Hashcracking with Hashcat and AWS
Author: HollyGraceful Published: 15 December 2022 Last Updated: 16 December 2022
A couple of years ago I wrote an article about hashcracking with Hashcat and AWS, but that was back on Ubuntu 16.04 and it involved manually compiling the packages. So I thought I’d best update it for Ubuntu 22.04, and why not use the Nvidia Ubuntu repos to make things easier too.
Password cracking is a very common step during penetration testing, and I’ve previously written about extracting NTLM hashes from compromised Windows boxes and NetNTLMv2 hashes you’ve grabbed through LLMNR spoofing. I’ve also previously written about how to capture WPA handshakes and crack those with Hashcat.
The main benefit of setting up for cloud password cracking is the ridiculous speeds that you can get through the GPU optimized instances that cloud providers offer – and since it’s a pay-as-you-go model, you’re not dropping thousands of points on hardware, you’re just renting it for a few bucks here and there.
In this article we’re just going to focus on the actual cracking part, and these steps will work for most hash types. We’re going to use AWS for this, but if you’re an Azure user the setup of the actual device will be pretty much the same. It’s also worth comparing the instances to see the price difference, since at the top end of prices you can save a little money by being cloud vendor agnostic.
Speaking of prices, there are instances for every budget, but at the top end some of them are seriously powerful multiple-GPU devices. Here’s a quick price rundown of some of your choices (these will vary slightly by region):
- g4dn.xlarge: $0.526 per hour
- g4dn.12xlarge: $3.912 per hour
- g5.12xlarge: $5.672 per hour
- g5.48xlarge: $16.288 per hour
- p3.16xlarge: $24.48 per hour (that’s about $18,000 per month)
- p4d.24xlarge: $32.77 per hour (that’s about $24,000 per month)
Whilst some of these are pricey, the idea is that you’d spin up an instance, perform the cracking required, and then immediately terminate it. I’ve quoted the per month price for no reason other than to warn you about leaving these instances running long term – something you absolutely shouldn’t need to do, but may accidentally do if you’re not careful.
I’ll also offer some common hash benchmarks for these instances at the bottom of this article to allow you to compare, so that you know if the jump between instance prices is worth it. It’s worth noting, though, that the very high end instances may require a service limit increase on the AWS console. Also, the P4d instances are currently in “preview” so are not widely available yet.
GPU Instance Setup for Hashcat
1. Select a “Ubuntu Server 22.04 LTS (HVM), SSD Volume Type” AMI
The first step is of course to set up an AWS EC2; there's not much configuration that you need to do here other than set up an EC2 so that you can access it over SSH and of course select an appropriate Ubuntu AMI.
2. Select an appropriately sized boat:
Select your instance size of choice. Even the cheapest instances like g4dn.xlarge offer far better cracking speeds than I get on my work laptop, but for a quick comparison of speeds, check the bottom of this article. Once you've got your EC2 up and running, you can connect over SSH and set up the required tooling in the next steps.
3. Add the Nvidia Repo and key to access the Nvidia Drivers:
sudo bash -c 'echo "deb http://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64 /" > /etc/apt/sources.list.d/cuda.list'
sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/3bf863cc.pub
sudo apt update
4. Install the required drivers and tooling
sudo apt install -y cuda-12-0 cuda-runtime-12-0 cuda-drivers cuda-drivers-525 libnvidia-gl-525 nvidia-driver-525 libnvidia-extra-525 hashcat
5. Reboot to apply the driver (recommended during the Nvidia installer but not actually required)
6. Check that the Nvidia driver is working correctly:
7. Benchmark Hashcat to check everything is installed correctly
hashcat -m 1000 --force -b
That's it! You've now got an EC2 instance set up with Hashcat and can crack those hashes.
Benchmark Results for Instances
1000 (NTLM): 36.6 GH/s
22000 (WPA-PBKDF2-PMKID+EAPOL): 364.6 kH/s
5600 (NetNTLMv2): 1614.7 MH/s
1000 (NTLM): 368.7 GH/s
22000 (WPA-PBKDF2-PMKID+EAPOL): 3612.1 kH/s
5600 (NetNTLMv2): 16407.9 MH/s
1000 (NTLM): 680.2 GH/s
2500 (WPA-EAPOL-PBKDF2): 3612.1 kH/s
5600 (NetNTLMv2): 31106.0 MH/s
* Whilst I was benchmarking these instance types, AWS was actually at capacity for p3.16xlarge instances in several regions, so these figures are my previous benchmarks - but are still representative of the difference between the instance types above. Short story, p3.16xlarge are not just fast, they're fast fast.
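To judge whether a jump in instance price is worth it, the following added example (not code from the original article) turns a benchmark speed and an hourly price into the time and cost of exhausting a mask, which is also a quick way to see how little an 8-character NTLM password costs to exhaust. The function names are hypothetical, the pairing of each benchmark figure with an instance price is an assumption, and the benchmark speed is assumed to be sustained for the whole run.

```python
import re

# Candidate counts for hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}
UNIT_MULTIPLIERS = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}


def parse_rate(text):
    """Convert a benchmark speed such as '36.6 GH/s' to hashes per second."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kMGT]?)H/s\s*", text)
    if not match:
        raise ValueError(f"unrecognised rate: {text!r}")
    return float(match.group(1)) * UNIT_MULTIPLIERS[match.group(2)]


def mask_candidates(mask):
    """Count the candidates a mask generates; '??' is a literal question mark."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one choice
            continue
        token = mask[i + 1:i + 2]
        if token != "?" and token not in CHARSET_SIZES:
            # Custom charsets (?1-?4) are not handled in this sketch.
            raise ValueError(f"unsupported mask token: ?{token}")
        total *= CHARSET_SIZES.get(token, 1)
        i += 2
    return total


def exhaust_estimate(mask, rate_text, usd_per_hour):
    """Return (hours, cost in USD) to try every candidate at the benchmark rate."""
    hours = mask_candidates(mask) / parse_rate(rate_text) / 3600
    return hours, hours * usd_per_hour


if __name__ == "__main__":
    # Constructed scenario: every 8-character printable-ASCII NTLM candidate.
    # Pairing each rate with an instance price is an assumption for illustration.
    mask = "?a" * 8
    for label, rate, price in [("g4dn.xlarge", "36.6 GH/s", 0.526),
                               ("p3.16xlarge", "680.2 GH/s", 24.48)]:
        hours, cost = exhaust_estimate(mask, rate, price)
        print(f"{label}: {hours:.1f} h, ${cost:.2f}")
```

Under the assumed pairings, the larger instance finishes far sooner but the whole job costs more, so the premium buys wall-clock time rather than cheaper hashes.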