You’ve heard about cloud, big data, server-less infrastructure, web scale, and other buzzwords that cause VCs to throw money at people - but how does this help you? If you’re getting bored going over the same checklist in your pentests then you’re missing out on what some of these new technologies can offer you. Using some of the newer cloud technologies not only can you automate all of your workflows, but you can do so with almost zero maintenance at a low cost with almost infinite scalability! This talk will show you how to blow conventional pentesters out of the water using some cool new technologies along with a little bit of trickery. Some of the topics we’ll go over include: * Cheap and scalable rainbow tables with BigQuery, 5TB in 10 seconds * SQS & Lambda, like Burp Intruder but 10K QPS * Scalable GPU Clusters on the cheap with Spot Instances and Elastic Beanstalk * Cloud exit nodes, rotating IPs via Elastic Beanstalk and nano instances * Cost effective fuzzing with Elastic Beanstalk and Spot Instances (This was originally presented on November 16, 2018 at Kiwicon 2038).

1. Getting buzzed
on Buzzwords
moloch
@littlejoetables
mandatory
@iammandatory

2. Hola!
I am Mandatory

3. Hola!
I am Mandatory
About
Security engineer, XSS Hunter, DNS, and more!

4. Hola!
I am Mandatory
About
Security engineer, XSS Hunter, DNS, and more!
Industry Certifications
High School Diploma

5. Hola!
I am Mandatory
About
Security engineer, XSS Hunter, DNS, and more!
Industry Certifications
High School Diploma
Blog Twitter
TheHackerBlog.com @iammandatory

6. EHLO
I am Moloch

7. EHLO
I am Moloch
About
I like computers.

8. EHLO
I am Moloch
About
I like computers.
Industry Certifications
High School Diploma

9. EHLO
I am Moloch
About
I like computers.
Industry Certifications
High School Diploma
Occupation Twitter
Senior Associate, Bishop Fox @littlejoetables

10. The Cloud

11. The Deep Cloud?

12. Distributed Cloud!

13. THE DARK CLOUD

14. Raise your hand if you’re an
AWS employee…

15. Raise your hand if you’re a
reverse engineer…

16. AWS Services

17. Let’s Get VC Funding

18. Let’s Get VC Funding
• Buy some eScooters off of
Amazon …

19. Let’s Get VC Funding

20. Let’s Get VC Funding
• “Burp Intruder” at ∞ QPS

21. Let’s Get VC Funding
• “Burp Intruder” at ∞ QPS
• Cloud Rainbow Tables

22. Let’s Get VC Funding
• “Burp Intruder” at ∞ QPS
• Cloud Rainbow Tables
• Cost effective GPU clusters

23. Let’s Get VC Funding
• “Burp Intruder” at ∞ QPS
• Cloud Rainbow Tables
• Cost effective GPU clusters
• …maybe more time
permitting

24. ”Burp Intruder” at
∞ QPS

25. Burp Intruder

26. Burp Intruder

27. Burp Limits
• Your laptop Internet speed
• Threaded model
• Single app, single computer

28. It’s not web scale!

29. Serverless “Burp Intruder”
• Do the same thing but with
Lambdas
• Scale up to ∞ QPS
• Store all the results in S3

30. Lambda Functions
• Lambdas are self-contained code
packages
• No “server” hence “serverless”
• Billed $0.20 per 1 million requests
and ~$0.17 per 10K GB seconds
• “Event based” executions

31. Chicken & Egg
• Invoking a Lambda is 1 API
call
• 10 API calls = 10 runs
• How we do quickly ramp up?

32. Serverless “Burp Intruder”
• Self-invocating Lambda
• Take work
• Split work
• Call self with both halves

33. Rama Lambda Ding Dong
Lambda
Function

34. Rama Lambda Ding Dong
Lambda
Function
Work
A
B
C
D
E
F

35. Rama Lambda Ding Dong
Lambda
Function
Work
A
B
C
D
E
F
Work
A
B
C
Work
D
E
F

36. Rama Lambda Ding Dong
Lambda
Function
Work
A
B
C
D
E
F
Lambda
Function
Lambda
Function
Work
A
B
C
Work
D
E
F

37. Rama Lambda Ding Dong
Lambda
Function
Work
A
B
C
D
E
F
Lambda
Function
Lambda
Function
Work
A
B
C
Work
D
E
F

38. Rama Lambda Ding Dong
Lambda
Function
Work
A
B
C
D
E
F
Lambda
Function
Lambda
Function
Work
A
B
C
Work
D
E
F
Lambda
Function
Work
A

