CrackQ: 5 Questions with the Password Cracker's Creator

Trustwave’s global SpiderLabs team is known for its malware reverse-engineering projects, breach investigations, and the thousands of penetration tests it conducts to bolster the security of enterprises across the globe. But the established Trustwave SpiderLabs experts are also recognized for the open-source security projects they release throughout the year. Today, the team has released its latest creation.

Dubbed CrackQ, the tool enhances the experience around Hashcat, a popular password-cracking solution leveraged by Red Teams. To get a better sense of the benefits and iterations we can expect surrounding CrackQ, we caught up with its creator, Dan Turner, principal consultant at Trustwave SpiderLabs.

1. Can you give me a breakdown of what CrackQ is?

Dan Turner: CrackQ does a few things, but primarily it's a queuing system to manage password cracking for an offensive security team. So it's a wrapper around Hashcat, served by a web application for ease of use. Hashcat is the de facto password cracking tool that utilizes the power of graphical processing units (GPU) for high-speed password cracking. GPUs are coprocessor cards historically used for graphical processing like rendering games, but their use has since transcended into other areas such as password cracking, machine learning, and cryptocurrency mining.

To explain what password cracking is: when a password is saved to disk, best practices dictate that it should be saved as a cryptographically hashed string, referred to as a hash. This is a one-way process, so it can't be reversed, but the process can be replicated to check that a password provided by a user matches the hash.

Password cracking is the process of matching a plain-text password to a hash. This is done by guessing the password, but at an incredibly fast rate. We're talking hundreds of billions of guesses per second in many cases.

2. How does it differ from other similar tools currently available?

Dan Turner: Initially I just wanted something written in Python (the other tools are written in different languages) so I could easily add features as the team needed them, but I got a little carried away and it evolved from there.

It uses SAML2 for authentication which can be set up to use multi-factor authentication and can integrate with a single sign-on setup, so it's easier to manage users.

It will improve efficiency with the ability to remove duplicate hashes, move jobs around based on the completion time and other factors like how long it's been running, how many hashes have cracked, etc. It will include an automated option that will automatically choose efficient cracking techniques based on the type of password hash algorithm and a chosen period of time. It handles failures well and will automatically re-queue jobs if they fail due to a system error of some sort. Though it's been very stable in testing, so this has been quite a rare occurrence.

The reporting feature is pretty nice. This will take the results of a password cracking job, a Windows Active Directory domain store for example, and analyze the cracked passwords to produce a report. This will include information relating to timing and speed, but crucially insecure password choices and patterns within an organization, which can help to eradicate those “Changme123!” type of passwords that lurk in many networks. One interesting metric, which I'm quite proud of, is the geolocation chart showing the locations of common password choices. So for example, it will find passwords based on city locations, such as “Chicago2019!”, then highlight these as "heat-spots" on a global map.

There's much more to come with the reports as well; there's a ton of metrics I haven't had time to add yet.

3. Why release something like this when attackers could potentially leverage it?

Dan Turner: Great question, and a question that could be asked of any security tool released to the community. In my opinion, the benefits far outweigh the risks associated with releasing such tools. Generally speaking, security tools are responsibly released only when a patch has been provided by the vendor of the affected product. Releasing such tools forces vendors and administrators to remediate the vulnerabilities they present and they help security personnel to highlight the risks to executives.

More specifically, this tool presents nothing new as such; password cracking tools have been around for decades. Though this tool does make certain aspects of the process easier, it's not going to give attackers anything new to work with. Any skilled threat actor will already be using the techniques included within CrackQ. The real benefits are geared towards large teams who share resources and work to tight deadlines. It's designed to help with that and provide better insights to clients.

4. Are there plans to make iterations in the future? 

Dan Turner: Yes! This is just an initial (alpha) release. In fact, some of the best features are yet to come, but it's at a point where I now feel like I can release it and hopefully receive some further support from the community to help grow the current feature set.

5. How does this help security in the long run?

Dan Turner: In the long run I think it will be quite valuable to our clients and the security community in general. For us, every penetration with a significant password store compromise will include a detailed report analyzing weak areas in password policy. I think it will help to visualize that and perhaps help drive home the message about poor password choices.

To get further information on CrackQ, read Dan’s full blog post on the tool here. Click here to learn more on how the elite Trustwave SpiderLabs team can help your organization.
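The reporting idea described in the interview, grouping recovered passwords by pattern so that choices like “Chicago2019!” stand out, can be sketched as follows. This is an added illustration, not CrackQ's code; the word lists, category names and the sample passwords are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample standing in for plaintexts recovered in an authorized audit.
SAMPLE = ["Chicago2019!", "Changme123!", "chicago2018", "Summer2019!",
          "London2019", "x7#Qp!vR2m$Lz", "Welcome2020!", "Password2019!"]

# Assumed word lists for illustration; a real report needs far larger ones.
CITIES = {"chicago", "london", "paris", "sydney"}
DEFAULTS = {"changeme", "changme", "welcome", "password", "letmein"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Shape shared by the page's examples: letters, then digits, then optional symbols.
SHAPE = re.compile(r"^([A-Za-z]+)(\d+)([^A-Za-z0-9]*)$")
YEAR = re.compile(r"(19|20)\d\d")


def mask(pw):
    """Character-class mask: U=upper, l=lower, d=digit, s=anything else."""
    return "".join("U" if c.isupper() else "l" if c.islower()
                   else "d" if c.isdigit() else "s" for c in pw)


def classify(pw):
    """Return (category, base word, year) for one password."""
    m = SHAPE.match(pw)
    if not m:
        return ("other", None, None)
    word, digits = m.group(1).lower(), m.group(2)
    year = digits if YEAR.fullmatch(digits) else None
    for name, words in (("city", CITIES), ("default", DEFAULTS), ("season", SEASONS)):
        if word in words:
            return (name, word, year)
    return ("word+digits", word, year)


def report(passwords):
    """Aggregate counts only; full plaintexts are not copied into the output."""
    cats, cities, years, masks = Counter(), Counter(), Counter(), Counter()
    for pw in passwords:
        cat, word, year = classify(pw)
        cats[cat] += 1
        masks[mask(pw)] += 1
        if cat == "city":
            cities[word] += 1  # counts that a location chart could plot
        if year:
            years[year] += 1
    return {"categories": dict(cats), "cities": dict(cities),
            "years": dict(years), "top_mask": masks.most_common(1)[0]}
```

On the sample, the city and default-word categories dominate and the most common mask is a capitalised word followed by a four-digit year and one symbol, which is the kind of finding a password policy review can act on.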

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.
