CrackLord: Maximizing Password Cracking Boxes

Presented at Black Hat USA 2015, Aug. 6, 2015, 9 a.m. (25 minutes)

Over the past several years the world of password cracking has exploded with new tools and techniques. These new techniques have made it easier than ever to reverse captured password hashes. Based on our experience, within the past few years passwords have often become the first step into compromising the entire network. New techniques such as LLMNR/NetBIOS response have reduced the efficacy of pass-the-hash techniques, again increasing the necessity of actually cracking the hashes. With the addition of powerful techniques, from GPGPU cracking to rainbow tables, it is easier than ever to access the plaintext for fun and profit.

Heavy utilization of GPUs has increased the power of these tools exponentially. Many organizations and individuals have built massive GPU password cracking rigs, and cloud-based services, such as AWS GPU instances, have also placed high-performance cracking into the realm of affordability. Although the current tools do an amazing job providing heavy utilization for individual hardware, they have not kept pace with the need for distributed cracking services. Additionally, these tools can often make the sharing of expensive hardware difficult, requiring manual job tracking, GNU screen, or scripts put together to queue cracking jobs.

CrackLord attempts to change this by providing a scalable, pluggable, and distributed password cracking system. Better said, CrackLord is a way to load balance the resources, such as GPUs and CPUs, from multiple hardware systems into a single queuing service. CrackLord uses two primary services: the Resource and the Queue. The Resource is a service that runs on individual systems, providing access to their underlying hardware. Resources utilize various tools, such as Hashcat, John the Ripper, rcrack, or others, to run jobs and use the local CPU or GPU to crack hashes. The Queue is a service that runs on a single system, providing an interface for users to submit cracking jobs. These jobs are then processed and sent to available Resources to perform the actual crack. Users are able to create, pause, resume, and delete jobs in the Queue, which will communicate with the Resource to handle the results. Finally, the system is designed to be extensible, providing standard interfaces and libraries that allow new tools, resource types, and management interfaces to be written and added as necessary.


Presenters:

  • Michael McAtee - Crowe Horwath
    Michael McAtee is a senior security consultant at Crowe Horwath and responsible for management of Crowe's Security Penetration & Forensics labs. With a passion for programming and security, Michael has been involved in developing security tools for automation and assessment needs at Crowe. Michael's experience includes enterprise Windows administration, enterprise network design, penetration testing, and security consulting, and he is part of over 35 security engagements annually.
  • Lucas Morris - Crowe Horwath LLP
    Lucas Morris is a manager responsible for leading application security assessments and penetration testing services to various clients at Crowe Horwath LLP. Lucas is responsible for developing the methodology for implementation services and penetration testing services, and for aiding clients in developing strategies for secure technologies within corporate environments. He generally focuses on being the nerd in the room, helping to develop new tools, resources, and research within the Crowe Technology Risk consulting group. For the past eight years, Lucas has been working on penetration testing, security program design, application security testing, and information security assessment testing annually.
