Using Cloud for Password Cracking

Let’s crack some hashes!…

If you’re a penetration tester or red teamer, you will want to crack the hashes you find. These hashes may be Kerberos, MD5, etc. They have one thing in common: they exist to be cracked. This time I will not talk about tools; who cares. I want to explain the advantages of the cloud for penetration testing and red teaming.

Sometimes we use test computers, or we may buy a high-end CPU/GPU for cracking hashes. When we use our own computer, the process consumes a lot of resources, and problems such as overheating and freezing appear. Buying a CPU/GPU just for cracking is expensive. Why don’t we use the cloud? Use it and pay for it; when you have no job to run, delete the machine and stop paying extra money. Save your own resources. You can carry on with the penetration test while the cloud is trying to crack the hashes. Maybe we can write a script for this later: when the hashes are cracked, send me a message or mail, why not 🙂

There are lots of platforms for this use case: DigitalOcean, Google Cloud Services, Amazon AWS, Linode, datacrunch.io, etc. I will use DigitalOcean now.

Let’s create a droplet.

Choose your plan and configure your droplet.

Creation is simple, you know. You can use simple keys or SSH keys; if you want to use this machine from your mobile phone or tablet via SSH, I recommend simple keys.

Time to download tools:

apt-get install hashcat

git clone https://github.com/danielmiessler/SecLists

apt-get install john

Done! Your cracking droplet is created and weaponized. If you want to create special lists, you can download “cewl” and “crunch” too.

Some benchmarks ($5 plan):

And Google Cloud. You may use GPUs on this service; hashcat in particular will be powerful with these GPUs. You can talk to Google Cloud Support to increase GPU usage.

But I am not using a GPU now; I will try only CPU power on a Debian host.

Google benchmark (8vCPU):

Briefly, you can customize your cloud machines. If you want more power, you can buy more powerful CPUs or GPUs. If your budget is limited, you can choose a more efficient configuration. Use it as you wish 🙂 Create your own cloud machine for hacking and use it from everywhere (computers, mobile phones, tablets…).

Thanks for your time. I hope this post helped you.

Berk KIRAS | PwC – Cyber Security Specialist