Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Request a Demo

Join Trustwave at the 2023 Gartner Security & Risk Management Summit in London, September 26-28. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

twi-cloud-lock-color-svg
Managed Security Services

Expand your team’s capabilities and strengthen your security posture

twi-briefcase-color-svg
Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

twi-dashboard-color-svg
Penetration Testing

Subscription- or project-based testing, delivered by global experts

twi-database-color-svg
Database Security

Get ahead of database risk, protect data and exceed compliance requirements

twi-email-color-svg
Email Security & Management

Catch email threats others miss with layered security & maximum control

twi-managed-portal-color
Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
A focus on threat detection and response
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Researchers, ethical hackers and responders
Trustwave Fusion Platform
Unprecedented security visibility and control
SpiderLabs Fusion Center
Our cybersecurity command center
Security Operations Centers
Distributed worldwide defense nodes
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

Introducing Password Cracking Manager: CrackQ

Daniel Turner Dec 4, 2019

Contents

SpiderLabs Radio January 11, 2013 w/ Space Rogue

Windows CryptoAPI Spoofing Vulnerability - CVE-2020-0601

How I Cracked a Keylogger and Ended Up in Someone's Inbox

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

 

CrackQ login page
Yes it has a logo!

 

To clarify, Hashcat is a password cracking tool which utilizes the power of GPUs (Graphical Processing Units) for high-speed password cracking. In simple terms, password cracking is the process of matching a plain-text password to a cryptographic hash of that password. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.

 

CrackQ dashboard

 

How does CrackQ differ from similar tools?

I've been managing internal password cracking rigs at Trustwave for a number of years and in various different incarnations, though I've never been happy with the efficiency of whichever process or application we have used to this end. Initially, I just wanted something written in Python, so I could easily add features as and when the team needed them, and it evolved from there.

CrackQ interfaces with Hashcat directly via the libhashcat library rather than using shell commands for execution. It uses the under-appreciated PyHashcat C bindings for this, which allows access to the library from Python. Aside from this, it's the only tool that uses SAML2 authentication, allowing you to offload credential management to an identity provider (Active Directory, Azure, etc.) and also to use Multi-Factor Authentication. The alternative option is LDAP authentication, which can be used with your own LDAP service, or for demo purposes, I have included an OpenLDAP docker container within the 4 docker containers provided as part of the application. This was a big issue for me, having to manage users in a team of around a hundred testers can be quite cumbersome.

There are attributes that CrackQ has that other tools don’t, and the converse is also true. For example, it currently is not able to work as a distributed system, rather it's a client-server setup. This is mainly because distributed cracking is not what we needed at this time, but it's an API so this could be added quite easily in the future if I decide to go down that road.

There is a multitude of useful features planned for future releases, but I will focus on what is currently supported here. One of the benefits of using Python is that we can call on the power of the Python data science and analytics libraries. The password analysis reporting feature demonstrates this and, even though it's still at a very early stage in the development process, the results are quite interesting.

I've created an analysis library that I'm calling Pypal, in a hat-tip to the command-line password analysis tool Pipal. It uses many of the same metrics used there and in other tools, but it also looks at some additional angles, and the results are rendered in a more visually appealing way.

At the click of a button, CrackQ will generate a password analysis report from the results of a password cracking job, a Windows Active Directory domain store for example. This includes information relating to timings and speed, but crucially insecure password choices and patterns within an organization. Hopefully, this will help to eradicate those Winter123! passwords that still lurk in many networks.

 

Chart showing passwords based on country names

 

One metric that is quite interesting, is the geolocation chart showing the locations of common password choices. For example, CrackQ will find passwords based on city locations, such as Chicago2019!, then highlight these as 'heat-spots' on a global map. It's just a nice visual for our clients and anyone else that chooses to use it.

 

Geolocation chart showing passwords based on cities
The image above shows the spread of passwords based on city names, taken from a leaked password/hash database belonging to a company based in Sweden

 

Feature List

  • Hashcat Brain integration – CrackQ will engage the Hashcat brain automatically when it is efficient to do so
  • Automated re-queuing on job failure, if the job fails due to system error it will be re-queued unless it fails > n times
  • Easily deployable Docker images can also be used for cloud integration (takes 30 minutes to install on an EC2 instance)
  • LDAP & SAML2 support with MFA
  • CLI Python client or JS GUI
  • Built-in password analysis/reports
  • Job/Queue graphing & statistics
  • Move/prioritize jobs
  • REST API
  • Multi-user support
  • Mask files support
  • Pre-configured Markov stats

Note the Hashcat Brain is a feature within Hashcat that prevents retrying the same password guess repeatedly during different runs against the same hash(es), thus improving efficiency for slower algorithms. However, the brain becomes the bottleneck when cracking at higher speeds. It has a bottleneck of around 500kH/s so CrackQ will check the speed for the selected algorithm and engage the brain when it’s effective to do so. In the case of high-speed algorithms, it’s slower and inefficient to use the brain.

Conclusion

CrackQ is in its initial (alpha) release. Some of the best features are yet to come, but it's at a point where I can release it to help improve password cracking efficiency for security teams and hopefully receive further support from the community to help grow the current feature set.

In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy. CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.

I will cover more technical details around the libraries, services, and docker infrastructure in a later post which might be of interest to anyone looking to get involved with the project.

For anyone looking to get an insight into password security within their organization, feel free to reach out and make use of our password analysis service where we can offer all of this and more.

CrackQ is available here:

https://github.com/f0cker/crackq

References

Pipal: https://github.com/digininja/pipal
Pypal: https://github.com/f0cker/pypal
Hashcat: https://github.com/hashcat/hashcat
PyHashcat: https://github.com/Rich5/pyhashcat (original)
PyHashcat: https://github.com/f0cker/pyhashcat (current fork)

SpiderLabs Radio January 11, 2013 w/ Space Rogue

Windows CryptoAPI Spoofing Vulnerability - CVE-2020-0601

How I Cracked a Keylogger and Ended Up in Someone's Inbox
Previous

Time Windows for Penetration Testing
Next

CVE-2019-1429: (Another) Microsoft Internet Explorer 0-Day