Password Cracking: What this Powerful Secureworks Tool Can Do for Your OrganizationWith 1.4 trillion password guesses per second, our password cracking machine challenges whether many passwords are truly secure. By: Nate Drier, Secureworks Adversary Group
The whole purpose of partnering with the Secureworks® Counter Threat Unit™ (CTU) is so that you can leverage the many types of unique expertise the CTU™ possesses. One such group within the CTU is the Secureworks Adversary Group (we call it "SwAG"). When you bring in the SwAG to start evaluating your defenses via methods like password cracking, you find out if your environment can really stand up to threat actors – and if not, exactly where you need to shore up your password security.
But the SwAG team couldn't fulfill that purpose for you if we were only kinda sorta good at what we do. When you engage with us, we subject your organization to some truly top-notch hacking. That's why you can have a high level of confidence that your security is strong where we tell you it's strong – and weak where we tell you it's weak.
In fact, we believe we're the best in the business for two reasons. First and foremost is our talent. Our consultants are skilled, experienced, creative and incredibly well-informed with the latest threat intelligence. We've also built a highly collaborative SwAG culture—so we bring our collective capabilities to bear on every engagement. Think about this for a minute: when you hire SwAG to conduct a remote engagement against your organization, you're not just getting the skills and experience of one person – you are getting access to our entire team at a moment's notice.
There's also a second reason why we're the best at what we do: We equip our world-class hackers with world-class tools. After all, the bad guys have invested a lot in the technology they use to attack you. We absolutely take the same approach.
Our tools include sophisticated command-and-control infrastructure (C2), our proprietary CredCloud platform (which contains data from historical breaches), and more. However, one recent advance which we're particularly proud of is our high-performance password cracking engine (PCE), which we affectionately call "Kraxx." Here's what it is—and why you should care.
Meet the Beast
The cluster on which we run our password cracking engine consists of four 4u servers that include both Xeon and EPYC processors, eight Nvidia 1080 TI GPUs (currently a big favorite among compute-intensive AI and cryptominers), 24 Nvidia GeForce 3090 GPUs (which feature 24GB of cutting-edge GDDR6x memory and, as the world's fastest graphics card, is a favorite of top-tier gamers), a terabyte of RAM and multiple terabytes of SSD. (Sorry if you haven't been able to buy one of these graphics cards for a while – we've been busy!)
And yes, Kraxx is every bit as intense as you'd expect from something with a name inspired by a mythical sea creature.
This tool can perform 1.4 trillion password guesses per second. Think about that. 1.4 trillion guesses per second is so fast that that it can brute force every possible password candidate between one and eight characters using any combination of uppercase, lowercase, digits and special characters in less than an hour. It can brute force passwords in the 9- to 12-character range too, when we complement its speed with a few basic rules, masks and dictionaries.
Secureworks' password cracking machine doesn't begin to break a sweat until it gets to passwords with 15+ characters. And even then, we can crack a decent share of them, given enough dwell time.
Our password-cracking monster is also a powerful tool for extracting passwords from user hashes, such as those we can get from NTDS dumps. Just last week, for example, our SwAG team managed to get domain admin rights from all nine of the nine clients we were penetration testing. We then used Impacket's Secretsdump to extract all the username/password hashes from those clients' domains and ran them through this password-devouring beast. It wasn't long before we'd run about one-third of those hashes and cracked nearly 600 passwords — which would have been more than enough to do some real damage if we weren't the good guys.
What's in it for you?
We love the password-obliterating adventures we go on with Kraxx. It empowers us to further differentiate our adversarial testing capabilities, and it saves us a lot of time. And to be honest, it's incredibly fun to use – and to dim the lights of a data center.
While all this mischievous hacker fun may sound entertaining, what's in it for you? Secureworks clients benefit from this beast we've built in three primary ways:
- It's ideal for revealing flaws in your password security. If you believe user passwords are sufficient to protect user accounts and associated applications, SwAG can use this tool to quickly prove you wrong. More to the point, by cracking your passwords, we can give you the documented proof you may need to convince upper management that multi-factor authentication is an absolute necessity. Which it is.
- It can help us recover your passwords after an incident. We've had engagements where clients have lost passwords to critical accounts as a result of an attack—as well as situations where they needed to open password-protected files left behind by an attacker. This advanced tool enables the Secureworks team to accomplish tasks like this with unprecedented ease and speed.
- It gives us insight into how people pick passwords — and how the way they pick them can compromise security. After hundreds of password cracking jobs, we've learned far more about what user passwords really look like. And it's not pretty. Lots of people fall into a common pattern involving the use of seasons, places and names. But you better believe the bad guys are gathering the same insight. So, the more we know, the better we can help you educate your users and set smart policies to optimize password strength.
Of all the benefits you can gain from this unusual technological beast, the most dramatic ones come from the long-term insight it provides on how adversaries behave. It doesn't just crack passwords. It provides the additional layers of defense that we use to continually strengthen our Secureworks Taegis™ security platform – the place where every lesson learned and victory earned becomes a part of how Taegis protects every Secureworks customer. When a threat uses a tactic similar to what it uses during SwAG engagements, Taegis knows to apply rules to prevent, detect and respond quickly to the threat. So not only is Kraxx kind of scary – it's also kind of the hero of the story when it comes to password security.
Building this machine wasn't easy. We faced cooling and power limitations, vendor hassles and even a GPU shortage. It also takes a lot of ongoing work to keep this crafty beast tuned and continually optimized to address our ever-shifting hacking requirements.
But the juice is well worth the squeeze. The tougher we can be on you the first time we test you, the stronger you'll be the second time. And by the time you get to your fourth or fifth round with SwAG, your risk mitigation will have dramatically improved — which means you'll be able to move on to the next stage of security maturity.
Ready to discover just how strong your organization's passwords really are? Contact us today to set up your visit with the SwAG – and unleash Kraxx for your own organization.