Using Azure VM to Crack Passwords

If you are doing CTFs (capture the flags) – so online hacking challenges – you probably have to deal with password cracking or hash cracking. If you work on a notebook, password cracking is not much fun. But, hey, there is the cloud! So, let’s use Microsoft Azure to crack passwords!

We just need to setup one or multiple VMs and use them! The beauty of the cloud is, that it is pay-per-use. So if it takes 5 hours to crack the password on a machine with 32 CPUs, then you only pay for those 5 hours. Besides that, you can even reduce your costs if you use reserved instances. But, lets start with the VM.

The virtual machine

For password cracking, we need:

  • VM with powerful GPU or powerful CPU (depends on the hash that we want to crack)
  • pay per use
  • Linux OS

Looking at https://azure.microsoft.com/en-us/pricing/details/virtual-machines/linux/ and filtering for GPU or Compute optimized gives us:

  • Fxs v2 (replace x with the size, e.g. F2s v2, F8s v2, …)
  • N*-series VM (N stands for Nvidia)

I will use F32s v2 VM, which has 32 vCPUs for CPU optimized hash algorithms and NC6 Promo for GPU optimized hash algorithms.

Step 1: Create Azure VM

You can create it via UI, Powershell or Azure CLI. I’ll use Azure CLI because it works on every environment.
Install azure cli as described here https://docs.microsoft.com/en-us/cli/azure/install-azure-cli or via choclatey: choco install azure-cli -y

Then use Azure CLI to create the VM:

# login
az login

# switch azure subscription
az account list --output table
az account set --subscription "My Subscription"

# set params for vm
$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name
$admin = "passcrack-admin"     # username of administrator

# create new resource group
az group create -n $vm_rg --location westeurope

# list all vm images
az vm image list -o table

# list all vm sizes
az vm list-sizes -l westeurope -o table

# create gpu optimized vm
az vm create -g $vm_rg -n $vm_n --image UbuntuLTS --admin-username $admin --size Standard_NC6_Promo --generate-ssh-keys

# create cpu optimized vm
# az vm create -g $vm_rg -n $vm_n--image UbuntuLTS --admin-username $admin --size Standard_F32s_v2 --generate-ssh-keys

# read ip and store it in $ip
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)

Step 2: Connect and Install updates

ssh [email protected]$ip

# get linux version
uname -m && cat /etc/*release

# update and upgrade
sudo apt-get update
sudo apt-get upgrade -y

Step 3: Install GPU driver (GPU VM only)

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/n-series-driver-setup

# if not ubuntu 18.04 - check correct urls at: http://developer.download.nvidia.com/compute/cuda/repos/

CUDA_REPO_PKG=cuda-repo-ubuntu1804_10.2.89-1_amd64.deb
wget -O /tmp/${CUDA_REPO_PKG} http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/${CUDA_REPO_PKG}
sudo dpkg -i /tmp/${CUDA_REPO_PKG}
sudo apt-key adv --fetch-keys http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/7fa2af80.pub
rm -f /tmp/${CUDA_REPO_PKG}
sudo apt-get update
sudo apt-get install cuda-drivers
sudo apt-get install nvidia-cuda-toolkit

# restart machine and verify installation
sudo reboot

# reconnect
ssh [email protected]$ip
nvidia-smi

# output should be something like:
# +-----------------------------------------------------------------------------+
# | NVIDIA-SMI 455.38       Driver Version: 455.38       CUDA Version: 11.1     |
# |-------------------------------+----------------------+----------------------+
# | GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
# | Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
# |                               |                      |               MIG M. |
# |===============================+======================+======================|
# |   0  Tesla K80           Off  | 00006133:00:00.0 Off |                    0 |
# | N/A   43C    P0    56W / 149W |      0MiB / 11441MiB |      0%      Default |
# |                               |                      |                  N/A |
# +-------------------------------+----------------------+----------------------+
# 
# +-----------------------------------------------------------------------------+
# | Processes:                                                                  |
# |  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
# |        ID   ID                                                   Usage      |
# |=============================================================================|
# |  No running processes found                                                 |
# +-----------------------------------------------------------------------------+

Step 4: Install Hashcat/John/…

Install latest Version of Hashcat:

# Install latest version of Hashcat (check https://hashcat.net/hashcat/ to get latest version number)

wget https://hashcat.net/files/hashcat-6.1.1.7z
sudo apt-get install p7zip-full -y
7z x hashcat-6.1.1.7z
rm hashcat-6.1.1.7z

Install John the Ripper
latest version at: https://www.openwall.com/john/

sudo apt-get install build-essential libssl-dev -y
wget https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.gz
tar xfz john-1.9.0-jumbo-1.tar.gz
cd john-1.9.0-jumbo-1/src
./configure
# output will show you some infos - please check if OpenCL is set to true, if not, try:
# ./configure && make clean && make -sj4

cd ../run
./john --list=opencl-devices

# output should be something like:
# Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.1.102
#     Device #0 (1) name:     Tesla K80
#     Device vendor:          NVIDIA Corporation
#     Device type:            GPU (LE)
#     Device version:         OpenCL 1.2 CUDA
#     Driver version:         455.32.00 [recommended]
#     Native vector widths:   char 1, short 1, int 1, long 1
#     Preferred vector width: char 1, short 1, int 1, long 1
#     Global Memory:          11441 MB (ECC)
#     Global Memory Cache:    208 KB
#     Local Memory:           48 KB (Local)
#     Constant Buffer size:   64 KB
#     Max memory alloc. size: 2860 MB
#     Max clock (MHz):        823
#     Profiling timer res.:   1000 ns
#     Max Work Group Size:    1024
#     Parallel compute cores: 13
#     CUDA cores:             2496  (13 x 192)
#     Speed index:            2054208
#     Warp size:              32
#     Max. GPRs/work-group:   65536
#     Compute capability:     3.7 (sm_37)
#     Kernel exec. timeout:   no
#     PCI device topology:    00:00.0

