How to Crack Passwords in the Cloud with GPU Acceleration (Kali 2017)
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
How does password cracking in the cloud compare to down here on earth? Maybe not as heavenly as imagined. I saw this on the web and got excited:
“You can get up and running with a Kali GPU instance in less than 30 seconds. All you need to do is choose a P2 instance, and you’re ready to start cracking!” https://www.kali.org/news/cloud-cracking-with-cuda-gpu/
It’s true (mostly!). The first time you attempt to launch the instance, you will find that, by default, you are not allowed to launch the P2 Kali instances on Amazon, as shown in the error message below.
The message contains the following text with a link to request more instances.
You have requested more instances (1) than your current instance limit of 0 allows for the specified instance type. Please visit http://aws.amazon.com/contact-us/ec2-request to request an adjustment to this limit.
I submitted the form and was easily approved within a day.
Use this link to find and launch your desired instance: https://aws.amazon.com/marketplace/pp/B01M26MMTT
The image below shows the process of launching a single GPU cloud instance.
So let’s do some cracking speed comparisons using Hashcat’s benchmarking option. The table below summarizes the results with supporting images at the end of this post. The “on earth” system is the one detailed in this blog post: https://www.blackhillsinfosec.com/?p=5995
Note that I did get a CUDA compatibility message from the cloud crackers saying that performance was degraded, but I did not find a workaround for that issue. If you know of one, please let me know and I will update this post.
The conclusion I came to is that the 16 GPU cloud instance at $15/hr would be an OK solution for a quick password crack at a CTF event, for example, but that hourly price adds up to over ten thousand dollars a month!!! I recommend biting the bullet and building your own password cracker here on earth before you burn up all your money in the cloud.
_____
*Carrie Roberts no longer works with us (*sob) but we are proud to have her brilliant guest posts!