Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Services
Capture
Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

twi-cloud-lock-color-svg
Managed Security Services

Expand your team’s capabilities and strengthen your security posture

twi-briefcase-color-svg
Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

twi-dashboard-color-svg
Penetration Testing

Subscription- or project-based testing, delivered by global experts

twi-database-color-svg
Database Security

Get ahead of database risk, protect data and exceed compliance requirements

twi-email-color-svg
Email Security & Management

Catch email threats others miss with layered security & maximum control

twi-managed-portal-color
Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Introducing Password Cracking Manager: CrackQ

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

 

CrackQ login page
Yes it has a logo!

 

To clarify, Hashcat is a password cracking tool which utilizes the power of GPUs (Graphical Processing Units) for high-speed password cracking. In simple terms, password cracking is the process of matching a plain-text password to a cryptographic hash of that password. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.

 

CrackQ dashboard

 

How does CrackQ differ from similar tools?

I've been managing internal password cracking rigs at Trustwave for a number of years and in various different incarnations, though I've never been happy with the efficiency of whichever process or application we have used to this end. Initially, I just wanted something written in Python, so I could easily add features as and when the team needed them, and it evolved from there.

CrackQ interfaces with Hashcat directly via the libhashcat library rather than using shell commands for execution. It uses the under-appreciated PyHashcat C bindings for this, which allows access to the library from Python. Aside from this, it's the only tool that uses SAML2 authentication, allowing you to offload credential management to an identity provider (Active Directory, Azure, etc.) and also to use Multi-Factor Authentication. The alternative option is LDAP authentication, which can be used with your own LDAP service, or for demo purposes, I have included an OpenLDAP docker container within the 4 docker containers provided as part of the application. This was a big issue for me, having to manage users in a team of around a hundred testers can be quite cumbersome.

There are attributes that CrackQ has that other tools don’t, and the converse is also true. For example, it currently is not able to work as a distributed system, rather it's a client-server setup. This is mainly because distributed cracking is not what we needed at this time, but it's an API so this could be added quite easily in the future if I decide to go down that road.

There is a multitude of useful features planned for future releases, but I will focus on what is currently supported here. One of the benefits of using Python is that we can call on the power of the Python data science and analytics libraries. The password analysis reporting feature demonstrates this and, even though it's still at a very early stage in the development process, the results are quite interesting.

I've created an analysis library that I'm calling Pypal, in a hat-tip to the command-line password analysis tool Pipal. It uses many of the same metrics used there and in other tools, but it also looks at some additional angles, and the results are rendered in a more visually appealing way.

At the click of a button, CrackQ will generate a password analysis report from the results of a password cracking job, a Windows Active Directory domain store for example. This includes information relating to timings and speed, but crucially insecure password choices and patterns within an organization. Hopefully, this will help to eradicate those Winter123! passwords that still lurk in many networks.

 

Chart showing passwords based on country names

 

One metric that is quite interesting, is the geolocation chart showing the locations of common password choices. For example, CrackQ will find passwords based on city locations, such as Chicago2019!, then highlight these as 'heat-spots' on a global map. It's just a nice visual for our clients and anyone else that chooses to use it.

 

Geolocation chart showing passwords based on cities
The image above shows the spread of passwords based on city names, taken from a leaked password/hash database belonging to a company based in Sweden

 

Feature List

  • Hashcat Brain integration – CrackQ will engage the Hashcat brain automatically when it is efficient to do so
  • Automated re-queuing on job failure, if the job fails due to system error it will be re-queued unless it fails > n times
  • Easily deployable Docker images can also be used for cloud integration (takes 30 minutes to install on an EC2 instance)
  • LDAP & SAML2 support with MFA
  • CLI Python client or JS GUI
  • Built-in password analysis/reports
  • Job/Queue graphing & statistics
  • Move/prioritize jobs
  • REST API
  • Multi-user support
  • Mask files support
  • Pre-configured Markov stats

Note the Hashcat Brain is a feature within Hashcat that prevents retrying the same password guess repeatedly during different runs against the same hash(es), thus improving efficiency for slower algorithms. However, the brain becomes the bottleneck when cracking at higher speeds. It has a bottleneck of around 500kH/s so CrackQ will check the speed for the selected algorithm and engage the brain when it’s effective to do so. In the case of high-speed algorithms, it’s slower and inefficient to use the brain.

Conclusion

CrackQ is in its initial (alpha) release. Some of the best features are yet to come, but it's at a point where I can release it to help improve password cracking efficiency for security teams and hopefully receive further support from the community to help grow the current feature set.

In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy. CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.

I will cover more technical details around the libraries, services, and docker infrastructure in a later post which might be of interest to anyone looking to get involved with the project.

For anyone looking to get an insight into password security within their organization, feel free to reach out and make use of our password analysis service where we can offer all of this and more.

CrackQ is available here:

https://github.com/f0cker/crackq

References

Pipal: https://github.com/digininja/pipal
Pypal: https://github.com/f0cker/pypal
Hashcat: https://github.com/hashcat/hashcat
PyHashcat: https://github.com/Rich5/pyhashcat (original)
PyHashcat: https://github.com/f0cker/pyhashcat (current fork)

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More