./john --list=formats --format=opencl

Install fcrackzip

sudo apt-get install fcrrackzip

Step 5: Download Wordlists

cd ~
mkdir wordlists
cd wordlists
wget https://crackstation.net/files/crackstation-human-only.txt.gz
gzip -d crackstation-human-only.txt.gz

wget https://crackstation.net/files/crackstation.txt.gz
gzip -d crackstation.txt.gz

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top1000.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10000.txt
wget https://github.com/FlameOfIgnis/Pwdb-Public/raw/master/wordlists/ignis-10M.txt

Step 6: Start Cracking

try to crack the following hashes:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
7c4a8d09ca3762af61e59520943dc26494f8941b
d2bf02e60ed38af96751c5a78a8ffbe32f4598f9
d033e22ae348aeb5660fc2140aec35850c4da997
21298df8a3277357ee55b01df9530b535cf08ec1
6defcdce4d06b8518640f0fe5f692b639bf31a4a
7288edd0fc3ffcbe93a0cf06e3568e28521687bc

or:

$2a$10$z580SUOJrDVim.KmT4wKpOw891M7pbAsvM2NsbdIPn.B00IX.hbP6
$2a$10$llqj/yYA0JFdZ0jU.x8Fs.srlQNYZg8v08p0WyeUqyKeGA0xqMP4C
$2a$10$sejozbYMR5KmiAqKsnPWv.riS5TiQwEDrOB2fgS9ERxYp4t52YxRu
$2a$10$31TyVw44TzVL9JWjkj.Nn.IDEZKJmK7JAQXxiB3dYhqkWX1n9GHxS
$2a$10$hdO/G606lyYmAvJ0.G0mTOGuSMiQu7CaFFVyXTiJVcXkEISpQcK/i
$2a$10$2uVS4Rpts2yAb5rc0qJBZ.0RstK1wDBl3BopgL.5L8n3t9bxc7NjC
$2a$10$kZp.cIRemnjM452mA.4C0u15iS.olx9HQaeDYLxGstkAS5rnDoVM2
$2a$10$XQeAEopVPVGb4SOHaj.Yzur7BB.XqkzsOMMj1MW/vvC3RA.qIFhvW
$2a$10$OkB1by5f1KZ.l90nOqL/Ye0SKf.V4rImMd//T.brZiHyk0CnBbI/u

Some samples:

### paramters ###
# file with hashes
CRACK=~/crackme.txt
# wordlists
WL_CSHO=~/wordlists/crackstation-human-only.txt
WL_CS=~/wordlists/crackstation.txt
WL_RY=~/wordlists/rockyou.txt
WL_DWT=~/wordlists/darkweb2017-top1000.txt
WL_DWTT=~/wordlists/darkweb2017-top10000.txt
WL_IG=~/wordlists/ignis-10M.txt

### john the ripper ###

cd ~/john-1.9.0-jumbo-1/run/

./john --wordlist=$WL_CSHO $CRACK
./john --wordlist=$WL_CSHO $CRACK --fork=6
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=raw-md5
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=bcrypt 
./john --wordlist=$WL_CSHO $CRACK --format=raw-MD5-opencl
./john --wordlist=$WL_CSHO $CRACK --format=raw-SHA1-opencl

./john --increment $CRACK --format=raw-SHA1-opencl
./john --increment $CRACK --fork=16 --format=raw-sha1
./john --increment $CRACK --fork=16 --format=bcrypt

### hashcat ###

cd ~/hashcat-6.1.1

# -a 0 => dictionary, 3 => bruteforce
./hashcat.bin -a 0 -m 100 $CRACK $WL_CSHO
./hashcat.bin -a 3 -m 100 b8c0a6c50e24eccba706932a5a03fc6c7cc34ab7
./hashcat.bin -a 0 -m 4700 90b9aa7e25f80cf4f64e990b78a9fc5ebd6cecad $WL_CSHO # m 4700 = sha1(md5($pass))

### hashcat - excel ###

wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-oclhashcat/master/scrapers/office2hashcat.py
HASH=$(python office2hashcat.py secure.xlsx)
./hashcat.bin -a 3 -m 9600 $HASH ?d?d?d?d?d?d
./hashcat.bin -a 0 -m 9600 $HASH $WL_CSHO

### fcrackzip ###

fcrackzip -u -v -l 6 -c 1 -b crackme.zip
# -u => unzip 
# -v => verbose
# -l => length
# -c => character set, 1 = numeric
# -b => bruteforce

Step 7. a.: Shutdown VM

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name

az vm deallocate -n $vm_n -g $vm_rg

Step 7. b.: Start and Connect to VM

az login
az account set --subscription "My Subscription"

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name
$admin = "passcrack-admin"     # username of administrator

az vm start -g $vm_rg -n $vm_n
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)

ssh [email protected]$ip

Step 7. c.: Shutdown and Delete VM

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name

az vm deallocate -n $vm_n -g $vm_rg
az group delete -g $vm_rg

# verify
az vm list -o table
az group list -o table

Categories:

No responses yet

    Leave a Reply

    Your email address will not be published. Required fields are marked *