High-Power Hash Cracking with NPK

Brad Woodward

Director, Coalfire Labs

Password hashes are an everyday part of life in Coalfire Labs. Barring any other low-hanging fruit, it’s not uncommon for a penetration test to hinge on recovering a plaintext password from one of these hashes. Whether it’s NTLM hashes from Active Directory, NetNTLMv2 from Responder, WPA2 PMK from a wireless penetration test, or hundreds of other possible sources of hashes, recovering the original password has been a challenge for hackers for decades.

What Is Hash Cracking?

Unlike encryption, hashing isn’t reversible. The only way to “recover” the password from the hash is to make a guess as to what the password is, run it through the hashing algorithm, and see if the result matches the hash you have. As you’d expect with such a prolific and time-consuming challenge, the tooling available to attackers is very mature; John the Ripper and Hashcat collectively support a huge number of hash types with all sorts of fancy features and exceptional performance optimizations. At the end of the day though, the biggest challenge isn’t the software – it’s the hardware.

Hash Cracking Rigs

If you’ve ever spent more than five minutes researching password cracking, you’ve probably come across forum posts of folks bragging about their “cracking rigs”: several-thousand-dollar custom builds with the singular focus of cranking out hashes as fast as possible. The cool kids all seem to show up with eight GPUs and talk about the killer hash rates they’re capable of. After all, the more quickly you can test your guesses, the faster you’ll land on the right one!

The cost of running these rigs dissuades almost everyone from participating in the practice. We maintain a couple of dedicated cracking rigs here at Coalfire; sure, they were expensive to buy, but running that hardware isn’t cheap on electricity either. All told, the hardware, electricity, and maintenance run in the tens of thousands of dollars per year; definitely not a price within range of even the most passionate enthusiast.

Introducing NPK

NPK (named for “nitrogen, phosphorus, and potassium,” the components of fertilizer, since NPK will increase your crop of cracked credentials), is a mostly serverless, distributed hashing platform developed within Coalfire Labs. It leverages the exceptionally powerful GPU instances in AWS to bring staggering hash cracking performance to a price tier in reach of a weekend tinkerer.

Amazon Web Services (AWS) has three generations of GPU instances to choose from, and NPK lets you compare the price and performance of each at a glance. Simply pick your target hash type, and NPK will show you the price and performance of each instance generation for that specific hash type! NPK also uses spot instances for all campaigns to keep prices to a minimum. Here’s the actual price and performance of NTLM, for example:

Let’s do a price comparison between enthusiast- and professional-grade rigs, and the three GPU instance generations supported by NPK (all hash rates are NTLM at benchmark throughput):

Price Comparison

Rig                        GPUs            Price            NTLM rate
Enthusiast Rig             8x GTX 1070     $3,600 upfront   240 GH/s
Professional-Grade Rig     8x 1080Ti       $11,000 upfront  416 GH/s
NPK with 1x g3.16xlarge    4x Tesla M60    $1.37/hr          73 GH/s
NPK with 1x p2.16xlarge    16x Tesla K80   $4.32/hr         136 GH/s
NPK with 1x p3.16xlarge    8x Tesla V100   $7.34/hr         632 GH/s

A $7/hour entry point is considerably easier to overcome than even a $3,600 one. That’s not all though – NPK supports distributing your campaign over multiple instances to increase your throughput! Three instances would cost you $22/hour and could crunch through a staggering 1.89 TH/s of NTLM. This is a huge benefit to us at Coalfire Labs, since this can do in two hours what would take our current rig almost four days!

This per-hour pricing might dissuade some, since even practical cracking campaigns often take days or weeks to crank through. NPK addresses this by letting you pick how many instances to run and for how long to run your campaign. It will even show you keyspace coverage estimates based on the parameters you provide.

Armed with this insight, it’s easy to build a campaign that maximizes your chance of recovering credentials within your time or budget constraints.
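To make the time-versus-budget trade-off concrete, here is an added back-of-envelope estimator (example code written for this post, not NPK's own coverage logic) that uses the spot prices and NTLM benchmark rates from the table above; the keyspace is an assumed brute-force mask, and real spot prices vary by region and time.

```python
# Added example, not NPK's own code: estimate cost and keyspace coverage for a
# cracking campaign from the spot prices and NTLM rates quoted in the table.
from dataclasses import dataclass

# Per-instance NTLM rate (hashes/second) and spot price (USD/hour) from the table.
INSTANCES = {
    "g3.16xlarge": {"usd_per_hour": 1.37, "hashes_per_sec": 73e9},
    "p2.16xlarge": {"usd_per_hour": 4.32, "hashes_per_sec": 136e9},
    "p3.16xlarge": {"usd_per_hour": 7.34, "hashes_per_sec": 632e9},
}


def keyspace_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates in a brute-force mask covering every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def usd_per_terahash_hour(instance: str) -> float:
    """Price efficiency: dollars per hour for each 1 TH/s of throughput (lower is better)."""
    spec = INSTANCES[instance]
    return spec["usd_per_hour"] / (spec["hashes_per_sec"] / 1e12)


@dataclass
class CampaignEstimate:
    cost_usd: float
    hashes_per_sec: float    # combined rate across all instances
    coverage: float          # fraction of the keyspace tested, capped at 1.0
    hours_to_exhaust: float  # wall-clock hours needed to test the whole keyspace


def estimate(instance: str, count: int, hours: float, keyspace: int) -> CampaignEstimate:
    """Cost and coverage for `count` instances of one generation running for `hours`."""
    spec = INSTANCES[instance]
    rate = spec["hashes_per_sec"] * count
    tested = rate * hours * 3600
    return CampaignEstimate(
        cost_usd=round(spec["usd_per_hour"] * count * hours, 2),
        hashes_per_sec=rate,
        coverage=min(1.0, tested / keyspace),
        hours_to_exhaust=keyspace / rate / 3600,
    )


if __name__ == "__main__":
    # The post's scenario (three p3.16xlarge for two hours) against an assumed
    # mask of 1-8 characters drawn from the 95 printable ASCII characters.
    space = keyspace_size(95, 1, 8)
    for name in INSTANCES:
        print(f"{name}: ${usd_per_terahash_hour(name):.2f} per TH/s-hour")
    print(estimate("p3.16xlarge", 3, 2, space))
```

The efficiency figure is what makes the choice: per TH/s of throughput, p3.16xlarge is the cheapest of the three generations and p2.16xlarge the most expensive, even though p2 is cheaper per hour.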

Goodbye Runaway Instances

We’ve all heard horror stories of folks who spin up big instances and forget to take them down until they get a hefty bill from AWS. NPK was specifically designed to ensure that all instances it spins up will never stay up longer than intended. Even in the face of a catastrophic failure of the management plane, your GPU instances will come down precisely when they were configured to.

Check It Out

NPK is open-sourced at https://github.com/Coalfire-Research/npk and is deployed just for you, entirely within AWS. The management platform leverages multiple serverless technologies in AWS to keep costs to a minimum between campaigns, and even fits within the free tier. It’s packed with features that can’t all fit here, so head over to the repo and give it a shot!