With more devices connecting to the Internet every day, the number of passwords stored online increases exponentially. Passwords are required to access sensitive data and systems, so they are constantly being targeted as attack vectors by malicious actors.
Hash cracking is the process of attempting to find the clear-text equivalent of a password stored in its hashed form. It is important from a defensive standpoint as well – conducting password audits allows organizations to ensure that password policies are being met. In the world of forensics, hash cracking tactics can be used to gain access to evidence that has been encrypted by suspects.
Many professional hash crackers make use of powerful GPUs to speed up the cracking process because of the amount of parallel processing they can handle. In fact, most use clusters of GPUs to burn through key spaces at extremely high speeds. Our project focused on the tactic of meshing GPUs together to maximize processing power. We utilized up to 15 state-of-the-art research computers, each with Nvidia GTX 660Ti GPUs, which allowed us to analyze the various methods hash crackers use. We decided to focus on the open-source distribution tool called Hashtopus, combined with the popular tool oclHashcat to handle the actual attacks on the hashes.
During this project, we were able to see, and quantify, just how weak certain kinds of passwords are. For example, if you created ANY 7-character password and used MD5 to hash it, we would be able to crack it in just over twenty minutes.
Our final report will be posted in the coming weeks and will document all of our methodologies, tests, results, and findings. In the meantime, here is a sneak-peek screenshot of the Hashtopus web interface during a brute-force test on a 6-character SHA-512 hash using 10 computers!