2. Introductions
• Who are we?
‒Karl Fosaaen
‒Eric Gruber
• What do we do?
‒Pen Test
‒Crack Passwords
‒Blog
3. GPU Cracking on the Cheap
• Defining Terms
‒Science Project
‒GPU
‒Bitcoin
‒Hashes
4. GPU Cracking on the Cheap
•Hashes
‒ Password123 =
58A478135A93AC3BF058A5EA0E8FDB71
‒ Password1234 =
8C3EFC486704D2EE71EEBE71AF14D86C
58A478135A93AC3BF058A5EA0E8FDB71
≠
8C3EFC486704D2EE71EEBE71AF14D86C
5. GPU Cracking on the Cheap
• Overview
‒Why do we want to GPU crack
‒Ideal Setup
‒Hardware Selection
‒Construction
‒Operating System
‒Methodology
6. GPU Cracking on the Cheap
• Why do we want to crack?
‒Pen Testing
‒Password Auditing
•Why do we want to use GPUs?
‒CPU versus GPU
‒Trade Offs
‒The Cloud?
7. Performance: Brute Force (6 Characters)
0
100
200
300
400
500
600
Minutes for Six Character Brute Force
CPU GPU
9. Performance
• Brute Force Power (8 Characters)
Hash Type Speed
NetNTLMv2 1,877.8 MH/s
SHA1 9,515.4 MH/s
descrypt 11,060.1 kH/s
MD5 19,834.3 MH/s
NTLM 32,930.2 MH/s
10. GPU Cracking: The Ideal Set Up
• The Ideal Set Up
‒ If Money is no object
11. GPU Cracking: The Ideal
• Buy one of these
‒ Case, Motherboard, and Power ($3,599.99)
• TYAN B7015F72V2R
‒ Case, Motherboard, and Power ($ 4,649.99)
• Tyan FT77AB7059 (B7059F77AV6R-2T)
12. GPU Cracking: The Practical Option
• But I’m more like this shadow guy…
15. GPU Cracking: The Hardware
• GPU Selection
‒ What do we want?
• Reference card versus non-reference
• Stream Processors
• Card Cores
• Processor Speed
• Overclocking
• AMD versus NVIDIA
• Crossfire and SLI – Doesn’t matter here
• These are the Most Important Part of the Rig
‒ So spend some money
16. GPU Cracking: The Hardware
• 7970 Option
‒ MSI Radeon HD 7970 Twin Frozr ($529.99*)
• Core Clock: 1000MHz
• Stream Processors: 2048 Stream Processors
• Memory Size: 3GB GDDR5
• 7950 Option
‒ XFX Double D Radeon HD 7950 ($419.99*)
• Core Clock: 925MHz
• Stream Processors: 1792 Stream Processors
• Memory Size: 3GB GDDR5
*Newegg prices as of February 2014
17. GPU Cracking: The Hardware
• Motherboard
‒What to look for
• PCI Express slots
• 16x versus 1x
• Power to the board
• Some have additional power for cards
• Onboard power switch
• Handy for open air cases
18. GPU Cracking: The Hardware
• Motherboard
‒ ASRock H81 Pro BTC ($130-190*)
*Amazon price variance during January 2014
19. GPU Cracking: The Hardware
• Risers
‒ Ribbon cable versus USB 3
‒ Preferred: USB 3 risers
• The ribbons are not as reliable
21. GPU Cracking: The Hardware
• Power Supply
‒ 1500W is ideal for a couple of cards
‒ Could probably get closer to 1000W
• Just not recommended, or get two
‒ Modular is the easiest to manage
22. GPU Cracking: The Hardware
• Other Hardware Selection
‒ Processor
• A reasonably powered Intel (i3,i5,i7)
‒ Hard Drive
• SSD for OS
• Non-SSD for cold storage (Dictionaries, etc.)
‒ RAM
• What ever you can afford to put in
• These can all be relatively generic
23. GPU Cracking: The Case
• Case
‒ This can be pretty open ended
‒ Start with server rack shelving
‒ Check out your local hardware store
• Wire shelving cubes
• Aluminum Rails
‒ Zip ties, bailing wire, bits of string
31. GPU Cracking: Final Costs
• Parts list:
Parts Est. Cost
Motherboard $160
Processor (Intel Celeron) $50
RAM (4 GB) $40
Hard Drives $150
Risers (4) $160
Power Supply (1500 W) $360
Video Cards (4) $2,116
Case Materials $20
Total $3,056
32. GPU Cracking: Final Costs
• Parts list:
Parts Est. Cost
Motherboard $160
Processor (Intel Celeron) $50
RAM (4 GB) $40
Hard Drives $150
Risers (4) $160
Power Supply (1500 W) $360
Video Cards (4) $2,116
Case Materials $20
Total $3,056
35. Driver support
• Windows support is generally good for both
AMD and Nvidia
• Linux support is getting better
• Both are good options, unless you’re Linus…
36. Server Setup
• Windows and Linux work very well for server setups
• Both can be setup as a headless server
• We prefer Linux
‒ Easy to manage
‒ Lightweight
‒ Free
37. Cracking Software
• We want something free
‒ John
‒ oclHashcat
• John/oclHashcat support GPU cracking with
CUDA/OpenCL
• We use oclHashcat
‒ Frequently updated
‒ Best performance
‒ Supports large number of hash types
39. Methodology
• Dictionary Attacks
‒ Add in some mangling rules
• Leet Speak
• Password => P@$$vv0rd
• Append Numbers
• Password => Password2014
‒ Double up on dictionaries
• PasswordPassword
‒ Sources
• Wikipedia
• Urban Dictionary
• Alexa Domain Lists
• Crackstation, SkullSecurity, etc.
40. Methodology
• Masking Attacks
‒ Commonly Used Patterns
‒ Netspi1234 = ?u?l?l?l?l?l?d?d?d?d
• One Upper
• Five Lower
• Four Digits
• Ten characters total, meets complexity
‒ Easy to generate
• Based off of previous cracks, leaks, etc.