Password Cracking for Fun and Profit

Dec 27, 2014 by admin in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

With the huge drops in GPUs lately, I decided to revisit my password cracking box and update a couple of the GPUs cards.  In doing so, I ended up putting a whole machine together.  What I bought might be a little overkill for just password cracking, as cracking relies mostly on GPUs, but I wanted something that could also be used for other purposes (and not make me deaf).  I could have gone down the route of building out a 6 GPU case, but it wasn’t reasonable in this setting.

When originally building this new computer, I focused on the GPUs and went with the R9 295×2, which are just two ATI R9 290X GPUs.  This is pretty much the best money can buy and due to the heat of two GPUs, also comes already water-cooled.

My setup:

outside inside

Here are the exact hardware specs:

  • Cooler Master Hyper 212 EVO – CPU Cooler with 120mm
  • Sapphire Radeon R9 295X2 8GB GDDR5 DVI-D
  • THM COMPOUND ARCTIC COOLING AC-MX4
  • Corsair Vengeance Series C70 Arctic White Steel ATX Mid
  • BLU-RAY BURNER LG
  • CORSAIR Vengeance Pro 16GB (2 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600
  • SAMSUNG 840 EVO MZ-7TE500BW 2.5″ 500GB SATA III TLC Internal Solid State Drive (SSD)
  • Intel Core i7-4790K Haswell Quad-Core 4.0GHz LGA 1150 Desktop Processor
  • SILVERSTONE ST1500 1500W ATX 12V 2.3 & EPS 12V SLI Ready 80 PLUS SILVER Certified
  • ASUS MAXIMUS VII FORMULA/WATCH DOGS LGA 1150

It took about an hour to put together and it luckily booted up on the first run.  Just for kicks, I ran Microsoft’s performance rating software and it rated 7.8 out of 7.9.  So close to a perfect score…


79

But what really matters is how it will perform for password cracking.  I downloaded oclHashcat (oclHashcat-1.31) and ran some of the baseline password checks.   Here are the checks that really matter to me:

Hashtype: WPA/WPA2
Workload: 4096 loops, 32 accelSpeed.GPU.#1.: 181.9 kH/s
Speed.GPU.#2.: 189.4 kH/s
Speed.GPU.#*.: 371.2 kH/s

Hashtype: MD5
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 10563.8 MH/s
Speed.GPU.#2.: 10563.4 MH/s
Speed.GPU.#*.: 21127.2 MH/s

Hashtype: SHA1
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 3653.6 MH/s
Speed.GPU.#2.: 3811.5 MH/s
Speed.GPU.#*.: 7465.1 MH/s

Hashtype: SHA256
Workload: 512 loops, 256 accel

Speed.GPU.#1.: 1468.0 MH/s
Speed.GPU.#2.: 1470.4 MH/s
Speed.GPU.#*.: 2938.4 MH/s

Hashtype: NTLM
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 19479.6 MH/s
Speed.GPU.#2.: 21894.3 MH/s
Speed.GPU.#*.: 41373.9 MH/s

Hashtype: NetNTLMv2
Workload: 512 loops, 256 accelSpeed.GPU.#1.: 810.0 MH/s
Speed.GPU.#2.: 811.7 MH/s
Speed.GPU.#*.: 1621.7 MH/s

Hashtype: Kerberos 5 AS-REQ Pre-Auth etype 23
Workload: 128 loops, 32 accel

Speed.GPU.#1.: 55167.2 kH/s
Speed.GPU.#2.: 55643.2 kH/s
Speed.GPU.#*.: 110.8 MH/s

Hashtype: Office 2013
Workload: 100000 loops, 4 accel

Speed.GPU.#1.: 4240 H/s
Speed.GPU.#2.: 4240 H/s
Speed.GPU.#*.: 8480 H/s

Hashtype: MSSQL(2005)
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 3597.0 MH/s
Speed.GPU.#2.: 3794.0 MH/s
Speed.GPU.#*.: 7391.1 MH/s

Hashtype: MSSQL(2012)
Workload: 256 loops, 256 accel

Speed.GPU.#1.: 571.8 MH/s
Speed.GPU.#2.: 571.7 MH/s
Speed.GPU.#*.: 1143.4 MH/s

Hashtype: PostgreSQL
Workload: 1024 loops, 256 accel

Speed.GPU.#1.: 10501.3 MH/s
Speed.GPU.#2.: 10501.8 MH/s
Speed.GPU.#*.: 21003.1 MH/s

 

For example, we can crack NTLM (Windows hashes) at 41373.9 million hashes a second. The ATI 7970, which had been my favorite these past few years, only ran 15261.7 MH/s. We are looking at almost 3 times the power of that card. My biggest worry of course is heat, as I have heard that the 295×2 cards will stop at 75C. Running different tests and baselines, my GPUs stayed between 50 to 65 degrees. I’ll have to do a little further testing on this.


ex

One hiccup I had with this card was that some hashes caused the GPU drivers to crash. For example, if I tried to baseline SHA-3(Keccak), my driver for this card consistently crashed. More to come on this.

So what’s next? I’m going to take some of the really large hashdumps I’ve done and run them against certain wordlists and investigate the benefits of the PRINCE (http://hashcat.net/tools/princeprocessor/prince-attack.pdf) attack. Stay tuned and don’t forget to pickup The Hacker Playbook: http://www.amazon.com/dp/1494932636/.

Happy Hacking,
Peter



Recently

The Hacker Playbook

Mar 26, 2014 by cheetz in Security

Drop Box on the Cheap

Oct 27, 2013 by cheetz in Security

Hiding Your Shells

Aug 19, 2012 by cheetz in Security

DEFCON XX

Jul 30, 2012 by cheetz in Security