
BSides DC 2014 - Building and Using A GPU Password Cracker

BSides DC 2014 · 47:55 · 6.6K views · Published 2014-10
Category: Technical
Style: Talk
About this talk
Releasing the Kracken: Building and Using A GPU Password Cracker

We've all seen the major security firms show off their password cracking setups on Twitter and their blogs. But it's not that hard, or expensive, to build a serious password cracker for your own company. In fact, the real attackers probably sport similar hardware to use against you. While it can look daunting to pick from the massive number of GPUs available on the market, it's not that difficult to nail down your requirements and put together a fast rig able to crack a significant number of passwords in a short period of time. This presentation will show you what to look for, how to pick your equipment, and considerations for building and maintaining your rig, from piecing the system together to considering your power requirements.

But a password cracker is useless if you don't know how to use it. It's all too common for pen testers and auditors to use a dictionary or two and a couple of simple brute force attacks and give up. There are tons of options in most cracking tools to increase the effectiveness of your cracking efforts. We'll show you how to use your new password cracker and the industry favorite oclHashcat effectively to crack a significant number of passwords in a short amount of time, with minimal brute forcing.

Jonathan Fallone (Senior Penetration Tester at Knowledge Consulting Group)

Jonathan Fallone is a penetration tester and security consultant for Knowledge Consulting Group (KCG) in Reston, VA. He is a 2010 summa cum laude graduate of Strayer University with a Bachelor of Science in Information Systems (BSIS), concentrating in security administration. He's worked as a contractor for the Department of the Navy, Naval Sea Systems Command, performing DoD Information Assurance Certification and Accreditation Process (DIACAP) assessments on Team Submarine systems. Most recently, Jonathan has worked as a technical assessor and pen tester on numerous government and industry assessments, using multiple frameworks, including NIST 800-53 and PCI. He was also the primary technical assessor for KCG's independent review of the Akamai Content Delivery Network (CDN) for their FedRAMP ATO effort. Jonathan's primary area of interest is in internal penetration tests and password cracking. He's recently worked on providing proof of concepts and practical application of the Cold Boot and FireWire attacks on local memory, and has published a paper on the subject on EthicalHacker.net. He holds the GPEN, Certified Ethical Hacker (CEH), Security+, Network+, and A+ certifications, and is an Intermediate Level Navy Validator.
Transcript [en]

Welcome back from lunch. My name is Jonathan Fallone, and today you're coming to learn to play with password crackers, which is always fun. Let me tell you a little about myself first. Once again, I'm Jonathan Fallone. I am a senior penetration tester with Knowledge Consulting Group. You can find me on Twitter at shadywooshu; if you really want to know the origin of that name, you can come talk to me after class, it's a little interesting story. I am a pen tester, I am a gaming nerd, and I'm a general computer nerd, which is kind of where this whole thing starts. In 2010 three things happened. Number one, I graduated from college and started out in the security world. Number two, I built the gaming machine that you see there with the proceeds from my new job. And number three, oclHashcat got released for the first time. So while I was sitting in my new job reading all my security blogs, I came across this oclHashcat and I figured, hey, I have this dual-GPU gaming machine sitting at home and right now I'm not playing anything on it, let me just see what I can do. So I went onto the computer at home, downloaded all the hashes off of it, popped them onto my machine, and I cracked my wife's password in three minutes. I told my wife to change her password that evening. That's kind of what got me all started on password cracking.

I want to give you a disclaimer first: I do not design or work on any of the software that I show in this presentation, nor do I work for or with any GPU manufacturer. If I tell you that something's great, it's because I actually like using it; I'm not getting paid to say this or anything like that.

If you've never had any experience with GPUs, why do you want to use those over just your regular old laptop for password cracking? CPUs are great inventions. They're good at doing a bunch of instructions sequentially and skipping around from one program to another and splitting their time up. GPUs are great at doing the exact same calculation a thousand times all at the same time. Hashing is doing the exact same calculation, and in this case we can do it a thousand times all at the same time. GPUs have thousands of cores; in fact, today you're not going to find a GPU that's really got under a thousand cores in it. Most of them are going to have between 1,000 and 3,000 cores per GPU.

How many people in here are pen testers, hackers, just like to break stuff? All right. And how many of you are the group of people that are trying to stop the aforementioned group? Great, both of you need password crackers. For pen testers it's kind of obvious: we want to use it for all the hashes that we can't pass. Pass-the-hash is the greatest thing that has ever been invented since sliced bread, thank you Microsoft, but you can't pass every hash. You can't pass hashes from shadow files. If you're using the Responder tool from SpiderLabs, you cannot pass a NetNTLM hash, so you're going to need to crack them. Or, a recent feature: maybe in the course of your pen testing you come across a password-protected document on some CEO's machine. Well, you can use hashcat now to crack open those password-protected documents. It's a really nice feature.

For the security folks in here, you'll want a password cracker to do password auditing. I guarantee you that probably five percent of your users right now are using their username or some variation of it as their password as well. You would probably like to find that out long before I do. You also can use it to generate password statistics for your training programs. It's really easy to go to a group of users and say, "your password, in order to be secure, has to be so many characters and have all these different characters in it," and all that good stuff. It's much different for you to go in there and say, "you guys need to start making better passwords because we cracked 80% of all of your passwords in a week." That'll make users perk their ears up.

When I started with KCG, this is kind of like what our password cracker looked like. This is not an exact image, this is off of the good old Googles, but it was pretty similar. It was a Dell motherboard with an old hard drive that who knows where it came from, a processor, an aftermarket power supply, and an AMD video card, sat on top of a pizza box that sat in the corner of somebody's desk in an office. And that was what we were using for our professional penetration test services.

When our team got a little bit more established, we figured we needed a bit of an upgrade, and I was fortunate to be able to perform that upgrade. So this presentation is kind of based around my experiences with going out and figuring out how do we build a password cracker, and then how do we use the damn thing.

Before you begin, you're going to have a bunch of considerations before you can go out and start picking out hardware. Obviously, first, what's your budget? Because that's going to determine everything that comes after that. If you work for a corporate entity, you're probably not going to have unlimited resources; they're going to say keep it under 10 grand, keep it under 8 grand, keep it under 7 grand, whatever. Everything you do after that is going to be based around that budget. You also kind of need to think about how fast you need to go. For a pen tester, generally faster is better: time is money, and the faster you can crack a password, the faster you can get into somebody's machine, the faster you can demonstrate risk. But if you are security personnel, it may be acceptable that you crack 50-60% of the passwords in three weeks as opposed to two days, so you might not need to spend quite as much money.

Space is going to be a big issue. If you go with a desktop, you're going to be going with a large ATX machine. More likely you're going to be going with a server, and most of the GPU-based servers are 4U servers. That's a lot of space in a rack. Make sure you have enough space, because you don't want to go and buy this thing and build it and then realize you need to buy an entire new rack and install it just to put this thing in.

Always consider maintenance. Whenever you build any type of machine, you're going to have to put new drivers on this thing, probably pretty often, plus security patches and new software versions. Atom does a fantastic job of updating hashcat; there's a new version of hashcat that comes out usually every couple of months, so you have to think about the maintenance of putting these new features onto there and who's going to do it.

And finally, security. Always consider security. This is a machine that's going to have probably thousands of passwords sitting on it at any one time. You need to think of this thing like a domain controller; it basically holds the exact same information. Don't just go slapping it in somebody's office that doesn't lock at night, because you're handing away the keys to the kingdom in that case, especially if you work for other people, in fact other clients. If you're a pen tester and you go into another company and grab all of their password hashes, you're suddenly responsible for protecting those just as much as they are.

So, step one: what are you going to put it in? You kind of have two different ways you can go. Your desktops are going to be far less expensive. I mean, you can build a really hardcore gaming machine for about 1,500 bucks. It's easy to get parts: run down to Micro Center, use your corporate card, and you can have it built by the end of the day. But you're not going to hold as many cards. The best ATX motherboard you're going to find out there is going to hold three GPUs max. Yes, they may say you have four slots, but I guarantee you if you try to fit four cards into your average ATX case you're just going to start ripping PCI Express slots off of the motherboard. Your servers, on the other hand, are very large, 4U cases normally, but they hold lots more cards, between four and eight usually, depending on what manufacturer you get. They're really expensive: your bare-bones high-performance server chassis are going to cost you probably around four grand, and that's without anything but the motherboard, the case, and the fans. But you get the added redundancy in them. Oftentimes they'll have two processors, multiple fans, multiple power supplies. You get the fact that if something fails, your entire password cracking operation isn't going to go down. Tyan and Supermicro are going to be probably the two most common server cases that you're going to see out there today. They make absolutely fantastic bare-bones high-performance computing servers.

Next thing is just fill in all the general bits. You don't need a really great processor; hopefully it's not going to be doing too much of anything, it's just going to be running the operating system and making sure everything works. For memory you don't need that much either, 8 to 16 gigabytes per processor, it's your choice. I'm running eight gigabytes per processor right now. And hard drives, you just need enough to hold all your word lists. Now, your word lists could get very, very big, but I've been running this thing for about a year now and I've got one terabyte worth of space and I'm using probably about ten percent of that. RAID 1 is great to have, because if something breaks on one of them you've got the other one as a backup and you don't have to reinstall everything, but it's not a necessity.

Now for the most fun step: your GPUs. What are you going to look at when you're trying to pick out GPUs? There are tons of these things out there today. Most of you probably know that supercomputers and everything like that are usually measured in FLOPS, floating point operations per second. FLOPS mean absolutely bupkis to password cracking, because calculating the hash is not a floating point operation. So everything out there that says "oh, my computer goes at this many FLOPS," gigaflops, teraflops, whatever, really doesn't matter. There are three things that are important to a password cracker. One is the number of cores we have; this is also a lot of times called a shader unit. This is how many simultaneous calculations we can basically do at a time. Then there's your clock speed: how fast does each core run, how many instructions can we handle every second. And finally your thermal design power, TDP. A lot of people have a misnomer of what TDP is. They think this is the amount of power that gets eaten up by the GPU. It's actually not true. Thermal design power is how many watts of heat the card produces under an average load that the computer needs to dissipate. It can be used as a general reference to how much power it draws, but that is it. If it says it's a 240 watt TDP, that doesn't mean it's going to draw 240 watts.

These really don't tell the whole story, though. The problem is, cracking speed is based on the number of instructions it takes to calculate a hash, right? You'll see an MD5 will take somewhere between 150 and 350 instructions to calculate. The problem is different cards and different drivers have different instruction sets available, which means that it might take more or fewer instructions to calculate a hash depending on what instruction sets are available. Different versions of the software, the drivers, might even have different instruction sets. TDP at the same time is the amount of power and heat that it creates at average load, and each company decides differently what average load is. So essentially everything I've shown you here on this slide is completely worthless; none of this tells you what to actually pick, right?

So let everybody else do the work for you. There are tons of benchmarks already online. If you go to the hashcat forums, people love showing off their hardware. You can go and see how fast an Nvidia 770 runs, how fast an AMD 280 runs; somebody's posted a benchmark, I guarantee, already up there. You can use that to calculate very quickly how many hashes, on average, you're going to be able to crack with certain cards. And then the other thing to do is watch your budget and figure out how to maximize your dollars. Basically, double the price doesn't mean double the cracking power. As I know, it may be that if you get two of a lower-priced card you'll actually be able to crack more passwords than with one of the higher-priced ones, so that's something to consider, especially if you're on a budget.

If you'd asked me what my pick was about a month and a half ago, I would have told you two things. If you want reliability, you go with the Nvidia 700 series. Nvidia makes absolutely fantastic drivers; they are fantastic, they're great. But they're not the fastest cards out there. Their instruction sets were not written with things like password cracking in mind; I mean, obviously they're written for gamers, why would they care about us? On the other hand, AMD wanted their cards to be used for a lot of scientific operations, and they have a lot of instruction sets. Again, they were much better for password cracking. The only problem with those is that their drivers are absolutely terrible. You can spend half of your time just trying to maintain your password cracker because of a bad driver. So I would have told you: if you want to go with reliability, go with your Nvidia; if you wanted to go for brute speed, go for your AMD.

That changed on about September 18th, because Nvidia released their 900 series of cards. These are cards that run as fast as the AMDs that are currently out there. They handle large lists of passwords better. Most of the previous generations of cards ran with a TDP of about 260 watts; these, the maximum card, the 980, run with a TDP of 160 watts. It draws only about two-thirds of the power and generates two-thirds of the heat, and runs as fast as any AMD card out there on the market. Plus you get the better parallelism, plus you get the better drivers. This is flat out now my favorite pick for a card. If you can go out there and get a 900 series card, do it; they're fantastic. Just wait a month or so, because literally everybody is out of stock of these things.

There are a few other items you might want to give a little bit of thought to: cooling and reference design cards. These two go together. You actually don't have to put as much thought into cooling as you think. On a desktop, yes, desktops don't get cooled quite as well because of all the different crazy ways the airflow has to go. On a server system, though, they usually, for high-performance computing, are just loaded up with giant fans like you see here, right at the front of the case. You run these things at about 60 percent of their capacity; it sounds like a Huey taking off, but it will push more than enough air through your server.

The other trick is you get reference design cards. Reference design cards means that these are the designs that come straight from either Nvidia or AMD; the manufacturers are not allowed to change any of the design of these things. The reason that these are great is because both companies generally design their fans to pull air in from the back of the video card, mostly. Other manufacturers put giant fans on the outsides of their cards and suck air in through the case. Reference design cards, since they pull in air from the back, mean that you can stack them really close together and not have to worry about the airflow going in between each card. There's also no overclocking on reference design cards. Now, normally you'd probably think, "but overclocking is great, it makes everything run faster." That's true, but it also makes everything wear out faster, and considering that these cards are probably going to get run at 100% load for days at a time, you're already putting enough wear on them. Don't make it any worse for those cards.

And finally, your power: just go for the overkill. This is the cheapest insurance that you can get for your password cracker. If you get just enough power that you need, it means that your power supplies are going to be drawing 90% load for most of their life. If you spend the extra 7 500 200 bucks and get the biggest power supply you can get, it means that maybe your power supply then is running at forty percent load for most of its life. Power supplies are the easiest thing to break on your computer. If anybody in here has desktops that they've used hardcore over the past few years, you know probably the first thing to go is your power supply. A good power supply is the cheapest insurance you can have.

So I did all this work for you, and the final thing that I needed to do was give it a name. So we had a bunch of discussions inside: what did we want to call it? Our old one was called McCrackenstein, given that it was something sitting on a pizza box. We put it all together and decided to name it the Kraken, although we changed the name a little bit; it has a C in it. I know all of you are going to say that's not how Kraken is spelled. Well, yes, it's a double entendre, see: crack, Kracken. This is the Kracken. This is a four-GPU monster that I have sitting in my server room right now. Like I said, if you walk into the server room it sounds like there's a Huey taking off in there. It has the capacity to go up to eight GPUs; right now you'll see there are four in there. That's because we blew most of the budget on having a Tyan case that could eventually get to eight GPUs. We decided that we wanted to eventually have all eight GPUs but couldn't afford it at that time, so we'd just upgrade later; we gave ourselves the ability to upgrade.

You'll also notice those are not reference design cards, like I just told you all to get. We simply couldn't get them; that's the sheer reason why they're not there. They didn't have any of them in stock and didn't expect to get them for four months. This is only going to be in existence like this for probably another two months. I've just got the budget approved, and this picture will change, hopefully within a month, to eight Nvidia 980 cards.

So of course you've got to put a whole bunch of software on here. Now I'm going to say something that will probably get me stoned at this moment: I like using Windows. I've always used Windows; I've used Windows since I was four years old and it is great. It really isn't, but what are you gonna do. For the love of God, don't use Windows on your password cracker. Use Linux. Use Ubuntu Server. It's free, it works a whole lot faster. Now look, I like this, Windows is great, but password cracking on Windows sucks, because all the additional overhead means that you're basically cutting your cracking speeds by a third, in half. Do yourself a favor: you're building a machine whose entire purpose in life is speed. Go ahead and put a really basic install of Ubuntu Server on there. Throw on SSH, because obviously you're gonna need a way to access it; you really don't wanna go to the console every time you wanna do this. Go get your video drivers; I'll talk more about that in a minute. And then your password cracking software. I will recommend up, down, left, right, and sideways oclHashcat. It is, in my opinion, the best password cracking software out there right now, and it is free and it is well maintained. They also have a nice little package of things called hashcat-utils, which are a bunch of utilities that'll make your life easier as a password cracker and expand the types of attacks that you are able to do. I highly recommend pulling that one down too. And then finally all of your word lists, and we'll talk more about word lists in a little while too.

When you're setting it all up, install Linux with minimal options. You want the least overhead humanly possible running on this machine. I've installed mine so I basically only have SSH running on there; I have the basic package and, completely other than that, no Python or anything like that. You're not using this to develop on. Ensure that the system is secured. As I said before, this is going to be roughly the equivalent of a domain controller. You're going to have password hashes for, if you're a pen tester, all of your clients, or your internal company, maybe multiple clients at a time. Make sure your root password is ridiculously long; it'd be really embarrassing if somebody guessed the password to your password cracker. Use public and private keys for SSH if you can. Sometimes in some corporations that's really difficult to do, because you've got people all over the place and some people need access and some don't. If you're going to go with password authentication, just make sure all the passwords are ridiculously long. My password for the Kracken is 28 characters long.

Do not use open source video drivers. Do not use the video drivers from apt. Download them straight from AMD or Nvidia. I am a huge supporter of open source, except when it comes to video drivers. You might as well get the ones that are written by the people that are actually putting the chips together; they probably know their chipsets the best. Don't even get them from apt; apt never has the latest stuff on there. Go straight to the website, as you can see in there, using wget, and just pull down the latest drivers and use those to install. oclHashcat and pretty much every other password cracker out there are going to be designed to work with the drivers that come straight from the company. If you don't use those, the kernels that they use to give you access to the processing ability of the GPUs will not work. This is why I cannot stress enough: only use the drivers that come straight from the company.

My wife wanted me to include this slide in there. What am I going to say? So now you've got this great password cracker. You probably spent quite a few grand on it. It's at this big pretty spot right in the middle of your rack. It's what you show off to clients when you're going out and you're, you know, selling your pen testing services: "yeah, we got this huge password cracker, here's a picture of it." It looks great. If you don't know how to use it properly, you've just built an eight thousand dollar paperweight.

There are lots of different strategies you can use to attack passwords. Tons. There are entire cons devoted to cracking passwords. Passwords14 happened around the same time as DEF CON, and it was an entire convention of just cracking passwords. I can't even begin to tell you how many different techniques there are. There is no one right way. There are more efficient ways, but anything that you're going to do is going to crack something, essentially, with this much horsepower. But I'm going to teach you my method. The reason I'm going to teach you my method is because it's not difficult. It's easy to learn. It doesn't require a whole lot of time on your part while you're in the middle of a pen test. You can usually throw some commands and a couple of files, you know, your downloaded hashes, onto your password cracker, click go, let it run, and go do something else. You don't have to spend a whole lot of time massaging and writing crazy scripts or anything like that. Using kind of my general framework, since March of this year we have cracked 67 percent of all of the hashes we have captured within 48 hours.

So when you're doing your password cracking, begin with the fastest attacks. The reason for this is they may not get you the most hashes, but if they get you two, three, four, five, you can use those then while some of your longer attacks are going on. Even if they're really basic users, if your pen tests are in here, it's a privilege escalation; it's practice. Go in with the least privilege and see how much privilege you can get with those accounts while all of the domain admins are still being cracked.

Take advantage of the fact that most users are ignorant of what makes a strong password. If you know that the company has an eight character minimum, I guarantee you that fifty percent of the domain is going to be eight characters long. If the company only requires two types of characters, I guarantee you most of the passwords are gonna only have two kinds of characters. Use that to your advantage to customize your attacks so they're only looking at that stuff first. The other users are gonna make better passwords, but go after the dumb ones first.

Once you've already cracked a bunch of passwords, use those to help you crack a bunch of others. Oftentimes companies follow similar patterns. I'll give you one good example. We were pen testing an auto parts supplier and we cracked, I think, probably about 20 percent of the domain on our first couple of attacks, and I noticed that a whole bunch of passwords were the names of cars. So I went out and created a password list of every single make and model of car that I could find that's been built since 1920. I cracked another sixty percent of the domain. So the organizations often follow certain rules that make all of the users' passwords similar. If they only require one special character, for example, I guarantee you that that one special character is going to be an exclamation point at the end of a password for most of the users. Once you even resort to doing brute force, which is usually the last thing you want to do,

you can configure rules masks and statistics to make your brute forcing more efficient so that you're more likely to get passwords at the beginning of your brute force than you are at the end of your brute force so step one as i said you usually just do brute forcing at the end but you've got all this horsepower you might as well take care of the brute force attacks and the really short passwords that uh will only take a few seconds this particular command you see right here is hashcat's command to brute force a every six character and fewer password the question mark a's are the mask for all characters there's also a question mark d question mark l question

mark u which stands for digit lowercase uppercase so you can actually customize what's being cracked in what position but in this case i want to do every single six character and viewer password the m1000 in this case is ntlm this is a really fast hash so i know after benchmarks and everything like that i can do on the kraken as it currently exists every six character ntlm and below in less than one minute i guarantee you that on most of your pen tests you will find one or two passwords that still get cracked by this shame on those companies step two most usernames many username or many users still include their usernames within their password

in some form or another yeah they might convert it to lead speak and add a couple of numbers and an exclamation point on the end but the username is still there when you're capturing your passwords chances are you're gonna capture the usernames as well use that to build a list and then throw that list as your dictionary in your password crack hashgat also has a great function it calls rules files rules files are collections of rules that modify your dictionaries in some method some of them have rules that say convert to lead speed or throw a number at the end or throw two numbers and an exclamation point at the end they have lots of pre-built rules files

that are available for you. best64 contains the best 64 rules; this one here, d3ad0ne, is a list of many thousands of rules; there's also a great one called generated2 that just came out, which is a list of randomly generated rules that don't appear in any other rule set that they have. If you use a rules file with your crack, you can actually take the username list and automatically do things like convert it to leetspeak, add numbers, add characters, and depending on what rule set you use, you may not necessarily make your list that much better. best64 is generally good for your really slow algorithms, things like bcrypt or SHA-512, whereas d3ad0ne and generated2 are fantastic for fast algorithms, MD5s and NTLMs, things of that nature. In this case all we're doing is, once again, we give our path to our hash file, but then our path to our list of usernames. This will probably get you another five or ten percent.

Your biggest cracks are going to come when you use your dictionary files. Dictionary files are basically just word lists that you can get and build from anywhere. A word list can be anything. The good old standard these days is RockYou. RockYou was the list of passwords that were captured from the big old RockYou password breach way back. This is still going to net you tons of passwords, especially if you modify those with rules files. But you can use English dictionaries, they all exist out there; use passphrase lists. Where do you get all your word lists? Right, there's this great invention, it came out, you know, 15 years ago or something like that, I think it's called Google. If you google "a list of every Wikipedia article", you will get a word list of every Wikipedia article that exists. If you google "a word list of GeoNames", you will get a word list of billions of different locations, rivers, mountains, stuff like that. You can find lists of sports teams, cars, books, movies, actors, actresses. There are so many word lists out there.

You can also build your own. I told you about how I built a list of cars. I also keep a list of every single password I have ever cracked in the course of the Kraken's life. Now obviously I don't keep the hash with this, or any reference to any company in there. I also don't put it out for public consumption, just because of that fact. But that's the kind of thing you can do when you crack passwords: save them, go put them in a list somewhere, protect that list, but put it someplace. And then finally, use your rules files to extend your word lists, to make them even bigger. You're probably going to get most of your cracked passwords from using a dictionary.
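As an added example of the rule-based mangling the speaker describes (this is editor-written illustration code, not the speaker's code and not hashcat's), the block below is a small interpreter for a subset of hashcat's rule language applied to a constructed username list. The set of supported rule functions and the sample rules are an assumption chosen for illustration; the real best64, d3ad0ne and generated2 files use many more functions than are handled here.

```python
"""Minimal interpreter for a subset of hashcat's rule language.

Added example (not the speaker's or hashcat's code). It applies rules of the
kind found in best64.rule to a word list, here a constructed list of
usernames, to show the candidates a rule-based attack actually generates.
Only the functions listed in FUNCS are supported; real rule files use more.
"""


def _cap(w):      # c : uppercase the first character, lowercase the rest
    return w[:1].upper() + w[1:].lower()


def _inv_cap(w):  # C : lowercase the first character, uppercase the rest
    return w[:1].lower() + w[1:].upper()


# rule function -> (number of argument characters, transform(word, args))
FUNCS = {
    ":": (0, lambda w, a: w),                      # no-op: emit word as-is
    "l": (0, lambda w, a: w.lower()),              # lowercase
    "u": (0, lambda w, a: w.upper()),              # uppercase
    "c": (0, lambda w, a: _cap(w)),                # capitalize
    "C": (0, lambda w, a: _inv_cap(w)),            # inverted capitalize
    "t": (0, lambda w, a: w.swapcase()),           # toggle case of every char
    "r": (0, lambda w, a: w[::-1]),                # reverse
    "d": (0, lambda w, a: w + w),                  # duplicate
    "f": (0, lambda w, a: w + w[::-1]),            # reflect
    "[": (0, lambda w, a: w[1:]),                  # delete first char
    "]": (0, lambda w, a: w[:-1]),                 # delete last char
    "$": (1, lambda w, a: w + a[0]),               # append char X
    "^": (1, lambda w, a: a[0] + w),               # prepend char X
    "s": (2, lambda w, a: w.replace(a[0], a[1])),  # replace every X with Y
}


def parse_rule(rule):
    """Split one rule line into (function, args) tuples; spaces separate functions."""
    ops, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
            continue
        if ch not in FUNCS:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        nargs = FUNCS[ch][0]
        args = rule[i + 1:i + 1 + nargs]
        if len(args) != nargs:
            raise ValueError(f"missing argument for {ch!r} in {rule!r}")
        ops.append((ch, args))
        i += 1 + nargs
    return ops


def apply_rule(word, rule):
    """Run the functions of one rule line left to right over a single word."""
    for fn, args in parse_rule(rule):
        word = FUNCS[fn][1](word, args)
    return word


def mangle(words, rules):
    """Candidate list (deduplicated, order preserved) for every word x every rule."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample input: a username list and a few best64-style rules.
USERNAMES = ["jsmith", "mjones", "admin"]
RULES = [":", "c", "u", "c $1", "$1 $2 $3", "c $2 $0 $1 $4",
         "sa@ so0 se3 si1", "c sa@ $1", "d", "r"]

if __name__ == "__main__":
    for cand in mangle(USERNAMES, RULES):
        print(cand)
```

Running it prints the mangled usernames (`Jsmith1`, `jsmith123`, `Admin2014`, `@dm1n`, and so on), which is exactly the list that would otherwise be hashed and compared on the GPU; with a real rules file the multiplier per base word is in the thousands, which is why the speaker calls this cheap for slow algorithms.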

Another fun little one is the fingerprint attack. Now you're going to get a little more complex. What the fingerprint attack does is it uses the passwords you've already cracked to create every possible combination of characters, up to seven characters, out of what you've already cracked, which you'll then combine together to make lists of 2 to 14 character long words. The first thing you need to do is just take out all of your cracked passwords. That command up there just pulls all of the NTLM plaintext passwords that we've cracked and sticks them in an out file. We're then going to use one of the tools that's located in hashcat-utils called the expander. The expander is what takes every word that you've already cracked and expands it out to every character in there that you've already cracked, so every possible combination of characters from the passwords you've already cracked, up to seven characters. Then you go back into hashcat and you use an attack called the combinator; that's that -a 1 there. The combinator takes just two different dictionaries and combines every word in the first dictionary with every word in the second dictionary. So we basically put in our expanded.txt twice, and now we've created a list that is every single character, basically, that we've seen so far on one side, and we combine that once again with every single character we've seen again on the other side.
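As an added example of the expander-then-combinator pipeline just described (editor-written illustration, not the speaker's code and not hashcat-utils), the block below imitates both steps in Python over a constructed set of cracked plaintexts. It assumes the expander's job is to emit every contiguous substring of up to seven characters; the real hashcat-utils expander applies a few more mutations, so its output is a superset of this. In practice you would feed the real expander output to hashcat in combinator mode (-a 1) twice rather than materialise the cross product yourself.

```python
"""Fingerprint attack candidate generation: expander + combinator.

Added example, not the speaker's or hashcat-utils' code. Step 1 expands
already-cracked plaintexts into short pieces (here: every contiguous
substring of 1..7 characters, an assumption; the real expander mutates
more). Step 2 combines every piece with every piece, hashcat -a 1 style,
giving candidates of 2..14 characters built only from material that has
already been seen in the target's passwords.
"""
from itertools import product

LEN_MAX = 7  # hashcat-utils expander also caps pieces at 7 characters


def expand(cracked, len_max=LEN_MAX):
    """Every contiguous substring (1..len_max chars) of every cracked word, deduplicated."""
    pieces = set()
    for word in cracked:
        for start in range(len(word)):
            last = min(len(word), start + len_max)
            for end in range(start + 1, last + 1):
                pieces.add(word[start:end])
    return sorted(pieces, key=lambda p: (len(p), p))


def combinate(left, right):
    """hashcat -a 1 semantics: each word of the left list followed by each word of the right."""
    for a, b in product(left, right):
        yield a + b


def fingerprint_candidates(cracked, len_max=LEN_MAX):
    """The full fingerprint-attack candidate stream for a set of cracked plaintexts."""
    pieces = expand(cracked, len_max)
    return combinate(pieces, pieces)


def can_generate(candidate, pieces):
    """True if the candidate splits into exactly two expanded pieces, i.e. the attack would try it."""
    ps = set(pieces)
    return any(candidate[:i] in ps and candidate[i:] in ps
               for i in range(1, len(candidate)))


# Constructed sample: plaintexts supposedly recovered by an earlier dictionary pass.
CRACKED = ["Summer2014", "Welcome1", "P@ssw0rd"]

if __name__ == "__main__":
    pieces = expand(CRACKED)
    cands = list(fingerprint_candidates(CRACKED))
    print(f"{len(pieces)} pieces -> {len(cands)} candidates of 2..{2 * LEN_MAX} chars")
    # Longer passwords that reuse fragments of the cracked ones are covered;
    # anything containing an unseen character (here '!') is not.
    for pw in ["Welcome2014", "Summer1", "Summer!"]:
        print(pw, can_generate(pw, pieces))
```

The check at the end is the practical point of the attack: "Welcome2014" was never cracked, but it is "Welcome" from one password plus "2014" from another, so it falls out of the combinator without any brute force; a password with a character that never appeared in the cracked set stays out of reach of this pass.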

This is a really good way to crack some of those longer passwords, since this basically guarantees that you will have a lot of passwords between 7 and 14 characters. This attack is a really good way, without having to brute force, to grab those longer passwords, those domain admins and everything like that. And from there it's really up to you where you want to go. It depends on kind of how much you've cracked already, what the environment looks like, what kind of passwords you've seen come out of it.

The Markov attack is a statistically based brute force attack. I would go into the math behind what makes up a Markov chain, but I'm really bad at math and I don't really quite understand it myself. But essentially what happens is that in a Markov attack you statistically calculate, based on the passwords you've already cracked, the likelihood that a character will appear in a particular position in that password, plus the statistical likelihood of what characters will be immediately around it. So what you're basically doing is you're saying we're going to crack the statistically most likely passwords first and save the statistically least likely passwords for the end of the brute force attack. You're basically ordering your brute force attack.

You can create custom word lists, like I told you with the cars, or you can just do straight-up brute force. Sometimes this is best for hashes that are really fast, really easy to crack. NTLM is a great example of this. If you grab a domain, the easiest thing might be just to crack every single eight character password possible. The Kraken currently can do every single eight character NTLM password in eight days; once I upgrade it, that'll bring it down to about three. There's nothing that scares a company more: if they, like most companies, have that eight character minimum, there's nothing that scares them more than saying you can crack every single one of those eight character passwords in three days' time, especially considering they probably have a 90-day time to change from one password to the other.
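As an added example of the Markov ordering described above (editor-written illustration, not the speaker's code and not hashcat's), the block below learns per-position character statistics from a constructed set of cracked plaintexts and then walks a fixed-length keyspace most-probable-first instead of alphabetically. The add-one smoothed scoring and the best-first enumeration are assumptions made for illustration; hashcat's own implementation (hcstat tables, the --markov-threshold option) differs in detail.

```python
"""Markov-ordered brute force over a small keyspace.

Added example, not the speaker's or hashcat's code. From already-cracked
plaintexts it learns how likely each character is in the first position
and, for every later position, how likely each character is to follow the
one before it. A fixed-length keyspace is then enumerated highest
probability first, which is what "ordering your brute force attack" means.
Smoothing and scoring are an assumption for illustration.
"""
import heapq
import math
from collections import Counter, defaultdict


def train(cracked, alphabet):
    """Return log P(char | position, previous char), add-one smoothed."""
    root = Counter()               # first-character counts
    trans = defaultdict(Counter)   # trans[(pos, prev)][char]
    for pw in cracked:
        for pos, ch in enumerate(pw):
            if pos == 0:
                root[ch] += 1
            else:
                trans[(pos, pw[pos - 1])][ch] += 1
    vocab = len(alphabet)

    def logp(pos, prev, ch):
        counts = root if pos == 0 else trans[(pos, prev)]
        return math.log((counts[ch] + 1) / (sum(counts.values()) + vocab))

    return logp


def markov_order(cracked, alphabet, length, limit=None):
    """Yield (candidate, log probability) for every string of `length` over
    `alphabet`, most probable first; stop after `limit` candidates if given."""
    logp = train(cracked, alphabet)
    # Best-first search over prefixes. A prefix's score can only fall as it
    # grows, so the first complete string popped is the most probable in the
    # whole keyspace, the next pop the second most probable, and so on: an
    # exact ordering without scoring every string up front.
    heap = [(0.0, "")]
    emitted = 0
    while heap:
        neg_score, prefix = heapq.heappop(heap)
        if len(prefix) == length:
            yield prefix, -neg_score
            emitted += 1
            if limit is not None and emitted >= limit:
                return
            continue
        prev = prefix[-1] if prefix else None
        for ch in alphabet:
            heapq.heappush(
                heap, (neg_score - logp(len(prefix), prev, ch), prefix + ch))


def ordered(cracked, alphabet, length, limit=None):
    """Candidate strings only, in Markov order, as a list."""
    return [cand for cand, _ in markov_order(cracked, alphabet, length, limit)]


# Constructed sample: plaintexts from an earlier pass and a reduced keyspace.
CRACKED = ["pass1", "word1", "love2", "mike1", "dave7", "abc12", "cats1"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

if __name__ == "__main__":
    # The first candidates tried look like the cracked material (lowercase
    # letters, a digit at the end) rather than "aaaaa", "aaaab", ...
    for cand, score in markov_order(CRACKED, ALPHABET, 5, limit=10):
        print(f"{cand}  log p = {score:.2f}")
```

Nothing about the keyspace changes, every string still gets tried eventually; what changes is that the "password-looking" region of the space is exhausted first, which is why a Markov run typically finds most of its hits long before it finishes.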

I kind of want to show you that this kind of stuff works. These are our statistics that we've had from the Kraken since we started keeping records in March. We actually built the thing in December, but we never really started keeping statistics until we figured that it's probably a good sales tool. So we have so far, since March this year, captured 25,000 NTLM passwords. That number is actually a lot greater; we actually hit one organization where we got 300,000 NTLM passwords just out of one organization, and they'd seen our password cracking statistics before and didn't want us to do it. So far we've cracked 67.4% of all the NTLM passwords that we've captured, and that number is skewed by a government agency that has a 14 character minimum. They screwed all of my statistics; if we take them out of the equation, it's actually closer to eighty percent. We have cracked eighty percent of the NTLM password hashes that we've captured within a week.

We've captured a bunch of SHAs. NetNTLMv2s: these ones are very good. We capture NetNTLMv2s when we use Responder and we grab these passwords off the wire; we don't even have to break into a machine to grab them. And since they usually sit the pen testers, when they come into the company, somewhere near the admins, well, lo and behold, most of the passwords we steal off the wire are usually admin passwords. So we've cracked 43.3% of those, and those are a lot harder to crack than regular NTLMs. We managed to grab three Blowfish bcrypt hashes off of some Linux device, and we cracked all three of them. It doesn't matter how good your encryption is if you're using bad passwords. We've cracked 23% of the MS Cache version 2 hashes that we've captured. These are, a lot of times, we break into a machine, maybe the company is doing something right and not using the same local admin hash across all of their machines; in that case we grab the cache. MS Cache is actually one of the few things that Microsoft has done really well; MS Cache version 2 is a really difficult algorithm to crack. We still cracked 23 percent of them, and 23 of those were, you know, the domain admins, so it still didn't work. Finally, your MS Cache version 1, that's just their older version of that; we cracked 100% of those.

All of this here with the NTLMs we use to demonstrate the domain: it's a great demonstration, using our password cracker, to show how the adversaries can get most of your domain in a short period of time. All the other types of hashes on there are how we actually do our job. We go in and we capture these from shadow files, from off the wire, things like that, and then we use the password cracker to crack those hashes within 48 hours and get into other systems and pivot from there. Without having the Kraken in our arsenal we would not be nearly as successful at penetration tests as we are today.

I've got to give a couple of thanks out for pushing me to do this one. The first two guys I've never met in my life; they have absolutely no idea I'm thanking them for this. atom is the designer of hashcat. The guy is absolutely brilliant, and hashcat is a ridiculously stable thing for having like a three-person development team that's all a side project for everybody; they don't make money off of this, they don't do it for a living. Jeremi Gosney is a member of Team Hashcat; he's also a hardware guru, he actually builds these things for a living. When I was building the Kraken I basically kept posting questions to him on the forum; he'd answer them, maybe, within 24 hours. He probably hates me now because he's had to answer like 100 questions. Great guy. Chris Duffy, a former member of our team, aka Funk and Wagnall, he pushed me to create this presentation. And finally Andrew Whitaker, aka the Godfather, he's the leader of KCG's team. He was the one crazy enough to let me actually build the Kraken in the first place, so I kind of had to give him props there.

Anybody got any questions? Any at all? Yes.

Um, that's actually a good question, honestly, because in order to get up to the eight character space, with the amount of storage that we'd have to have to have good rainbow tables, and the amount of time it takes to actually generate those good rainbow tables, you can't find the full eight character space rainbow tables out there unless you spend a decent amount of money and you have many terabytes' worth of storage. In the amount of time it would take us to generate them, we could already crack five weeks' worth of passwords. I went and looked, and I think I saw, my estimate was that it would take me three months to build good, well-formed rainbow tables, whereas in three months I, you know, cracked 80 percent of the hashes I had. So I just haven't seen a need for it now.

Right, and that's another excellent point: it's just the amount of processing power it takes to actually scroll through the rainbow tables. You can do that all in parallel; there are technically GPU-based rainbow table searchers, basically, but they're not pretty well optimized. They haven't really been built and expanded on because once GPU computing power reached this level, nobody really saw a need for them anymore, honestly. Anybody else?

Um, there are a few. The current list of basically hashes and everything that it supports is well up in the hundreds. I'm trying to think of some of the more obscure things that it can crack: KeePass; they just added one, if you use the Android encryption that's now coming standard on a lot of Android phones, yeah, they've got that supported in oclHashcat now; Joomla; all of the, like, Oracle-specific algorithms that they've customized are all supported in there; all the Cisco-specific algorithms are in there. There are only a few that I haven't seen before that are in, and if you think that an algorithm needs to be supported, go write atom a message; chances are he'll pop it in there. Yes?

That's an absolutely fantastic question. Um, for a normal user, my recommendation personally is 12 character passwords, and try to have at least two of every kind of character within the password: two uppercase, two lowercase, two specials, two numbers. That really expands the brute force capacity well above even what clusters of these things can calculate in a reasonable amount of time. Once you get up to that level you're only talking nation-state resources; they'll be able to do it. But that's just for regular users. If you have passwords for your domain admins, for your root-level passwords, I default to the good old DoD standard: 16 character passwords, two of every type, no dictionary words allowed, and they have to be changed every 60 days. The inhibiting factor to doing this is simply people remembering them, and that's the honest truth. I have a hard time sometimes remembering what password I've used for what site. You obviously don't want to reuse the same password across everything, but if you're using, you know, eight different 16 character passwords across everything, they get really hard to remember. You really need a password keeper. Honestly, more companies need to push two-factor authentication; that's really going to be the only solution to this. Anybody else, you got any more questions? Oh, right here.

Yep, I mean Gigabyte, ASUS, EVGA, they all make the reference design cards. Get the reference design cards. Once you get anything beyond that, like I said, they're trying to pull air in through the case, not through the back, so cooling is going to start to become an issue. Those coolers are also generally bigger and wider than the reference design cards, and you start having problems trying to fit them all into the case. And then finally, they're all overclocked; like I said, you don't need to put any more stress on your card than you're doing. These things will run, I mean, when I do my entire eight character NTLM space, these cards are running at 100% load for eight days. I mean, that's something like 100 times what you'd be doing with a normal game. You don't really need to do that. I recommend always get the reference design cards, and most of the guys that build these things for a living will tell you the same thing: only use the reference design cards.

That's four cores right there, versus if you have, so even if you have four CPUs, let's say those are 16 cores, so what's 16 times four, versus if I had eight 980s, that is roughly, that's something like 18,000 cores. Cores are everything; that's how many hashes you can do in parallel. So you'd be looking at doing 64 in parallel versus 18,000 in parallel. You're always going to be faster with GPUs. Yeah, okay, one more, I think.

Password vaults are fine as long as nobody gets into them. I mean, that's the simplest thing there. They're great normally, but we've found all it does is make our job harder as pen testers, because somebody then leaves their master key, or something like that, lying around someplace for their password vault. It's the exact same concept as trying to get into the domain controller; you just have to have a different password to get into it. So yeah, they're great as long as you protect what's protecting the password. We found one where a domain admin was keeping all of his domain passwords in a KeePass, and after we rooted around his email for 10 minutes we found the password to this KeePass file. So, all right, any questions, ask me afterwards. Thanks, everybody.