41. Do NOT DoS the server!

42. The Design
• Payloads decoupled from
requester
• Stateless
• Scales up infinitely ( with $ )

43. Available Now!
github.com/mandatoryprogrammer/
lambda-intruder

44. Rainbow Tables

45. What’s a Rainbow Table?

46. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes

47. What’s a Password Hash?
“P@ssw0rd” HASH
FUNCTION
74b873374542…

48. What’s a Password Hash?
“Password” HASH
FUNCTION
74b873374542…

49. What’s a Password Hash?
“Password” HASH
FUNCTION
74b873374542…

50. What’s a Password Hash?
“P@ssw0rd” HASH
FUNCTION
74b873374542…
Expensive

51. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes

52. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd

53. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
346829f0a01c…

54. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
346829f0a01c…

55. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
346829f0a01c…

56. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
346829f0a01c…

57. What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
What’s a Rainbow Table?
• Pre-computation attacks against
password hashes
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
fbac02ff7509… -> Password
…
346829f0a01c… -> P@ssw0rd
346829f0a01c…

58. What’s a Rainbow Table?
16354d904b4b… -> password
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
8eecf9616354… -> pAssword
a3fc41333f50… -> paSsword
fbac02ff7509… -> Password
346829f0a01c…

59. What’s a Rainbow Table?
16354d904b4b… -> password
346829f0a01c… -> P@ssw0rd
74b873374542… -> password
8eecf9616354… -> pAssword
a3fc41333f50… -> paSsword
fbac02ff7509… -> Password
346829f0a01c…

60. What’s a Rainbow Table?

61. Team Logistics
• Large file sizes ( hundreds of GBs )
• Remote access ( servers )
• Server maintenance, hard drive
failures, redundancy

62. Why not use a database?
Rainbow Tables
?
Database Tables

63. Why not use a database?

64. Why not use a database?

65. Google Big Query

66. What is Big Query?

67. What is Big Query?
BigQuery is Google's serverless,
highly scalable, enterprise data
warehouse designed to make all
your data analysts productive at an
unmatched price-performance.

68. What is Big Query?
It’s a big database you can crap
terabytes of JSON into and query it.

69. Big Query
{
"preimage": "0000",
"md4": "+f1Xv3XKVdu0kX2fFp/Luw==",
"md5": "Sn0e1BRHTkAzrCnMuGU9mw==",
"sha1": "Od+lUoMxjTGv5aP/Sg4yU+IEXkM=",
…}n

70. Big Query
{
"preimage": "0000",
"md4": "+f1Xv3XKVdu0kX2fFp/Luw==",
"md5": "Sn0e1BRHTkAzrCnMuGU9mw==",
"sha1": "Od+lUoMxjTGv5aP/Sg4yU+IEXkM=",
…}n

71. Big Query
{
"preimage": "0000",
"md4": "+f1Xv3XKVdu0kX2fFp/Luw==",
"md5": "Sn0e1BRHTkAzrCnMuGU9mw==",
"sha1": "Od+lUoMxjTGv5aP/Sg4yU+IEXkM=",
…}n

72. Big Query
{
"preimage": "0000",
"md4": "+f1Xv3XKVdu0kX2fFp/Luw==",
"md5": "Sn0e1BRHTkAzrCnMuGU9mw==",
"sha1": "Od+lUoMxjTGv5aP/Sg4yU+IEXkM=",
…}n

73. Big Query
{
"preimage": "0000",
"md4": "+f1Xv3XKVdu0kX2fFp/Luw==",
"md5": "Sn0e1BRHTkAzrCnMuGU9mw==",
"sha1": "Od+lUoMxjTGv5aP/Sg4yU+IEXkM=",
…}n

