Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Introducing Password Cracking Manager: CrackQ

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

 

CrackQ login page
Yes it has a logo!

 

To clarify, Hashcat is a password cracking tool which utilizes the power of GPUs (Graphical Processing Units) for high-speed password cracking. In simple terms, password cracking is the process of matching a plain-text password to a cryptographic hash of that password. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.

 

CrackQ dashboard

 

How does CrackQ differ from similar tools?

I've been managing internal password cracking rigs at Trustwave for a number of years and in various different incarnations, though I've never been happy with the efficiency of whichever process or application we have used to this end. Initially, I just wanted something written in Python, so I could easily add features as and when the team needed them, and it evolved from there.

CrackQ interfaces with Hashcat directly via the libhashcat library rather than using shell commands for execution. It uses the under-appreciated PyHashcat C bindings for this, which allows access to the library from Python. Aside from this, it's the only tool that uses SAML2 authentication, allowing you to offload credential management to an identity provider (Active Directory, Azure, etc.) and also to use Multi-Factor Authentication. The alternative option is LDAP authentication, which can be used with your own LDAP service, or for demo purposes, I have included an OpenLDAP docker container within the 4 docker containers provided as part of the application. This was a big issue for me, having to manage users in a team of around a hundred testers can be quite cumbersome.

There are attributes that CrackQ has that other tools don’t, and the converse is also true. For example, it currently is not able to work as a distributed system, rather it's a client-server setup. This is mainly because distributed cracking is not what we needed at this time, but it's an API so this could be added quite easily in the future if I decide to go down that road.

There is a multitude of useful features planned for future releases, but I will focus on what is currently supported here. One of the benefits of using Python is that we can call on the power of the Python data science and analytics libraries. The password analysis reporting feature demonstrates this and, even though it's still at a very early stage in the development process, the results are quite interesting.

I've created an analysis library that I'm calling Pypal, in a hat-tip to the command-line password analysis tool Pipal. It uses many of the same metrics used there and in other tools, but it also looks at some additional angles, and the results are rendered in a more visually appealing way.

At the click of a button, CrackQ will generate a password analysis report from the results of a password cracking job, a Windows Active Directory domain store for example. This includes information relating to timings and speed, but crucially insecure password choices and patterns within an organization. Hopefully, this will help to eradicate those Winter123! passwords that still lurk in many networks.

 

Chart showing passwords based on country names

 

One metric that is quite interesting, is the geolocation chart showing the locations of common password choices. For example, CrackQ will find passwords based on city locations, such as Chicago2019!, then highlight these as 'heat-spots' on a global map. It's just a nice visual for our clients and anyone else that chooses to use it.

 

Geolocation chart showing passwords based on cities
The image above shows the spread of passwords based on city names, taken from a leaked password/hash database belonging to a company based in Sweden

 

Feature List

  • Hashcat Brain integration – CrackQ will engage the Hashcat brain automatically when it is efficient to do so
  • Automated re-queuing on job failure, if the job fails due to system error it will be re-queued unless it fails > n times
  • Easily deployable Docker images can also be used for cloud integration (takes 30 minutes to install on an EC2 instance)
  • LDAP & SAML2 support with MFA
  • CLI Python client or JS GUI
  • Built-in password analysis/reports
  • Job/Queue graphing & statistics
  • Move/prioritize jobs
  • REST API
  • Multi-user support
  • Mask files support
  • Pre-configured Markov stats

Note the Hashcat Brain is a feature within Hashcat that prevents retrying the same password guess repeatedly during different runs against the same hash(es), thus improving efficiency for slower algorithms. However, the brain becomes the bottleneck when cracking at higher speeds. It has a bottleneck of around 500kH/s so CrackQ will check the speed for the selected algorithm and engage the brain when it’s effective to do so. In the case of high-speed algorithms, it’s slower and inefficient to use the brain.

Conclusion

CrackQ is in its initial (alpha) release. Some of the best features are yet to come, but it's at a point where I can release it to help improve password cracking efficiency for security teams and hopefully receive further support from the community to help grow the current feature set.

In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy. CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.

I will cover more technical details around the libraries, services, and docker infrastructure in a later post which might be of interest to anyone looking to get involved with the project.

For anyone looking to get an insight into password security within their organization, feel free to reach out and make use of our password analysis service where we can offer all of this and more.

CrackQ is available here:

https://github.com/f0cker/crackq

References

Pipal: https://github.com/digininja/pipal
Pypal: https://github.com/f0cker/pypal
Hashcat: https://github.com/hashcat/hashcat
PyHashcat: https://github.com/Rich5/pyhashcat (original)
PyHashcat: https://github.com/f0cker/pyhashcat (current fork)

Latest SpiderLabs Blogs

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More

Tips for Optimizing Your Security Operations Framework

Building an effective Security Operations framework that provides the right balance of people, processes, and technologies can take years.

Read More