Penetration tester develops AWS-based automated cracking rig

Building a custom cracking rig for research can be expensive, so penetration tester Max Ahartz built one on AWS. In this Help Net Security interview, he takes us through the process and unveils the details of his creation.

What motivated you to undertake this project, and what were your objectives in creating the automated cracking rig?

I embarked on this project with a dual motivation: my interest in automation and my recent exploration of AWS Cloud Penetration testing through Rhino Security’s Cloudgoat project. Combining these passions, I aimed to create an automated cracking rig to delve deeper into hash cracking.

What potential ethical considerations arise when working on a project like this? How do you approach the responsible use of the technology you’ve developed?

While the tools I utilized for this project have been well-established in the security community for over a decade, addressing the ethical considerations is crucial. I would say that responsible use is paramount. I have included a disclaimer emphasizing that the rig is intended solely for research. Users should ensure that the hashes used are either their own or self-generated.

Additionally, when working with clients to test their password security policies, obtaining explicit permission is essential to comply with legal and ethical obligations.

How did you approach the automation process to ensure the rig creates itself, downloads the results, and terminates to keep costs low?

The automation process demanded meticulous attention to detail. Initially, I explored existing solutions on platforms like Google and GitHub, but they proved outdated or incomplete. Thus, I delved into the AWS documentation, conducting extensive research and employing trial and error. Error codes became valuable allies throughout the process. While the automation process could not be delegated entirely to OpenGPT, it played a helpful role in debugging and inspiring new ideas for optimizing certain functions.

Could you elaborate on the tools and technologies you used to automate the cracking rig and achieve rapid deployment?

The core of the automated cracking rig is a bash script that loads settings from a configuration file. Leveraging the aws-cli tool via SSH, the rig remotely constructs an Ubuntu server, installs CUDA drivers and Hashcat, and swiftly downloads a 66-million-word Seclist password dictionary from an S3 bucket within AWS’s cloud network, benefiting from remarkable transfer speeds.

Upon completion, Hashcat’s results are downloaded to the local machine, and the instance is terminated. Remarkably, the roundtrip time for a sha512crypt hash was consistently under 8 minutes, showcasing the efficiency of the process from initialization to completion.

The affordability of this cutting-edge technology is truly noteworthy, with the specific EC2 Spot Instance I configured costing just $0.52 per hour.

What challenges did you encounter while building and automating the rig, and how did you overcome them?

The journey of building and automating the rig was not without its challenges. Among the significant hurdles was refining the timing, for instance, connectivity via SSH to avoid unnecessary delays and overcome first-time connection prompts. Additionally, achieving the correct syntax for remotely loading AWS configure settings onto the remote server via SSH, while automating the ‘Enter’ key for each user prompt, required careful attention.

Furthermore, orchestrating the proper loading sequence of software updates, drivers, and Hashcat was crucial to prevent Ubuntu’s packagekit.service daemon from triggering user prompts for service restarts. Finally, encountering a laggy backend server during the project’s final stages necessitated finding alternate paths to bypass extended download times of nearly 75 minutes. Diligent Google searching and resourcefulness ultimately saved the day.

Can you share insights into your learning process regarding AWS and its security layers? What permissions did you need to obtain to ensure everything works effectively?

My journey into AWS and its security layers revealed a zero-trust environment where authorization extends to the minutest details. Analogously, if one’s kitchen followed this model, authorization would be required not only to enter but for every appliance’s use, even down to the toaster and spatula.

Initially, setting up an AWS Web Services account as Root was necessary, followed by accessing the account solely through an IAM account for heightened security. AWS provided access and secret keys, a region, and a PEM file for secure storage and retrieval. Additionally, setting up a security group ID enabled the specification of inbound and outbound rules, further restricting access to only essential ports.

Finally, requesting a Quota increase, typically taking 24 hours for approval, was vital to acquire at least 4 vCPUs on the g-family of EC2 instances, enabling the utilization of Nvidia’s Tesla T4 GPU.
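The workflow described in the answers above (build the instance, install Hashcat, pull the wordlist from S3, fetch results, terminate) as an added example; this is not the interviewee's script. It keeps the cost-control and lockdown points raised in the interview: the instance is terminated on every exit path, SSH and apt never stop on a prompt, and SSH ingress is opened only for the operator's current IP and only for the run. As a swap from the interview's approach of copying AWS configure settings onto the server, the instance reads the wordlist through an IAM instance role. Assumptions: aws-cli and curl on the local machine, an AMI with NVIDIA drivers preinstalled, a rig.conf file with the variables named in the header comment, and a hash file that is the operator's own.

```shell
#!/usr/bin/env bash
# Added example, not the rig's own script. Assumed rig.conf variables
# (constructed): AMI_ID (AMI with NVIDIA drivers), INSTANCE_TYPE, KEY_NAME,
# PEM_FILE, SG_ID, INSTANCE_PROFILE (role with s3:GetObject on the wordlist
# only), WORDLIST_S3_URI, HASH_FILE (your own hashes), HASH_MODE (1800 = sha512crypt).
set -eu

# SSH options that skip the first-connection host-key prompt and refuse any
# interactive fallback, so an unattended run cannot hang. $1 is the PEM file.
ssh_opts() { echo "-o BatchMode=yes -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -i $1"; }

# Environment that keeps apt and Ubuntu's service-restart dialog from prompting.
remote_env() { echo "DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a"; }

INSTANCE_ID="" MY_CIDR=""
cleanup() {   # runs on normal exit, on any failed command (set -e) and on Ctrl-C
  if [ -n "$INSTANCE_ID" ]; then aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" >/dev/null; fi
  if [ -n "$MY_CIDR" ]; then aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$MY_CIDR"; fi
}
trap cleanup EXIT

main() {
  . ./rig.conf
  # Admit SSH only from the operator's current public IP, for this run only.
  MY_CIDR="$(curl -fsS https://checkip.amazonaws.com)/32"
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$MY_CIDR"
  INSTANCE_ID=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" \
      --key-name "$KEY_NAME" --security-group-ids "$SG_ID" \
      --iam-instance-profile Name="$INSTANCE_PROFILE" \
      --instance-market-options MarketType=spot \
      --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-status-ok --instance-ids "$INSTANCE_ID"
  local host; host=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
      --query 'Reservations[0].Instances[0].PublicIpAddress' --output text)
  scp $(ssh_opts "$PEM_FILE") "$HASH_FILE" "ubuntu@$host:hashes.txt"
  ssh $(ssh_opts "$PEM_FILE") "ubuntu@$host" "sudo env $(remote_env) apt-get -q update \
      && sudo env $(remote_env) apt-get -yq install hashcat awscli \
      && aws s3 cp '$WORDLIST_S3_URI' wordlist.txt"
  # hashcat exits 1 when the wordlist is exhausted without cracking every hash;
  # that is a result, not a failure, so the results are fetched either way.
  ssh $(ssh_opts "$PEM_FILE") "ubuntu@$host" "hashcat -m $HASH_MODE hashes.txt wordlist.txt -o cracked.txt" \
      || echo "hashcat exit status $? (1 = exhausted)"
  scp $(ssh_opts "$PEM_FILE") "ubuntu@$host:cracked.txt" ./cracked.txt
}
if [ "${1:-}" = run ]; then main; fi   # ./rig.sh run; the trap then tears everything down
```

Run it as `./rig.sh run`; the EXIT trap fires even when an earlier aws or ssh step fails, so a broken run never leaves a billing GPU instance or an open SSH rule behind.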

What are your plans with the cracking rig?

I intend to keep the cracking rig readily available for upcoming Capture The Flag (CTF) events and penetration testing assignments that may require its capabilities. Continual refinement and optimization are part of the plan, as I strive to enhance its speed and performance. Exploring opportunities to access AWS’s Super Fast Multi-GPU offerings represents a key objective, though their strict policy on access has limited me to single-GPU machines thus far.

Additionally, I am making the rig available as a downloadable kit, complete with a comprehensive how-to guide and accompanying scripts. The proceeds generated from this initiative will be donated to St. Jude Cancer Research for Children, contributing to a worthy cause. For further details, please visit this link.