74. Big Query
( Repeat a few hundred
million times )

75. Big Query

76. Big Query

77. Big Query

78. Big Query
You’re done!

80. No Specialized Software

81. Big Query Optimization Tips
• Pay for storage $0.02/GB
• Pay per query $5/TB
• Base64 encoding or better
• Truncate hashes at 48-bits

82. Big Query De-Duplication

83. Big Query De-Duplication
The Capitalist
Algorithm
( Who cares? )

84. Big Rainbow

85. Big Rainbow
AWS Lambda Big Query
RESTHTTP“Consultant”

87. Big Rainbow
• lm
• md4
• md5
• msdcc
• msdcc2
• mssql41
• mysql323
• ntlm
• oracle10g-sys
• oracle10g-system
• whirlpool

88. Big Rainbow
• lm
• md4
• md5
• msdcc
• msdcc2
• mssql41
• mysql323
• ntlm
• oracle10g-sys
• oracle10g-system
• whirlpool
• ripemd160
• sha1
• sha2-224
• sha2-256
• sha2-384
• sha2-512
• sha3-224
• sha3-256
• sha3-384
• sha3-512

89. Available Now!
github.com/moloch--/big-rainbow

90. Auto-Scaling GPU
Clusters

91. Traditional GPU Clusters
• High upfront costs ( $2-3k+ )
• Server maintenance
• User & resource management
• Hardware failures are expensive
• Power consumption

92. Let’s Design a Serverless-ish
Password Cracking Cluster

93. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

94. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

95. AWS Spot Instances
• It’s EC2 but at up to 90% off the
regular pricing
• You set a bid price, if the current
price is below yours then
instances are started, if they’re
above then they are killed ( 2
minute warning )

96. AWS Spot Instances

97. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

98. Elastic Beanstalk
• Manages AWS EC2 instances
• Load balances inbound requests or
SQS messages
• No additional charge
• Pretty graphs & stuffs

99. Elastic Beanstalk

100. Auto-Scale Spot
Resources:
AWSEBAutoScalingLaunchConfiguration:
Type: "AWS::AutoScaling::LaunchConfiguration"
Properties:
SpotPrice:
"Fn::GetOptionSetting":
Namespace: "aws:elasticbeanstalk:application:environment"
OptionName: "EC2_SPOT_PRICE"
DefaultValue: {"Ref":"AWS::NoValue"}
.ebextensions/01_setup.config

101. UNLIMITED POWER

102. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

103. Lambda Functions
• Trigger-based architecture
• Required to be stateless ( web scale )

104. API Gateway
• Fully managed API endpoints
• Magical load balancing, etc.
• *Timeouts after 29 seconds

105. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

106. Simple Queue Service
• Standard Queues
• *FIFO Queues

107. AWS Services
• Spot Instances
• Elastic Beanstalk
• Lambda Functions
• API Gateway
• Simple Queue Service ( SQS )
• Simple Storage Service ( S3 )

108. Hash Cat Pro-tips
• --keyspace != key space
• Values are specific to Hash
Cat ( --skip / --limit )

109. Disturbing Key Spaces
How do we jump to the n’th value?

110. Disturbing Key Spaces

111. Disturbing Key Spaces
• It’s actually a counting
problem
• Count in base ‘n’ ( n = length )

112. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling

113. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
API Request

114. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
API Response

115. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

116. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

117. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

118. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

119. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

120. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling
Polling Req/Resp

121. Serverless-ish GPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling

123. Coming Soon!
github.com/mandatoryprogrammer/
masscat

124. Untwister
F5 Edition

125. Untwister
• Multi-threaded ”seed
recovery” tool
• Brute-forces PRNG seeds
• Seed space varies per PRNG

126. The Depth Problem
• PRNGs instantiated once
• DoS bug ( XXE, etc. )
• Halting problem

127. Serverless-ish CPU Clusters
Lambda
Function
Lambda
Function
Auto Scaling

128. Coming Soon!
github.com/moloch--/untwister

129. How to Actually
Think About AWS

131. Any questions ?
Thanks!
Thanks to @0xkitty for the slide design!