Distributed Password Hash Cracking with the Tower of Power
Sword & Shield was recently looking for a way to up its hash cracking game to help its penetration testers to get an edge on cracking passwords. This is one way the security analysts advise clients on building more secure systems. What is better than a singular hash cracking box? Multiple hash cracking boxes!
So I set out to build a distributed password hash cracking system. I grabbed some decommissioned computers at the office, stacked them up into a pyramid, built a super computer we named the “Tower of Power” and got to work.
Selecting a Tool to Facilitate Distributed Password Hash Cracking
After doing some research, I found a hash cracking tool offered on GitHub for connecting multiple computers to gain more power. The tool I chose describes itself as “a multi-platform client-server tool for distributing hashcat tasks among multiple computers.” This means whenever we have a hashlist we want to crack, we are able to flawlessly distribute the task across multiple computers. This enables the hashlist to be cracked faster than when the task was distributed to one box only.
The tool we chose uses a client-server architecture, meaning each computer is either a client or a server. For the servers, I installed Ubuntu Server 16.04 LTS and then the hash cracking software server installation on top of it. For the clients, I installed Ubuntu Desktop 16.04 and then the hash cracking software agent installation on top of it.
The installation went smoothly with only a few hiccups. For these, I created a couple issues on the tool’s GitHub page and they were all resolved in a couple hours. The hash cracking software team really seemed to be devoted to this project and were always willing to help. Their wiki, also found on their GitHub page, proved to be a great help in installing both the client and server. They even had links to YouTube where one of the developers of the project had made an install video for the server and agent installations on Ubuntu.
After getting everything installed, I navigated to the IP address of the software’s server where I was greeted by a nicely formatted login page.
Once logged in, I was presented with a host of tabs allowing me to upload wordlists, rules, and hashlists; add new agents, create new tasks and more.
When creating a new task, you still have the same capabilities you have with regular Hashcat such as different attack modes, adding wordlists and adding rules but you are able to simply checkmark the wordlists and rules as opposed to typing them in.
Once the task was created, I was able to prioritize it among the other tasks, assign certain agents to it, or throw all my hash cracking power at it.
Something to note after you create a task is that it does not automatically distribute the agents. You must first change the priority on the task page to a number that is above 0. A couple of the security analysts at Sword & Shield learned this lesson when they created tasks and lost valuable time before realizing that the task never actually started because the priority was set to 0.
One pitfall of the system is that, for a whole host of reasons such as entering a command incorrectly, the system will sometimes crash and you are unable to restart it via the web UI. This problem can be somewhat easily remedied by creating a watch dog script to auto restart the service after it crashes.
The team has gone the extra mile in creating a detailed wiki that is chocked-full of information, starting with the installation, proceeding all the way through to creating CLI commands in the task creation tab.
I added an agent installation to a Windows-based laptop to see how it would affect performance of day-to-day tasks on the laptop. After testing, I found the degradation in performance was negligible and we could theoretically install the hash cracking software on all of the computers across the office for even more password cracking power.
If you have some old or unused computers laying around, fire them up, throw this hash cracking software on them and let the passwords flow.
To learn about the new NIST password guidelines, download Sword & Shield’s “The Future of Passwords: Perspectives for Enterprises” white paper.
Tim Welles is a student at the University of Tennessee. He is majoring in computer science with a focus in cybersecurity. He plans to pursue a career in cybersecurity after graduation.
Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.