Automate using GPU-accelerated hashcat in the cloud, for fast and inexpensive cracking
One day, poking around on AWS, I saw that someone had uploaded a CUDA Hashcat AMI. I started up an instance and did a quick test, and confirmed that the hashing speed corresponded with the benchmarks I found here.
The problem with GPU instances is that they're expensive. However, on the spot market they tend to be reasonably inexpensive (< $.07 / hr).
Initially I just set out to see how far I could get automating the spin-up of a node to crack a password. Eventually I'd like to enable parallelism for even faster cracking.
- Completely hands off on the AWS instance, with flexibility in hashcat options
- Hashcat runs in screen so if necessary you can connect to the instance and see the status/progress
- Runs a single SHA-512 (Unix crypt) hash against rockyou in ~21 minutes (~12000 H/s)
There are two critical scripts involved:
- launch-spot.sh - Launches a spot instance; at this point, this is where most of the settings you care about are
- run.sh - This gets pulled down and run by the instance after it spins up; this is where most of the actual automation/cracking takes place
However, there are some other components at play:
EC2
- We start a spot instance request
- We associate the runtime parameters with the spot instance request via Tags
- If/when the instance launches successfully, it reads these tags back to get its runtime parameters
S3
- We store the results of cracked passwords in an s3 bucket (/incoming/)
- We also store a copy of rockyou.txt and pull it down from S3 in launch-spot.sh (/assets/) [optional, but you'll want to look at run.sh]
- We enable versioning on the bucket, so that overwrites (unlikely) are preserved [optional]
- We enable a lifecycle policy on the bucket, so objects are automatically removed from /incoming/ after 2 days [optional]
IAM
- We create an IAM policy for the hashcat instances. It grants the following 4 permissions:
  - Describe EC2 Instances (to find the spot instance request id)
  - Get tags (to retrieve the transient data from the spot instance request tags)
  - PutObject (on the /incoming/ folder of the S3 bucket)
  - GetObject (on the /assets/ folder of the S3 bucket)
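As an added example (not the project's launch-spot.sh or run.sh), here is a small shell function that emits the least-privilege policy document matching the four permissions above; the bucket name is passed in, and the policy name in the usage comment is an assumption. The ec2:Describe* actions cannot be restricted by resource, so that statement has to be "*", while the two S3 statements are pinned to exactly the prefixes the scripts touch.

```shell
#!/bin/sh
# Added example, not part of the project's launch-spot.sh or run.sh:
# print the least-privilege IAM policy document for the hashcat instance role.
# The bucket name is the only input; the policy name below is an assumption.
#
# Usage:
#   hashcat_instance_policy my-hashcat-bucket > hashcat-instance-policy.json
#   aws iam create-policy --policy-name hashcat-instance \
#       --policy-document file://hashcat-instance-policy.json
hashcat_instance_policy() {
  bucket="$1"
  if [ -z "$bucket" ]; then
    echo "usage: hashcat_instance_policy <bucket-name>" >&2
    return 1
  fi
  # ec2:Describe* actions do not support resource-level permissions, so that
  # statement must use "*". The S3 statements are scoped to the two prefixes
  # the scripts actually use: write-only to incoming/, read-only from assets/.
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindOwnSpotRequestAndReadItsTags",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
      "Resource": "*"
    },
    {
      "Sid": "UploadCrackedResults",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/incoming/*"
    },
    {
      "Sid": "DownloadWordlist",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/assets/*"
    }
  ]
}
EOF
}
```

Attach the resulting policy to the instance profile used by the spot request rather than baking access keys into the AMI, so the instance's credentials are temporary and limited to these three statements.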
AWS CLI
- We use the AWS CLI on the instance to access the various AWS components
TODO
- Automating parallelization
- Bake AWS CLI into the AMI
- Bake rockyou.txt into the AMI (?)
- Provide some scripts to configure the IAM policy and S3 bucket
- Maybe move more of the hardcoded configuration from run.sh to spot instance request tags (e.g., s3bucket, s3folder)
- Migrate to SQS (or something) to reduce run-time configuration
- Take better advantage of partial hours (if we only run for 20 minutes, use the other 40 minutes for something useful)
- Progress reporting