SHA-1 Password Hashes Cracked Using Amazon EC2 GPU Cloud


It’s not the first time someone has pulled this off, back in November 2009 we wrote about Using Cloud Computing To Crack Passwords – Amazon’s EC2.

Add that with a story way back from 2007 – Graphics Cards – The Next Big Thing for Password Cracking? – and you’ve got yourself an interesting combo with the new offering from Amazon, distributed GPU-based resources.

Put those two stories together in true hacker style and you end up with a guy who used GPU instances on the Amazon EC2 platform to crack SHA-1 password hashes.

A German security enthusiast has used rented computing resources to crack a secure hashing algorithm (SHA-1) password.

Thomas Roth used a GPU-based rentable computer resource to run a brute force attack to crack SHA1 hashes. Encryption experts warned for at least five years SHA-1 could no longer be considered secure so what’s noteworthy about Roth’s project is not what he did or the approach he used, which was essentially based on trying every possible combination until he found a hit, but the technology he used.

What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individuals in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth’s proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer.

SHA-1 was of course cracked way back in 2005, and widely reported on in 2007 – and whilst being phased out it is still used in many applications.

But then this attack isn’t really using any flaws in the algorithm – it’s just straight up hash cracking it.

The tool he used was CUDA-Multiforcer – GPU Powered High Performance Multihash Brute Forcer.


SHA-1, although it is in the process of being phased out, still forms a component of various widely-used security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols. Roth claims to have cracked all the hashes from a 160-bit SHA-1 hash with a password of between 1 and 6 characters in around 49 minutes. The process would create a rainbow table, allowing short and therefore automatically insecure passwords to be matched to their hash. It wouldn’t work for longer length passwords. Even so, the bigger point that rentable computing resources might be used for password hacking still stands.

Security watchers warn that the development opens up the possibility of cybercrooks using pay-as-you-go cloud computing-based parallel processing environment for their own nefarious purposes.

Chris Burchett, CTO and co-founder of the data security firm Credant, said: “It’s easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe.”

Cybercriminals might use stolen payment card credentials to fund their cloud cracking escapades “which means they will not be bothered about the cost involved,” he added.

Around 12 months ago, another white-hat hacker, Moxie Marlinspike, created an online Wi-Fi password-cracking service called WPAcracker.com. The $17-a-time service is able to crack a Wi-Fi password in around 20 minutes, compared to the 120 hours a dual-core PC might take to carry out the same job.

Although there’s nothing really new here, it’s still an interesting implementation of some already known techniques. As cloud/distributed computing becomes even cheaper, I’d guess we’ll be seeing more similar attacks in the future.

The original post (which precise details on how to set everything up) can be found on the blog of Thomas Roth here:

Cracking Passwords In The Cloud: Amazon’s New EC2 GPU Instances

Source: The Register

Posted in: Password Cracking, Secure Coding


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


One Response to SHA-1 Password Hashes Cracked Using Amazon EC2 GPU Cloud

  1. Simon November 25, 2010 at 9:34 am #

    SHA-1 is not cracked, it’s weakened, but _no one_ have found a SHA-1 collision yet.