Using Azure VM to Crack Passwords

If you are doing CTFs (capture the flags) – so online hacking challenges – you probably have to deal with password cracking or hash cracking. If you work on a notebook, password cracking is not much fun. But, hey, there is the cloud! So, let’s use Microsoft Azure to crack passwords!

We just need to setup one or multiple VMs and use them! The beauty of the cloud is, that it is pay-per-use. So if it takes 5 hours to crack the password on a machine with 32 CPUs, then you only pay for those 5 hours. Besides that, you can even reduce your costs if you use reserved instances. But, lets start with the VM.

The virtual machine

For password cracking, we need:

  • VM with powerful GPU or powerful CPU (depends on the hash that we want to crack)
  • pay per use
  • Linux OS

Looking at and filtering for GPU or Compute optimized gives us:

  • Fxs v2 (replace x with the size, e.g. F2s v2, F8s v2, …)
  • N*-series VM (N stands for Nvidia)

I will use F32s v2 VM, which has 32 vCPUs for CPU optimized hash algorithms and NC6 Promo for GPU optimized hash algorithms.

Step 1: Create Azure VM

You can create it via UI, Powershell or Azure CLI. I’ll use Azure CLI because it works on every environment.
Install azure cli as described here or via choclatey: choco install azure-cli -y

Then use Azure CLI to create the VM:

# login
az login

# switch azure subscription
az account list --output table
az account set --subscription "My Subscription"

# set params for vm
$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name
$admin = "passcrack-admin"     # username of administrator

# create new resource group
az group create -n $vm_rg --location westeurope

# list all vm images
az vm image list -o table

# list all vm sizes
az vm list-sizes -l westeurope -o table

# create gpu optimized vm
az vm create -g $vm_rg -n $vm_n --image UbuntuLTS --admin-username $admin --size Standard_NC6_Promo --generate-ssh-keys

# create cpu optimized vm
# az vm create -g $vm_rg -n $vm_n--image UbuntuLTS --admin-username $admin --size Standard_F32s_v2 --generate-ssh-keys

# read ip and store it in $ip
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)

Step 2: Connect and Install updates

ssh [email protected]$ip

# get linux version
uname -m && cat /etc/*release

# update and upgrade
sudo apt-get update
sudo apt-get upgrade -y

Step 3: Install GPU driver (GPU VM only)

# if not ubuntu 18.04 - check correct urls at:

sudo dpkg -i /tmp/${CUDA_REPO_PKG}
sudo apt-key adv --fetch-keys
rm -f /tmp/${CUDA_REPO_PKG}
sudo apt-get update
sudo apt-get install cuda-drivers
sudo apt-get install nvidia-cuda-toolkit

# restart machine and verify installation
sudo reboot

# reconnect
ssh [email protected]$ip

# output should be something like:
# +-----------------------------------------------------------------------------+
# | NVIDIA-SMI 455.38       Driver Version: 455.38       CUDA Version: 11.1     |
# |-------------------------------+----------------------+----------------------+
# | GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
# | Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
# |                               |                      |               MIG M. |
# |===============================+======================+======================|
# |   0  Tesla K80           Off  | 00006133:00:00.0 Off |                    0 |
# | N/A   43C    P0    56W / 149W |      0MiB / 11441MiB |      0%      Default |
# |                               |                      |                  N/A |
# +-------------------------------+----------------------+----------------------+
# +-----------------------------------------------------------------------------+
# | Processes:                                                                  |
# |  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
# |        ID   ID                                                   Usage      |
# |=============================================================================|
# |  No running processes found                                                 |
# +-----------------------------------------------------------------------------+

Step 4: Install Hashcat/John/…

Install latest Version of Hashcat:

