How To Build A Hash Cracking Rig
In this article security researcher Sebastian Bicchi teaches us how to build a low-cost, but high quality cracking rig by repurposing a hardware crypto mining rig.
While I really don't care about BTC or Crypto-Currencies besides the technical underlying implementations and the math, I do care about their hardware. Because at the moment, the market is being flooded with different hardware Mining Rigs. If you can get your hands on such a rig and you are willing to invest some time into modifying it, you can build a low-cost but very efficient GPU Hash Cracker. I just spent four days installing and setting up mine, so in this article I will try to give you some tips so that you can avoid the mistakes that I made.
First, let's see what a good professional Rig costs and what it can do:
A good Rig is the Sagitta Brutalis https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/.
Specs (base config):
- 8 x NVidia GTX1080TI
- 2x Intel Xeon E5-2620 v4, 2.1 GHz Eight-core
- 64 GB DDR4 RDIMM ECC
- 2x 512 GB SATA/600 SSD in RAID-1
With this configuration the price is about 22.000 $. For smaller Companies or independent Red Teamers/Pen.Testers/Researchers this is not feasible.
Of course, the performance is great as well, for example:
MD5: 200 GH/s
SHA256: 23012.1 MH/s
WPA/WPA2: 3177.6 kH/s
NTLMv2: 13149.5 MH/s
Full Benchmark here: https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
So I searched the local "yard sale apps" (willhaben.at in my case) and found a Miner. Equipped with 8 RX580, 1250 € is a good deal, especially since it was professionally made and seemed to be in very good condition.
But there are some things about miners you should keep in mind:
- The CPU is usually very weak. Expect a Celeron or Pentium. I was lucky, mine had an i3, which is sufficient for most cases.
- Boards with multiple PCIE Slots, such as the ASUS B250 Mining Expert usually have 1 PCIE x16 (via Northbridge) and 10+ PCIE x1 (via Southbridge). Riser Cards often degrade PCIE to Gen1 instead of Gen3 - I will come back to that later
- Memory usually is also very low. In my case it was equipped with 4 GB (and this is more than you can expect!). But the Guy who was selling it, sold me another 2x16 (=32GB) DDR4 Crucial for 200€. Lucky me.
- Low, slow storage (if any!): So I gathered an SSD - amazon sold them a few days ago for 60 € instead of 120. Another lucky shot.
So, all in all I paid (with some luck) roughly 1500€. After the current Cracking Job, I will give a full Benchmark. Right now I'm cracking a WPA2-PMKID with roughly 1700 KH/s. This is about 50%+ of the performance of the Sagitta Brutalis for less than 7% of its price. Very acceptable.
If you build your own
It took me a few days to get this one running (sometimes it's easier, sometimes it's harder). Here are a few things:
If you can, go for NVidia
HashCat's support for NVidia is much better, especially with Linux (which would have been my favorite combination).
Sometimes you don't have the choice, like me in this case. I needed additional cracking power ASAP (Cloud is not an option!), so I just bought what was available. But if you have the time to wait, just wait for an NVidia Mining Rig.
Ask the Seller
Ask for the following things:
- How many operating hours does the Rig have?
- Is there a special (mining) bios on the Video Cards? If so, do you have the original Bios? If the answer is "No", try to find the original Bios, for example here: https://www.techpowerup.com . If you can't find it, don't take it!
- Crypto is full of con men - don't trust them. Try the Rig (if possible) with a USB Boot Stick and put heavy load on it. See if something fails.
- What is the general impression? GPUs in Cryptocurrency Usage are often overclocked/underpowered/"tuned" - if so, Hash Cracking might fail
If you go for AMD, prepare for trouble
AMD is cheaper, but you should prepare to invest some time. There are reasons why the Sagitta Brutalis is equipped the way it is. Here are some things to consider with AMD:
- HashCat with Linux requires ROCm - The Radeon Open Computing Platform (https://rocm.github.io). ROCm itself requires PCI AtomicOps, which aren't available on the PCIE connectors of all boards. Mostly only the primary PCIE Port is connected to the Northbridge and supports PCIE Gen3 with AtomicOps. If you installed Linux and hashcat with rock-dkms, and only one card is working, check dmesg for the following output:
kfd kfd: skipped device 1002:67df, PCI rejects atomics
If you can see this - bad luck. Check the BIOS if you can adjust the compatibility of the PCIE Ports, but in most cases, you will have to get Windows.
- If you go for Windows, go for Windows 10. Seriously, don't try Win 7/8.1 if you have more than 4 GPUs.
- If you need to use Windows + AMD, here comes more trouble for you: HashCat does not work with the current driver, you need the old 17.11.4 version (Crimson), you can obtain it here: https://support.amd.com/en-us/kb-articles/Pages/Radeon-Software-Crimson-ReLive-Edition-17.11.4-Release-Notes.aspx
- The 17.11.4 driver itself causes trouble if Windows isn't updated. An extreme lag is caused by some malfunction of the driver. Update Windows, but don't let Windows update the RADEON Driver!
- By default, the 17.11.4 driver somehow installs a faulty VC redistributable Runtime. The faulty runtime will prevent the needed Windows Update. Repair the Runtime with the "Software Features" function and retry the update.
- Do Restore Points. A lot of them.
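The dmesg check from the ROCm item above, as an added example that is not part of the original article: a shell function that counts how many cards the kfd driver accepted and how many it skipped for missing PCIe atomics. The log lines are constructed, and the "added device" line format is an assumption; only the "skipped device" line is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): summarise which GPUs the
# kfd driver accepted and which it skipped because the slot lacks atomics.
# Usage on a real system:  dmesg | kfd_atomics_report

kfd_atomics_report() {
    # Reads kernel log text on stdin, prints one summary line per PCI ID.
    # Returns 1 if any device was skipped, 0 otherwise.
    awk '
        function pci_id(line) {
            # Extract "vendor:device" from "... device 1002:67df[, ...]"
            if (match(line, /device [0-9a-fA-F]+:[0-9a-fA-F]+/))
                return substr(line, RSTART + 7, RLENGTH - 7)
            return "unknown"
        }
        # Assumed format of the success line printed by the same driver.
        /kfd kfd: added device/ { id = pci_id($0); seen[id] = 1; ok[id]++ }
        # The failure line quoted in the article.
        /kfd kfd: skipped device .*PCI rejects atomics/ {
            id = pci_id($0); seen[id] = 1; bad[id]++; total_bad++
        }
        END {
            for (id in seen)
                printf "%s usable=%d rejected=%d\n", id, ok[id], bad[id]
            exit (total_bad > 0)
        }
    '
}

# Constructed sample log: an 8-GPU riser board where only the card in the
# primary x16 slot is accepted (timestamps are made up).
sample_log() {
    echo '[    4.101234] kfd kfd: added device 1002:67df'
    i=0
    while [ "$i" -lt 7 ]; do
        echo "[    4.2${i}5678] kfd kfd: skipped device 1002:67df, PCI rejects atomics"
        i=$((i + 1))
    done
}

if sample_log | kfd_atomics_report; then
    echo "all detected GPUs are usable under ROCm"
else
    echo "some GPUs were skipped: check the BIOS PCIE settings or plan for Windows"
fi
```

The non-zero return value makes the function usable as a pre-flight check before starting a long cracking job.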
Flash the VBIOS
Especially if you run into BlueScreens or SegFaults like "THREAD_STUCK_IN_DRIVER", re-flash the original VBIOS on the Video Card.
You need the ATI/NVIDIA Flash Tool and the BIOS, which you can obtain here (most cases): https://www.techpowerup.com
Cloud?
Only if you have just one hash or use it rarely. Otherwise Cloud is very expensive. For the Price of this Rig, you can get:
- Month of 2x2080TI from LeaderGPU
- Some days of very inefficient (for that purpose) NVidia Tesla Cards at AWS.
Conclusion
If you are ready to invest some time, you can build a solid Cracking Rig for little money. But there is no guarantee that everything works out.
I will keep you posted with numbers, but all-in-all you can expect about half the performance of the already mentioned Sagitta Brutalis, if you have for example 8xRX580. The scaling is quite linear.
A last word: If you can't find the WPA/NTLM/... Hash in the first Week, you will probably never find it. I will make another tutorial on how to generate effective Password Lists with OSINT and some standard Kali Tools.