Cracking Hashes with NPK
Foreword
ACTIVECYBER has incorporated NPK into our arsenal of tools for penetration testing with clients, and we believe that sharing this with our ACTIVELabs library of resources would be beneficial to the community.
Password hashes are an essential part of many security assessments. Recovering plaintext passwords from these hashes can be crucial in a penetration test. However, hash cracking can be a challenging task for any penetration team as hashing is not reversible. The process involves making guesses about the original password, hashing them, and comparing the results with the available hash. Many tools like John the Ripper and Hashcat are available for cracking a variety of hash types, but the biggest challenge lies in the hardware.
High-performance hardware, including costly custom-built cracking rigs, is often used to speed up the cracking process. However, this option is not affordable for most people due to the high cost of equipment, electricity, and maintenance. To tackle this issue, an alternative solution called NPK has been developed. NPK is a distributed hash-cracking platform that leverages the powerful GPU instances on cloud platforms like AWS to provide high hash cracking performance at an affordable price.
NPK compares the price and performance of different GPU instance generations available on AWS, allowing users to select the best option for their specific hash type. Spot instances are used to keep the campaign prices to a minimum. The cost of entry for NPK is much lower than that of an enthusiast or professional-grade hash cracking rig. Furthermore, NPK supports distributing campaigns across multiple instances to maximize bandwidth and reduce the time required to crack hashes.
In addition to being more affordable, NPK is designed to prevent instances from running longer than necessary, avoiding unexpected charges. NPK is open source and can be accessed on GitHub. It's a highly useful tool that offers many features to assist security researchers in their work.
Installation
When it comes to deploying the NPK project, setting up the necessary infrastructure can be a breeze. However, there are two requirements that are absolutely essential to keep in mind before beginning the installation process.
First, an AWS account is a must-have requirement. This can easily be obtained by visiting https://aws.amazon.com/ and signing up for an account. With an account in hand, you'll be able to move on to the next step.
The second requirement is reaching out to AWS's support team to request a GPU limit increase to a minimum of 4. It's important to keep in mind that if you fail to request this increase, the installation process will come to a halt and prompt you to complete this step before proceeding with the installation.
Once you've completed these two crucial requirements, you're ready to deploy NPK. The process itself is straightforward: log in to your AWS account, open an AWS CloudShell terminal, and enter the following command:

source <(curl https://npkproject.io/cloudshell_install.sh)

This fetches the installer script and runs it directly in your shell. If you prefer to review the script before running it, save it with curl -o, read through it, and then source the saved copy instead.
With this command, you'll be able to initiate the installation process and be well on your way to using NPK. So let's go ahead and dive in – the process is easy, and the rewards are well worth the effort!
Congratulations on successfully deploying NPK to AWS! After deployment, you'll receive an email with your temporary username and password. Just a heads up, the email might end up in your spam folder, so be sure to check there if you can't find it in your inbox. When you log in for the first time, you'll need to create a new password before getting started with NPK's dashboard. Now the fun begins…
Usage
From the Dashboard you can start a campaign in two ways: by clicking on the "New Campaign" option on the left of any page or by clicking on the campaign icon on your dashboard. Both options will take you to the "New Campaign" configuration page.
Once you're on the "New Campaign" configuration page, your first step is to select the hash type, followed by the GPU Family. For this demonstration, we'll select the hash type NTLM, which has a value of 1000 (Hashcat's mode number for NTLM), and the fastest GPU, an NVIDIA T4.
Next, you'll need to choose the region and instance size. Please note that the options available to you may vary depending on what your AWS account has been approved for. For our demonstration, our final selection is the "fastest" option with an NVIDIA T4, the US-East region, and an xlarge instance size.
Now it's time to configure your campaign targets. You have two options for this: you can either paste the hashes directly or upload a file. It's important to note that each hash must be on its own line, and only the hash value should be included. For this demonstration we will use the following hash value: A4F49C406510BDCAB6824EE7C30FD852
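As an added illustration (not part of NPK or this walkthrough), a small Python check of a target list against the one-hash-per-line rule before you upload it; apart from the walkthrough's own hash, the sample lines are constructed, and the pwdump-style layout it recognises is the common user:rid:lm:nt::: format.

```python
import re

# Constructed sample target list for an NTLM (Hashcat mode 1000) campaign. The
# first line is the hash from this walkthrough; the rest are made-up lines of
# the kinds NPK's "one hash per line, hash value only" rule does not accept.
SAMPLE_TARGETS = """\
A4F49C406510BDCAB6824EE7C30FD852
  a4f49c406510bdcab6824ee7c30fd852
alice:1001:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
bob:0123456789abcdef0123456789abcdef
not-a-hash

0123456789abcdef0123456789abcdef0123
"""

NTLM_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def normalize_ntlm_targets(text):
    """Split a hash-per-line target list into (accepted, rejected).

    accepted: de-duplicated, lower-cased 32-hex NT hashes in first-seen order.
    rejected: (line_number, reason, original_line) tuples, so the operator can
    fix the file instead of silently losing targets at upload time.
    """
    accepted, seen, rejected = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no target
        fields = line.split(":")
        if len(fields) == 7 and NTLM_HEX.match(fields[3]):
            # pwdump-style "user:rid:lm:nt:::" line; NPK wants only the NT part
            rejected.append((lineno, "pwdump format; submit the NT hash only", raw))
        elif len(fields) > 1:
            rejected.append((lineno, "contains a username or extra fields", raw))
        elif not NTLM_HEX.match(line):
            rejected.append((lineno, "not a 32-character hex NTLM hash", raw))
        elif line.lower() in seen:
            rejected.append((lineno, "duplicate of an earlier line", raw))
        else:
            seen.add(line.lower())
            accepted.append(line.lower())
    return accepted, rejected
```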
Let’s move to “Attack Type” and enable it. Attack Type has two components: the dictionary (wordlist) and the rules. When you enable Attack Type you must select a wordlist, while selecting a rule set is optional. The wordlist is the collection of candidate words NPK will hash and compare against your targets; you can upload a custom wordlist tailored to your campaign, but for this demonstration we will use the industry-standard rockyou.txt. Rules are sets of instructions that tell NPK how to manipulate each word in the wordlist to generate additional candidates. For this demonstration we will be using “one rule”, but feel free to experiment with other rule sets in your own campaigns.
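To show what a rule does to a wordlist, here is an added example (not NPK's or Hashcat's own code) that interprets a small subset of Hashcat's rule syntax over a constructed three-word list and a constructed rule set; the function names are my own, and it makes visible how many candidates a campaign hashes per dictionary word.

```python
# Constructed wordlist and rule set: a tiny stand-in for rockyou.txt and the
# "one rule" file used in the walkthrough, to show how rules multiply candidates.
WORDLIST = ["summer", "Welcome", "npk"]
RULES = [":", "c", "u", "$1", "c$1$!", "^!", "r", "se3", "d", "t"]


def apply_rule(word, rule):
    """Apply one Hashcat-style rule string (subset) to a word; returns the candidate."""
    i, out = 0, word
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass                                      # no-op: keep the word as is
        elif op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()   # capitalise first, lower the rest
        elif op == "t":
            out = out.swapcase()                      # toggle the case of every letter
        elif op == "r":
            out = out[::-1]                           # reverse
        elif op == "d":
            out = out + out                           # duplicate
        elif op == "$":
            i += 1; out = out + rule[i]               # $X appends character X
        elif op == "^":
            i += 1; out = rule[i] + out               # ^X prepends character X
        elif op == "s":
            i += 2; out = out.replace(rule[i - 1], rule[i])  # sXY replaces X with Y
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        i += 1
    return out


def expand(wordlist, rules):
    """Return the de-duplicated candidate list a campaign would hash, in order."""
    seen, out = set(), []
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out
```

Duplicates such as "u" and "t" both yielding SUMMER are collapsed, which is why a real rule file of thousands of lines expands a wordlist by somewhat less than its line count.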
For the purposes of this demonstration, we won't be covering masking or manual configurations, so we'll leave those options disabled for now.
Finally, it's time to set your resource allocation. For this campaign, we'll be using two instances for a one-hour duration. By setting these parameters, you'll receive an estimated cost of just 32 cents to run the campaign. Once you're ready, hit "execute," and you'll be taken to a confirmation screen. After that, you can launch your campaign and monitor its progress from your dashboard.
Once the campaign is complete, navigate to the file management section to locate your loot. This is where you'll find any passwords that NPK has successfully cracked during the campaign.
That wraps up this demonstration. We love NPK and think you will too!