Introducing Password Cracking Manager: CrackQ
Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.
To clarify, Hashcat is a password cracking tool which utilizes the power of GPUs (Graphical Processing Units) for high-speed password cracking. In simple terms, password cracking is the process of matching a plain-text password to a cryptographic hash of that password. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.
How does CrackQ differ from similar tools?
I've been managing internal password cracking rigs at Trustwave for a number of years and in various different incarnations, though I've never been happy with the efficiency of whichever process or application we have used to this end. Initially, I just wanted something written in Python, so I could easily add features as and when the team needed them, and it evolved from there.
CrackQ interfaces with Hashcat directly via the libhashcat library rather than using shell commands for execution. It uses the under-appreciated PyHashcat C bindings for this, which allows access to the library from Python. Aside from this, it's the only tool that uses SAML2 authentication, allowing you to offload credential management to an identity provider (Active Directory, Azure, etc.) and also to use Multi-Factor Authentication. The alternative option is LDAP authentication, which can be used with your own LDAP service, or for demo purposes, I have included an OpenLDAP docker container within the 4 docker containers provided as part of the application. This was a big issue for me, having to manage users in a team of around a hundred testers can be quite cumbersome.
There are attributes that CrackQ has that other tools don’t, and the converse is also true. For example, it currently is not able to work as a distributed system, rather it's a client-server setup. This is mainly because distributed cracking is not what we needed at this time, but it's an API so this could be added quite easily in the future if I decide to go down that road.
There is a multitude of useful features planned for future releases, but I will focus on what is currently supported here. One of the benefits of using Python is that we can call on the power of the Python data science and analytics libraries. The password analysis reporting feature demonstrates this and, even though it's still at a very early stage in the development process, the results are quite interesting.
I've created an analysis library that I'm calling Pypal, in a hat-tip to the command-line password analysis tool Pipal. It uses many of the same metrics used there and in other tools, but it also looks at some additional angles, and the results are rendered in a more visually appealing way.
At the click of a button, CrackQ will generate a password analysis report from the results of a password cracking job, a Windows Active Directory domain store for example. This includes information relating to timings and speed, but crucially insecure password choices and patterns within an organization. Hopefully, this will help to eradicate those Winter123! passwords that still lurk in many networks.
One metric that is quite interesting, is the geolocation chart showing the locations of common password choices. For example, CrackQ will find passwords based on city locations, such as Chicago2019!, then highlight these as 'heat-spots' on a global map. It's just a nice visual for our clients and anyone else that chooses to use it.
Feature List
- Hashcat Brain integration – CrackQ will engage the Hashcat brain automatically when it is efficient to do so
- Automated re-queuing on job failure, if the job fails due to system error it will be re-queued unless it fails > n times
- Easily deployable Docker images can also be used for cloud integration (takes 30 minutes to install on an EC2 instance)
- LDAP & SAML2 support with MFA
- CLI Python client or JS GUI
- Built-in password analysis/reports
- Job/Queue graphing & statistics
- Move/prioritize jobs
- REST API
- Multi-user support
- Mask files support
- Pre-configured Markov stats
Note the Hashcat Brain is a feature within Hashcat that prevents retrying the same password guess repeatedly during different runs against the same hash(es), thus improving efficiency for slower algorithms. However, the brain becomes the bottleneck when cracking at higher speeds. It has a bottleneck of around 500kH/s so CrackQ will check the speed for the selected algorithm and engage the brain when it’s effective to do so. In the case of high-speed algorithms, it’s slower and inefficient to use the brain.
Conclusion
CrackQ is in its initial (alpha) release. Some of the best features are yet to come, but it's at a point where I can release it to help improve password cracking efficiency for security teams and hopefully receive further support from the community to help grow the current feature set.
In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy. CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.
I will cover more technical details around the libraries, services, and docker infrastructure in a later post which might be of interest to anyone looking to get involved with the project.
For anyone looking to get an insight into password security within their organization, feel free to reach out and make use of our password analysis service where we can offer all of this and more.
CrackQ is available here:
https://github.com/f0cker/crackq
References
Pipal: https://github.com/digininja/pipal
Pypal: https://github.com/f0cker/pypal
Hashcat: https://github.com/hashcat/hashcat
PyHashcat: https://github.com/Rich5/pyhashcat (original)
PyHashcat: https://github.com/f0cker/pyhashcat (current fork)