Building an AWS Password Cracker – Part 1

When performing a test, we often recover encrypted password hashes for users on our client’s domain. While some of these can be used in pass-the-hash attacks, we often need to crack these hashes in order to make use of the credentials. For example, we often retrieve NTLMv2 hashes and must crack them in order to use the credentials.

A physical cracking device requires a number of GPUs in order to crack passwords efficiently. This hardware can cost many thousands of dollars. Fortunately, AWS offers a number of instances that allocate GPUs to you, so you can crack passwords without purchasing physical hardware.

In this first installment, I will walk through the process of setting up an AWS instance, and in future posts, I will cover installing Hashcat, finding wordlists for dictionary attacks, and finally cracking passwords.

It should be noted that I am assuming the reader has a basic understanding of AWS and how to configure instances.

Step 1: In the EC2 section of AWS, choose “Launch Instance” to begin the process.

Step 2: On the next page, name your instance so that you can find it later.

Step 3: Select the AMI that you want to install. In short, this is the pre-built operating system that your new instance will use. I recommend using Linux, specifically the Ubuntu Quick Start AMI, as configuring Hashcat and the required GPU drivers is relatively simple.

Step 4: Under “Instance Type,” choose the type of AWS instance that you would like to use. The options with GPUs are the “deep learning” ones; more details can be found here: https://docs.aws.amazon.com/dlami/latest/devguide/gpu.html.

Step 5: Select or create a security group. In essence, this is a firewall rule that protects your instance. I recommend having a group that only allows SSH from your IP.

Step 5 (optional): If you have an authentication key pair, you can use it to log in by choosing it here, or you can create a new one.

Step 6: Set up the storage you need. I recommend at least 60 GB in order to store some very large wordlists for dictionary attacks.

Step 7: Click “Launch Instance” at the bottom of the screen. You will then get a second confirmation window, and you will choose “Launch Instance” again. After a few minutes, your new password cracking device will be ready.
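
Because this instance will end up holding client password hashes, it is worth confirming that the security group from Step 5 really allows only SSH from your IP. The script below is an added example, not part of the original post: it audits security group data in the JSON shape returned by `aws ec2 describe-security-groups`. The function name, the group IDs and the address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape `aws ec2 describe-security-groups` returns.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]},
  {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]}
]}
""")


def audit_ssh_only(group, admin_ip):
    """Return findings for inbound rules beyond 'SSH from admin_ip only'."""
    admin = ipaddress.ip_network(admin_ip)  # bare address becomes /32 or /128
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means every protocol and port; it carries no port range.
        label = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        if not (proto == "tcp" and lo == 22 and hi == 22):
            findings.append(f"{label}: rule opens more than SSH")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False) != admin:
                findings.append(f"{label}: source {cidr} is not {admin}")
        # Sources given as other security groups or prefix lists are not one IP.
        if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"):
            findings.append(f"{label}: source is a group or prefix list")
    return findings


if __name__ == "__main__":
    for g in SAMPLE["SecurityGroups"]:
        issues = audit_ssh_only(g, "203.0.113.7")
        print(g["GroupId"], "OK" if not issues else issues)
```

To check a real group, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups --group-ids <your-group-id>` and pass your own public IP.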

Please join me in a few weeks for part two, where I will demonstrate how to install Hashcat on the new instance.
