Trustwave’s global SpiderLabs team is known for its malware reverse-engineering projects, breach investigations, and the thousands of penetration tests it conducts to bolster the security of enterprises across the globe. But the established Trustwave SpiderLabs experts are also recognized for the open-source security projects they release throughout the year. Today, the team has released its latest creation.
Dubbed CrackQ, the tool enhances the experience around Hashcat, a popular password-cracking solution leveraged by Red Teams. To get a better sense of the benefits and iterations we can expect surrounding CrackQ, we caught up with its creator, Dan Turner, principal consultant at Trustwave SpiderLabs.
1. Can you give me a breakdown of what CrackQ is?
Dan Turner: CrackQ does a few things, but primarily it's a queuing system to manage password cracking for an offensive security team. So it's a wrapper around Hashcat, served by a web application for ease of use. Hashcat is the de facto password cracking tool that utilizes the power of graphical processing units (GPU) for high-speed password cracking. GPUs are coprocessor cards historically used for graphical processing like rendering games, but their use has since transcended into other areas such as password cracking, machine learning, and cryptocurrency mining.
To explain what password cracking is; when a password is saved to disk, best practices dictate that it should be saved as a cryptographically hashed string, referred to as a hash. This is a one-way process, so it can't be reversed, but the process can be replicated to check that a password provided by a user matches the hash.
Password cracking is the process of matching a plain-text password to a hash. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.
2. How does it differ from other similar tools currently available?
Dan Turner: Initially I just wanted something written in Python (the other tools are written in different languages) so I could easily add features as the team needed them, but I got a little carried away and it evolved from there.
It uses SAML2 for authentication which can be set up to use multi-factor authentication and can integrate with a single sign-on setup, so it's easier to manage users.
It will improve efficiency with the ability to remove duplicate hashes, move jobs around based on the completion time and other factors like how long it's been running, how many hashes have cracked, etc. It will include an automated option that will automatically choose efficient cracking techniques based on the type of password hash algorithm and a chosen period of time. It handles failures well and will automatically re-queue jobs if they fail due to a system error of some sort. Though it's been very stable in testing, so this has been quite a rare occurrence.
The reporting feature is pretty nice. This will take the results of a password cracking job, a Windows Active Directory domain store for example, and analyze the cracked passwords to produce a report. This will include information relating to timing and speed, but crucially insecure password choices and patterns within an organization, which can help to eradicate those “Changme123!” type of passwords that lurk in many networks. One interesting metric, which I'm quite proud of, is the geolocation chart showing the locations of common password choices. So for example, it will find passwords based on city locations, such as “Chicago2019!”, then highlight these as "heat-spots" on a global map.
There's much more to come with the reports as well, there's a ton of metrics I haven't had time to add yet.
3. Why release something like this when attackers could potentially leverage it?
Dan Turner: Great question, and a question that could be asked of any security tool released to the community. In my opinion, the benefits far outweigh the risks associated with releasing such tools. Generally speaking, security tools are responsibly released only when a patch has been provided by the vendor of the affected product. Releasing such tools forces vendors and administrators to remediate the vulnerabilities they present and they help security personnel to highlight the risks to executives.
More specifically, this tool presents nothing new as such, password cracking tools have been around for decades. Though this tool does make certain aspects of the process easier, it's not going to give attackers anything new to work with. Any skilled threat actor will already be using the techniques included within CrackQ. The real benefits are geared towards large teams who share resources and work to tight deadlines. It's designed to help with that and provide better insights to clients.
4. Are there plans to make iterations in the future?
Dan Turner: Yes! This is just an initial (alpha) release. In fact, some of the best features are yet to come, but it's at a point where I now feel like I can release it and hopefully receive some further support from the community to help grow the current feature set.
5. How does this help security in the long run?
Dan Turner: In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration with a significant password store compromise will include a detailed report analyzing weak areas in password policy. I think it will help to visualize that and perhaps help drive home the message about poor password choices.
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.