 380.02M words
Hash type: SHA1
Speed/sec: 218.86M words
Hash type: SHA256
Speed/sec: 110.37M words
Hash type: SHA512
Speed/sec: 43.28M words
Hash type: SHA-3(Keccak)
Speed/sec: 42.93M words
Hash type: GOST R 34.11-94
Speed/sec: 24.99M words
Hash type: SHA-1(Base64), nsldap, Netscape LDAP SHA
Speed/sec: 219.19M words
Hash type: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA
Speed/sec: 197.88M words
Hash type: descrypt, DES(Unix), Traditional DES
Speed/sec: 10.54M words
Hash type: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Speed/sec: 407.68k words
Hash type: sha256crypt, SHA256(Unix)
Speed/sec: 21.27k words
Hash type: sha512crypt, SHA512(Unix)
Speed/sec: 8.49k words
Hash type: bcrypt, Blowfish(OpenBSD)
Speed/sec: 25.86k words
Hash type: Oracle 11g/12c
Speed/sec: 197.28M words
Hash type: NTLM
Speed/sec: 370.22M words
Hash type: DCC, mscash
Speed/sec: 221.91M words
Hash type: NetNTLMv1-VANILLA / NetNTLMv1+ESS
Speed/sec: 356.85M words
Hash type: NetNTLMv2
Speed/sec: 67.54M words
Hash type: EPiServer 6.x < v4
Speed/sec: 180.62M words
Hash type: EPiServer 6.x > v4
Speed/sec: 100.69M words
Hash type: MSSQL(2000)
Speed/sec: 177.41M words
Hash type: MSSQL(2005)
Speed/sec: 181.14M words
Hash type: MSSQL(2012)
Speed/sec: 41.34M words
Hash type: MySQL323
Speed/sec: 624.65M words
Hash type: MySQL4.1/MySQL5
Speed/sec: 120.88M words
Hash type: Oracle 11g/12c
Speed/sec: 197.77M words
Hash type: OSX v10.4, v10.5, v10.6
Speed/sec: 200.04M words
Hash type: OSX v10.7
Speed/sec: 42.08M words
Hash type: OSX v10.8 / v10.9
Speed/sec: 655 words
Hash type: Android PIN
Speed/sec: 204.72k words
Hash type: scrypt
Speed/sec: 979 words
Hash type: Cisco-PIX MD5
Speed/sec: 337.08M words
Hash type: Cisco-ASA MD5
Speed/sec: 311.25M words
Hash type: Cisco-IOS SHA256
Speed/sec: 110.45M words
Hash type: Cisco $9$
Speed/sec: 6.95k words
Hash type: WPA/WPA2
Speed/sec: 18.01k words
Hash type: IKE-PSK MD5
Speed/sec: 75.24M words
Hash type: IKE-PSK SHA1
Speed/sec: 34.08M words
Hash type: Password Safe v3
Speed/sec: 58.87k words
Hash type: AIX {ssha1}
Speed/sec: 2.27M words
Hash type: Radmin2
Speed/sec: 180.72M words
Hash type: HMAC-MD5 (key = $pass)
Speed/sec: 135.34M words
Hash type: HMAC-MD5 (key = $salt)
Speed/sec: 233.42M words
Hash type: HMAC-SHA1 (key = $pass)
Speed/sec: 66.68M words
Hash type: HMAC-SHA1 (key = $salt)
Speed/sec: 112.10M words
Hash type: HMAC-SHA256 (key = $pass)
Speed/sec: 30.67M words
Hash type: HMAC-SHA256 (key = $salt)
Speed/sec: 58.05M words
Hash type: HMAC-SHA512 (key = $pass)
Speed/sec: 11.45M words
Hash type: HMAC-SHA512 (key = $salt)
Speed/sec: 22.37M words
Hash type: IPMI2 RAKP HMAC-SHA1
Speed/sec: 68.25M words
Hash type: Half MD5
Speed/sec: 309.78M words
Hash type: Double MD5
Speed/sec: 170.11M words
Hash type: GRUB 2
Speed/sec: 2.33k words
Hash type: phpass, MD5(Wordpress), MD5(phpBB3), MD5(Joomla)
Speed/sec: 292.59k words
Hash type: Joomla < 2.5.18
Speed/sec: 313.02M words
Hash type: osCommerce, xt:Commerce
Speed/sec: 318.75M words
Hash type: IPB2+, MyBB1.2+
Speed/sec: 142.57M words
Hash type: vBulletin < v3.8.5
Speed/sec: 162.44M words
Hash type: SMF > v1.1
Speed/sec: 200.07M words
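To put the figures above in defensive terms, the following added example (not part of the original post) parses hashcat's "Hash type / Speed/sec" pairs and converts each rate into the worst-case time to try every candidate of one length. The sample lines are copied from the output above; the function names and the 62-character, 8-character keyspace are assumptions chosen for illustration.

```python
import re

# Constructed sample: a few pairs copied from the hashcat v0.49 benchmark
# output above (36 threads on a c4.8xlarge).
SAMPLE = """\
Hash type: MD5
Speed/sec: 380.02M words
Hash type: NTLM
Speed/sec: 370.22M words
Hash type: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
Speed/sec: 407.68k words
Hash type: sha512crypt, SHA512(Unix)
Speed/sec: 8.49k words
Hash type: bcrypt, Blowfish(OpenBSD)
Speed/sec: 25.86k words
Hash type: scrypt
Speed/sec: 979 words
"""

UNITS = {"": 1, "k": 1_000, "M": 1_000_000}
SPEED_RE = re.compile(r"^Speed/sec:\s*([\d.]+)([kM]?)\s+words$")


def parse_benchmark(text):
    """Return {hash type: guesses per second} from hashcat-style output."""
    speeds, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Hash type:"):
            current = line.split(":", 1)[1].strip()
        elif current and (m := SPEED_RE.match(line)):
            speeds[current] = float(m.group(1)) * UNITS[m.group(2)]
            current = None
    return speeds


def exhaust_seconds(speed, charset=62, length=8):
    """Worst-case seconds to try every candidate of one length."""
    return charset ** length / speed


def report(text, charset=62, length=8):
    """Rows of (hash type, guesses/sec, days to exhaust), slowest first."""
    rows = [(name, s, exhaust_seconds(s, charset, length) / 86_400)
            for name, s in parse_benchmark(text).items()]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, speed, days in report(SAMPLE):
        print(f"{name[:40]:40} {speed:>14,.0f}/s {days:>16,.1f} days")
```

On this hardware the unsalted fast hashes fall in days for that keyspace, while the iterated formats take several orders of magnitude longer, which is the argument for storing passwords with a tunable slow hash.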
John the Ripper
I compiled John from source so there were a few extra steps involved. If I try this again at some point I’ll try to set up the community edition of John for some of the added functionality.
Setup
Since there’s some compiling to do I grabbed build-essential. libssl-dev is required for john.
apt-get update
apt-get install build-essential make libssl-dev
Next I pulled down the latest release of John the Ripper (1.8.0 at the time of writing) and extracted it. If you’re using these notes in the future you might have to change the URL below (or at least check to see if there’s a newer version out).
wget http://www.openwall.com/john/j/john-1.8.0.tar.gz
tar xvfz john*.tar.gz
Time to compile. The OMPFLAGS need to be uncommented in the Makefile.
cd john*/src/
vi Makefile
The following lines needed changing…
# gcc with OpenMP
#OMPFLAGS = -fopenmp
# gcc with OpenMP on 32-bit x86 with SSE2
#OMPFLAGS = -fopenmp -msse2
…to (lines uncommented):
# gcc with OpenMP
OMPFLAGS = -fopenmp
# gcc with OpenMP on 32-bit x86 with SSE2
OMPFLAGS = -fopenmp -msse2
After changing I saved the file then ran the following to compile.
make clean linux-x86-64
With any luck the john binary will be in the run folder ready to be played with.
Benchmarks
John comes with a --test option for benchmarking.
./john --test
Will run 36 OpenMP threads
Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE
Many salts: 38810K c/s real, 1081K c/s virtual
Only one salt: 28225K c/s real, 785700 c/s virtual
Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 SSE2-16]... DONE
Many salts: 1358K c/s real, 37751 c/s virtual
Only one salt: 958464 c/s real, 27775 c/s virtual
Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw: 318237 c/s real, 8881 c/s virtual
Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw: 25488 c/s real, 708 c/s virtual
Benchmarking: LM [DES 128/128 SSE2-16]... DONE
Raw: 88090K c/s real, 2462K c/s virtual
Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE
Short: 520345 c/s real, 520345 c/s virtual
Long: 1702K c/s real, 1702K c/s virtual
Benchmarking: tripcode [DES 128/128 SSE2-16]... DONE
Raw: 16540K c/s real, 527567 c/s virtual
Benchmarking: dummy [N/A]... DONE
Raw: 81656K c/s real, 81008K c/s virtual
Benchmarking: crypt, generic crypt(3) [?/64]... DONE
Many salts: 3939K c/s real, 109467 c/s virtual
Only one salt: 3305K c/s real, 92308 c/s virtual
Thoughts on AWS
Some of the speeds reported aren’t bad, but not great. Most decent GPUs will do much better against some of the easy algorithms such as MD5, NTLM etc.
Looking into spot instances on AWS (instances run at cheaper rates when available) could be an option for those automating a password cracking business in the cloud.
This was really just a close look at using a high core count on AWS. Maybe in the future I’ll get around to delving a bit deeper into this approach to password cracking.