If you do CTFs (capture-the-flag events, i.e. online hacking challenges), you probably have to deal with password or hash cracking. On a notebook, password cracking is not much fun. But hey, there is the cloud! So let's use Microsoft Azure to crack passwords!
We just need to set up one or more VMs and use them! The beauty of the cloud is that it is pay-per-use: if it takes 5 hours to crack the password on a machine with 32 CPUs, you only pay for those 5 hours. Besides that, you can even reduce your costs if you use reserved instances. But let's start with the VM.
The virtual machine
For password cracking, we need:
- VM with powerful GPU or powerful CPU (depends on the hash that we want to crack)
- pay per use
- Linux OS
Looking at https://azure.microsoft.com/en-us/pricing/details/virtual-machines/linux/ and filtering for GPU or Compute optimized gives us:
- Fxs v2 (replace x with the size, e.g. F2s v2, F8s v2, …)
- N*-series VM (N stands for Nvidia)
I will use an F32s v2 VM, which has 32 vCPUs, for CPU-optimized hash algorithms and an NC6 Promo VM for GPU-optimized hash algorithms.
Step 1: Create Azure VM
You can create it via the UI, PowerShell or the Azure CLI. I'll use the Azure CLI because it works in every environment.
Install the Azure CLI as described at https://docs.microsoft.com/en-us/cli/azure/install-azure-cli or via Chocolatey: choco install azure-cli -y
Then use the Azure CLI to create the VM (the variables below use PowerShell syntax):
```powershell
# login
az login

# switch azure subscription
az account list --output table
az account set --subscription "My Subscription"

# set params for vm
$vm_rg = "are-passcrack-vm-rg"   # resource group
$vm_n = "are-passcrack-vm"       # vm name
$admin = "passcrack-admin"       # username of administrator

# create new resource group
az group create -n $vm_rg --location westeurope

# list all vm images
az vm image list -o table

# list all vm sizes
az vm list-sizes -l westeurope -o table

# create gpu optimized vm
az vm create -g $vm_rg -n $vm_n --image UbuntuLTS --admin-username $admin --size Standard_NC6_Promo --generate-ssh-keys

# create cpu optimized vm
# az vm create -g $vm_rg -n $vm_n --image UbuntuLTS --admin-username $admin --size Standard_F32s_v2 --generate-ssh-keys

# read ip and store it in $ip
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)
```
Step 2: Connect and Install updates
```bash
# connect (from the local shell where $admin and $ip are set)
ssh $admin@$ip

# get linux version
uname -m && cat /etc/*release

# update and upgrade
sudo apt-get update
sudo apt-get upgrade -y
```
Step 3: Install GPU driver (GPU VM only)
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/n-series-driver-setup
```bash
# if not ubuntu 18.04 - check correct urls at: http://developer.download.nvidia.com/compute/cuda/repos/
CUDA_REPO_PKG=cuda-repo-ubuntu1804_10.2.89-1_amd64.deb
wget -O /tmp/${CUDA_REPO_PKG} http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/${CUDA_REPO_PKG}
sudo dpkg -i /tmp/${CUDA_REPO_PKG}
sudo apt-key adv --fetch-keys http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/7fa2af80.pub
rm -f /tmp/${CUDA_REPO_PKG}
sudo apt-get update
sudo apt-get install cuda-drivers
sudo apt-get install nvidia-cuda-toolkit

# restart machine and verify installation
sudo reboot

# reconnect (from the local shell)
ssh $admin@$ip
nvidia-smi

# output should be something like:
# +-----------------------------------------------------------------------------+
# | NVIDIA-SMI 455.38       Driver Version: 455.38       CUDA Version: 11.1     |
# |-------------------------------+----------------------+----------------------+
# | GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
# | Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
# |                               |                      |               MIG M. |
# |===============================+======================+======================|
# |   0  Tesla K80           Off  | 00006133:00:00.0 Off |                    0 |
# | N/A   43C    P0    56W / 149W |      0MiB / 11441MiB |      0%      Default |
# |                               |                      |                  N/A |
# +-------------------------------+----------------------+----------------------+
#
# +-----------------------------------------------------------------------------+
# | Processes:                                                                  |
# |  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
# |        ID   ID                                                   Usage      |
# |=============================================================================|
# |  No running processes found                                                 |
# +-----------------------------------------------------------------------------+
```
Step 4: Install Hashcat/John/…
Install the latest version of Hashcat:
```bash
# Install latest version of Hashcat (check https://hashcat.net/hashcat/ to get latest version number)
wget https://hashcat.net/files/hashcat-6.1.1.7z
sudo apt-get install p7zip-full -y
7z x hashcat-6.1.1.7z
rm hashcat-6.1.1.7z
```
Install John the Ripper
Latest version at: https://www.openwall.com/john/
```bash
sudo apt-get install build-essential libssl-dev -y
wget https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.gz
tar xfz john-1.9.0-jumbo-1.tar.gz
cd john-1.9.0-jumbo-1/src

./configure
# output will show you some infos - please check that OpenCL is set to true, then build
# (the john binary in ../run does not exist until make has run):
./configure && make clean && make -sj4

cd ../run
./john --list=opencl-devices
# output should be something like:
# Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.1.102
#     Device #0 (1) name:     Tesla K80
#     Device vendor:          NVIDIA Corporation
#     Device type:            GPU (LE)
#     Device version:         OpenCL 1.2 CUDA
#     Driver version:         455.32.00 [recommended]
#     Native vector widths:   char 1, short 1, int 1, long 1
#     Preferred vector width: char 1, short 1, int 1, long 1
#     Global Memory:          11441 MB (ECC)
#     Global Memory Cache:    208 KB
#     Local Memory:           48 KB (Local)
#     Constant Buffer size:   64 KB
#     Max memory alloc. size: 2860 MB
#     Max clock (MHz):        823
#     Profiling timer res.:   1000 ns
#     Max Work Group Size:    1024
#     Parallel compute cores: 13
#     CUDA cores:             2496 (13 x 192)
#     Speed index:            2054208
#     Warp size:              32
#     Max. GPRs/work-group:   65536
#     Compute capability:     3.7 (sm_37)
#     Kernel exec. timeout:   no
#     PCI device topology:    00:00.0

./john --list=formats --format=opencl
```
Install fcrackzip
```bash
sudo apt-get install fcrackzip
```
Step 5: Download Wordlists
```bash
cd ~
mkdir wordlists
cd wordlists

wget https://crackstation.net/files/crackstation-human-only.txt.gz
gzip -d crackstation-human-only.txt.gz
wget https://crackstation.net/files/crackstation.txt.gz
gzip -d crackstation.txt.gz
wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top1000.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10000.txt
wget https://github.com/FlameOfIgnis/Pwdb-Public/raw/master/wordlists/ignis-10M.txt
```
Step 6: Start Cracking
Try to crack the following hashes:
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 7c4a8d09ca3762af61e59520943dc26494f8941b d2bf02e60ed38af96751c5a78a8ffbe32f4598f9 d033e22ae348aeb5660fc2140aec35850c4da997 21298df8a3277357ee55b01df9530b535cf08ec1 6defcdce4d06b8518640f0fe5f692b639bf31a4a 7288edd0fc3ffcbe93a0cf06e3568e28521687bc
or:
$2a$10$z580SUOJrDVim.KmT4wKpOw891M7pbAsvM2NsbdIPn.B00IX.hbP6 $2a$10$llqj/yYA0JFdZ0jU.x8Fs.srlQNYZg8v08p0WyeUqyKeGA0xqMP4C $2a$10$sejozbYMR5KmiAqKsnPWv.riS5TiQwEDrOB2fgS9ERxYp4t52YxRu $2a$10$31TyVw44TzVL9JWjkj.Nn.IDEZKJmK7JAQXxiB3dYhqkWX1n9GHxS $2a$10$hdO/G606lyYmAvJ0.G0mTOGuSMiQu7CaFFVyXTiJVcXkEISpQcK/i $2a$10$2uVS4Rpts2yAb5rc0qJBZ.0RstK1wDBl3BopgL.5L8n3t9bxc7NjC $2a$10$kZp.cIRemnjM452mA.4C0u15iS.olx9HQaeDYLxGstkAS5rnDoVM2 $2a$10$XQeAEopVPVGb4SOHaj.Yzur7BB.XqkzsOMMj1MW/vvC3RA.qIFhvW $2a$10$OkB1by5f1KZ.l90nOqL/Ye0SKf.V4rImMd//T.brZiHyk0CnBbI/u
Some samples:
```bash
### parameters ###
# file with hashes
CRACK=~/crackme.txt
# wordlists
WL_CSHO=~/wordlists/crackstation-human-only.txt
WL_CS=~/wordlists/crackstation.txt
WL_RY=~/wordlists/rockyou.txt
WL_DWT=~/wordlists/darkweb2017-top1000.txt
WL_DWTT=~/wordlists/darkweb2017-top10000.txt
WL_IG=~/wordlists/ignis-10M.txt

### john the ripper ###
cd ~/john-1.9.0-jumbo-1/run/
./john --wordlist=$WL_CSHO $CRACK
./john --wordlist=$WL_CSHO $CRACK --fork=6
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=raw-md5
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=bcrypt
./john --wordlist=$WL_CSHO $CRACK --format=raw-MD5-opencl
./john --wordlist=$WL_CSHO $CRACK --format=raw-SHA1-opencl
./john --incremental $CRACK --format=raw-SHA1-opencl
./john --incremental $CRACK --fork=16 --format=raw-sha1
./john --incremental $CRACK --fork=16 --format=bcrypt

### hashcat ###
cd ~/hashcat-6.1.1
# -a 0 => dictionary, 3 => bruteforce
./hashcat.bin -a 0 -m 100 $CRACK $WL_CSHO
./hashcat.bin -a 3 -m 100 b8c0a6c50e24eccba706932a5a03fc6c7cc34ab7
./hashcat.bin -a 0 -m 4700 90b9aa7e25f80cf4f64e990b78a9fc5ebd6cecad $WL_CSHO # m 4700 = sha1(md5($pass))

### hashcat - excel ###
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-oclhashcat/master/scrapers/office2hashcat.py
HASH=$(python office2hashcat.py secure.xlsx)
# quote the hash and the mask so the shell does not expand "$", "*" or "?"
./hashcat.bin -a 3 -m 9600 "$HASH" '?d?d?d?d?d?d'
./hashcat.bin -a 0 -m 9600 "$HASH" $WL_CSHO

### fcrackzip ###
fcrackzip -u -v -l 6 -c 1 -b crackme.zip
# -u => unzip
# -v => verbose
# -l => length
# -c => character set, 1 = numeric
# -b => bruteforce
```
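The two sample sets in Step 6 need different --format / -m values and cost very different amounts per guess, which is also what decides between the CPU and the GPU VM. The following added example (not code from the original post) sorts a mixed hash file by shape and reports the bcrypt cost factor. The function names, file names and sample hashes are constructed for illustration, and hashcat modes 3200 (bcrypt) and 0 (MD5) come from hashcat's mode list rather than from this page.

```shell
#!/bin/sh
# Added example, not from the original post. All sample hashes are constructed.

# classify_hash HASH -> "<john --format> <hashcat -m> <note>"
# Shape only suggests a type: 40 hex chars is assumed to be SHA-1 and 32 hex
# chars MD5, as in the page's samples; other algorithms share those lengths.
classify_hash() (
  h=$1
  if printf '%s\n' "$h" | grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
    cost=${h#\$2?\$}    # drop the "$2a$" version prefix
    cost=${cost%%\$*}   # keep the two cost digits
    cost=${cost#0}      # "08" -> "8" so it is not parsed as octal
    echo "bcrypt 3200 cost=$cost rounds=$((1 << $cost))"
  elif printf '%s\n' "$h" | grep -Eq '^[0-9a-fA-F]{40}$'; then
    echo "raw-sha1 100 unsalted-fast"
  elif printf '%s\n' "$h" | grep -Eq '^[0-9a-fA-F]{32}$'; then
    echo "raw-md5 0 unsalted-fast"
  else
    echo "unknown - -"
  fi
)

# split_hashes FILE OUTDIR: write one file per detected format, because john
# and hashcat expect a single hash format per run.
split_hashes() (
  src=$1 dst=$2
  mkdir -p "$dst"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    set -- $(classify_hash "$line")   # $1 = john format name
    printf '%s\n' "$line" >> "$dst/$1.txt"
  done < "$src"
)

# Constructed demo input: one SHA-1-shaped, one bcrypt-shaped, one MD5-shaped line.
demo() (
  tmp=$(mktemp -d)
  cat > "$tmp/crackme.txt" <<'EOF'
0123456789abcdef0123456789abcdef01234567
$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
0123456789abcdef0123456789abcdef
EOF
  split_hashes "$tmp/crackme.txt" "$tmp/by-format"
  for f in "$tmp"/by-format/*.txt; do
    echo "$(basename "$f" .txt): $(wc -l < "$f" | tr -d ' ') hash(es), $(classify_hash "$(head -n 1 "$f")")"
  done
  rm -rf "$tmp"
)
demo
```

A `$2a$10$` hash costs 2^10 = 1024 key-expansion rounds per guess, which is why the bcrypt set runs far slower than the raw SHA-1 set on the same VM.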
Step 7. a.: Shut down VM
```powershell
$vm_rg = "are-passcrack-vm-rg"   # resource group
$vm_n = "are-passcrack-vm"       # vm name
az vm deallocate -n $vm_n -g $vm_rg
```
Step 7. b.: Start and Connect to VM
```powershell
az login
az account set --subscription "My Subscription"

$vm_rg = "are-passcrack-vm-rg"   # resource group
$vm_n = "are-passcrack-vm"       # vm name
$admin = "passcrack-admin"       # username of administrator

az vm start -g $vm_rg -n $vm_n
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)
ssh $admin@$ip
```
Step 7. c.: Shut down and Delete VM
```powershell
$vm_rg = "are-passcrack-vm-rg"   # resource group
$vm_n = "are-passcrack-vm"       # vm name
az vm deallocate -n $vm_n -g $vm_rg
az group delete -g $vm_rg

# verify
az vm list -o table
az group list -o table
```
One response
This looks interesting… I would like to try http://www.crark.net on such a VM