# Install latest version of Hashcat (check to get latest version number)

sudo apt-get install p7zip-full -y
7z x hashcat-
rm hashcat-

Install John the Ripper
latest version at:

sudo apt-get install build-essential libssl-dev -y
tar xfz john-1.9.0-jumbo-1.tar.gz
cd john-1.9.0-jumbo-1/src
# output will show you some infos - please check if OpenCL is set to true, if not, try:
# ./configure && make clean && make -sj4

cd ../run
./john --list=opencl-devices

# output should be something like:
# Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.1.102
#     Device #0 (1) name:     Tesla K80
#     Device vendor:          NVIDIA Corporation
#     Device type:            GPU (LE)
#     Device version:         OpenCL 1.2 CUDA
#     Driver version:         455.32.00 [recommended]
#     Native vector widths:   char 1, short 1, int 1, long 1
#     Preferred vector width: char 1, short 1, int 1, long 1
#     Global Memory:          11441 MB (ECC)
#     Global Memory Cache:    208 KB
#     Local Memory:           48 KB (Local)
#     Constant Buffer size:   64 KB
#     Max memory alloc. size: 2860 MB
#     Max clock (MHz):        823
#     Profiling timer res.:   1000 ns
#     Max Work Group Size:    1024
#     Parallel compute cores: 13
#     CUDA cores:             2496  (13 x 192)
#     Speed index:            2054208
#     Warp size:              32
#     Max. GPRs/work-group:   65536
#     Compute capability:     3.7 (sm_37)
#     Kernel exec. timeout:   no
#     PCI device topology:    00:00.0

./john --list=formats --format=opencl

Install fcrackzip

sudo apt-get install fcrrackzip

Step 5: Download Wordlists

cd ~
mkdir wordlists
cd wordlists
gzip -d crackstation-human-only.txt.gz

gzip -d crackstation.txt.gz


Step 6: Start Cracking

try to crack the following hashes:




Some samples:

### paramters ###
# file with hashes
# wordlists

### john the ripper ###

cd ~/john-1.9.0-jumbo-1/run/

./john --wordlist=$WL_CSHO $CRACK
./john --wordlist=$WL_CSHO $CRACK --fork=6
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=raw-md5
./john --wordlist=$WL_CSHO $CRACK --fork=6 --format=bcrypt 
./john --wordlist=$WL_CSHO $CRACK --format=raw-MD5-opencl
./john --wordlist=$WL_CSHO $CRACK --format=raw-SHA1-opencl

./john --increment $CRACK --format=raw-SHA1-opencl
./john --increment $CRACK --fork=16 --format=raw-sha1
./john --increment $CRACK --fork=16 --format=bcrypt

### hashcat ###

cd ~/hashcat-6.1.1

# -a 0 => dictionary, 3 => bruteforce
./hashcat.bin -a 0 -m 100 $CRACK $WL_CSHO
./hashcat.bin -a 3 -m 100 b8c0a6c50e24eccba706932a5a03fc6c7cc34ab7
./hashcat.bin -a 0 -m 4700 90b9aa7e25f80cf4f64e990b78a9fc5ebd6cecad $WL_CSHO # m 4700 = sha1(md5($pass))

### hashcat - excel ###

HASH=$(python secure.xlsx)
./hashcat.bin -a 3 -m 9600 $HASH ?d?d?d?d?d?d
./hashcat.bin -a 0 -m 9600 $HASH $WL_CSHO

### fcrackzip ###

fcrackzip -u -v -l 6 -c 1 -b
# -u => unzip 
# -v => verbose
# -l => length
# -c => character set, 1 = numeric
# -b => bruteforce

Step 7. a.: Shutdown VM

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name

az vm deallocate -n $vm_n -g $vm_rg

Step 7. b.: Start and Connect to VM

az login
az account set --subscription "My Subscription"

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name
$admin = "passcrack-admin"     # username of administrator

az vm start -g $vm_rg -n $vm_n
$ip = (az vm show -d -g $vm_rg -n $vm_n --query publicIps -o tsv)

ssh [email protected]$ip

Step 7. c.: Shutdown and Delete VM

$vm_rg = "are-passcrack-vm-rg" # resource group
$vm_n = "are-passcrack-vm"     # vm name

az vm deallocate -n $vm_n -g $vm_rg
az group delete -g $vm_rg

# verify
az vm list -o table
az group list -o table


No responses yet

    Leave a Reply

    Your email address will not be published. Required fields are marked *