25-GPU cluster cracks every standard Windows password in <6 hours

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Heath
    Confirmed User
    • Sep 2008
    • 491

    #1

    25-GPU cluster cracks every standard Windows password in <6 hours

    arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

    A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

    The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 958 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm?which many organizations enable for compatibility with older Windows versions?will fall in just six minutes.

    The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

    "What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. "We can attack hashes approximately four times faster than we could previously."

    Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined "Why passwords have never been weaker?and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

    Using the new cluster, the same attack would move about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

    The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.
    Full Article : rstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
    Email - popuplace [at] yahoo [dot] com
  • NatalieK
    Natalie K
    • Apr 2010
    • 19825

    #2
    Sounds like a piece of art
    My official site / Custom vids / Make money links / First time girls
    Email: [email protected] - "Converting traffic into income since 2005"

    Comment

    • PR_Dave
      Confirmed User
      • Jul 2003
      • 2792

      #3
      Would be good for video encoding

      Comment

      • bronco67
        Too lazy to set a custom title
        • Dec 2006
        • 29026

        #4
        So....why? Isn't there something more productive to do with all that computing power?

        Comment

        • Why
          MFBA
          • Mar 2003
          • 7230

          #5
          Originally posted by PR_Dave
          Would be good for video encoding
          it would be fast, but poor quality. GPU encoding results in lesser quality then CPU encoding, due to the way they are built.

          the difference in quality is actually noticeable to the naked eye.

          Comment

          • Why
            MFBA
            • Mar 2003
            • 7230

            #6
            and this is why hashes are bad. ;)

            the computing power that is around today, all passwords are worthless.

            Comment

            • Rochard
              Jägermeister Test Pilot
              • Dec 2001
              • 75733

              #7
              So it can do 350 billion guesses per second... But my computer can only done one request every five seconds. So there goes that idea.
              Herschel Savage
              Brooklyn, NY

              Comment

              • Ayla_SquareTurtle
                Confirmed User
                • Sep 2005
                • 3550

                #8
                Originally posted by Rochard
                So it can do 350 billion guesses per second... But my computer can only done one request every five seconds. So there goes that idea.
                They use vulnerabilities in the OS to directly access the encrypted password file on your machine. Your machine doesn't have to be able to process the requests at that speed.
                gone. long gone.

                aylasquareturtle .."a"t".. gmail dawt com

                Comment

                • JP-pornshooter
                  Confirmed User
                  • Sep 2006
                  • 4007

                  #9
                  doesnt most password protected application shut off after a few tries?
                  perhaps not software applications as much as "websites"?
                  "Obscenity is whatever gives the Judge an erection." -- Author Unknown

                  Comment

                  • Ayla_SquareTurtle
                    Confirmed User
                    • Sep 2005
                    • 3550

                    #10
                    Originally posted by JP-pornshooter
                    doesnt most password protected application shut off after a few tries?
                    perhaps not software applications as much as "websites"?
                    Yes, but this is for cracking Windows which it does using the method I briefly explained above.
                    gone. long gone.

                    aylasquareturtle .."a"t".. gmail dawt com

                    Comment

                    • Robbie
                      Leaner, Meaner, Faster
                      • Aug 2002
                      • 20960

                      #11
                      Originally posted by Why
                      it would be fast, but poor quality. GPU encoding results in lesser quality then CPU encoding, due to the way they are built.

                      the difference in quality is actually noticeable to the naked eye.
                      You're dead wrong. GPU is better quality when rendering video.

                      You need to do some research. Why do you think that I and everyone else is using CUDA technology to render video using video cards with big GPU's?
                      -Robbie
                      ClaudiaMarie.Com

                      Comment

                      • Robbie
                        Leaner, Meaner, Faster
                        • Aug 2002
                        • 20960

                        #12
                        "GPU does a better job and is virtually identical to the master."

                        http://www.shawnlam.ca/2011/adobe-cs...-acceleration/
                        -Robbie
                        ClaudiaMarie.Com

                        Comment

                        • JP-pornshooter
                          Confirmed User
                          • Sep 2006
                          • 4007

                          #13
                          Originally posted by Ayla_SquareTurtle
                          Yes, but this is for cracking Windows which it does using the method I briefly explained above.
                          speaking of cracking, i have a couple wifi networks i like to test some cracking techniques on.. any suggestions?
                          strictly for testing purposes only.
                          "Obscenity is whatever gives the Judge an erection." -- Author Unknown

                          Comment

                          • GFED
                            Confirmed User
                            • May 2002
                            • 8121

                            #14
                            Originally posted by JP-pornshooter
                            speaking of cracking, i have a couple wifi networks i like to test some cracking techniques on.. any suggestions?
                            strictly for testing purposes only.
                            Backtrack + Reaver
                            https://www.flow.page/savethechildren

                            Comment

                            Working...