Release McCracken! Building a Hash Cracking Rig at CBI

By Reid Brosko, Red Team Manager at CBI

Throughout my career in a Red Team, there have been a couple of key assets that changed the game for myself and my teammates. Now, I am not talking about 0-days or exploits. I am referring to pieces of equipment that have given us a competitive advantage within our industry.

Today, I will go over one such development at CBI, an on-prem hash cracking rig that we have proudly dubbed, “McCracken.” This blog post will review the process of laying out specs, acquiring parts and building out the rig.

Red Team Critical Asset

Before the Red Team settled on the on-prem version of this rig, we tested out the cost and flexibility of hosting it within an Amazon AWS environment. But due to the cost over time and the lack of performance, we decided to build our own. As this was a team asset, we wanted to start with a sturdy base build to expand on later as we’re are able to demonstrate the value to the company.

Our approved budget for this base build was $5,000. This would allow us to spec out the rig in a way to allow for future expansion and upgrades.

The Core Notes

As noted, this build was designed to be the base for future growth and expansion, so the parts were overkill in some areas.

  • Case: Hydra VI Ultra Wide 6U Case for 13 GPU Mining Rendering AI Servers, Triple PSU Ready
  • Motherboard: ASUS B250 MINING EXPERT LGA1151 DDR4 HDMI B250 ATX Motherboard
  • CPU: Intel Core i5-7500 LGA 1151 7th Gen Core Desktop Processor *
  • CPU Fan: Cooler Master MAM-G1CN-924PC-R1 MasterAir G100M RGB Low Profile CPU Air Cooler Copper Heat Column Technology Ring and Fan
    Memory: Corsair Vengeance LPX 32GB (2x16GB) DDR4 2400 (PC4-19200) C16 for DDR4 Systems
  • PSU: 2x Seasonic Prime 1000 Titanium SSR-1000TR 1000W 80+ Titanium ATX12V & EPS12V Full Modular
  • GPU: 7x Nvidia GeForce GTX 1080 Founders Edition & 1x Nvidia GeForce GTX 1080 Blower Edition
  • OS HD: Samsung SSD 860 EVO 250GB 2.5 Inch SATA III Internal SSD
    Secondary HD: SanDisk Ultra 3D NAND 2TB Internal SSD – SATA III
    Risers: MintCell PCIe 6-Pin 16x to 1x Powered Riser Adapter Card w/ 60cm USB 3.0 Extension Cable & 6-Pin PCI-E to SATA Power Cable
  • Front Cooling Fans: 7x upHere 5V 120mm Silent Intelligent Control 5V Addressable RGB Fan
  • Rear Exhaust Fans: 7x Noctua NF-P12 redux-1700 PWM, High-Performance Cooling Fan

* Critical Note: ASUS B250 Mining Expert MB is not compatible with Intel 8thand 9thgen CPU although they are the same pinning and socket. Requires 7thgen CPU.

The Build

I have to admit, it was like Christmas when the parts started rolling in. Although having them arrive during a billable traveling engagement was less than ideal, we couldn’t wait to get the build underway.

The hydra server style case and ASUS Mining board allowed for future expansion, with the case holding up the 13 cards and the boards have 19 PCI ports.

To keep the cost down on the build, but not sacrifice performance, we opted to purchase our cards refabricated from Zotac. This saved us a lot of money while still maintaining the factory warranties on the cards.

After some troubleshooting and identifying the lack of support for 8thand 9thgeneration Intel CPUs, we installed the CPU and Low profile CPU cooler.

The primary hard drive and secondary hard drives were mounted to the side of the case and within the hard drive, enclosure provided.

The two 1000-watt PSUs were installed and would provide ample power for the eight GPUs under full load.

Next came the cooling elements. We went with a “Push-Pull” setup to go along with the flow of the GPU’s fans. This auxiliary air flow allowed for fresh air to be pushed over the cards and hot exhaust air to be pulled from the case faster.

Thankfully this was not a show build, so cable management was not critical.

With the addressable LEDs, we were able to set them up to change with the load of the GPU.

*Future plans are to have them signal a successful crack with a blink or status color change.

After we installed all lower elements, we reinstalled the braces for the GPU mounts in the case and mounted the GPUs to them.

It was finally the moment of truth…the full power cycle. SUCCESS!

The Setup

Unlike many other hash cracking rigs, we went with a Windows operating system for our base. The primary reason was due to driver compatibility and future updates with the ASUS Mining Expert Motherboard. The Mining Expert Motherboard has some key features within it that allow you to better balance the power load between the cards and the motherboard. The second reason for going with Windows was the ability to run applications like AI Suite and MSI Afterburner which allowed us to tune the memory and core clocks on the cards to overclock them for better performance, while at the same time monitoring current power usage and operating temperatures.

During testing and tuning, we identified a balance between performance and stability/life of the cards. While stress testing the rig over a 24 hour period, max temperatures only reached 70c. Keep in mind we have one Blower Edition Card, which is known to have less effective cooling capabilities as compared to the Founder Edition cards. 

Benchmark Numbers

  • Hashmode: 0 – MD5
  • Speed.#*………:  121.5 GH/s
  • Hashmode: 2500 – WPA-EAPOL-PBKDF2 (Iterations: 4096)
  • Speed.#*………: 3201.1 kH/s
  • Hashmode: 1000 – NTLM
  • Speed.#*………:  197.8 GH/s
  • Hashmode: 3000 – LM
  • Speed.#*………:  117.6 GH/s
  • Hashmode: 5500 – NetNTLMv1 / NetNTLMv1+ESS
  • Speed.#*………:  119.1 GH/s
  • Hashmode: 5600 – NetNTLMv2
  • Speed.#*………: 10490.8 MH/s
  • Hashmode: 13100 – Kerberos 5 TGS-REP etype 23
  • Speed.#*………: 1917.6 MH/s

Conclusion

After we completed, tested, tuned and put the hash cracking rig into our environment, we instructed the Red Team on how to securely access it remotely and start utilizing it to crack hashes they captured. The hash cracking rig added value for the team almost immediately. 

In the past, we could not effectively crack hashes like Kerberos 5 TGS from SPN ticketing attacks, but our new McCracken rig gives us the ability to run these hashes at a blistering speed. Using the horsepower of our rig has allowed us to crack hashes during engagements that in previous cases may not have been possible. Overall, this results in a stronger value derivative for our customers by accomplishing more with less time. 

The speed at which the McCracken rig aided our penetration testers’ ability to “pwn” their clients’ networks has made it well worth the research and investment. The new problem we are running into is making time to get everyone’s hashes cracked, as our pen testers are inundated with hashes from multiple engagements going on at the same time – a great problem to have!

Overall, I am very happy with the way the build turned out. We have built a solid structure on a tight budget to continue to expand this hash cracking rig as our team and portfolio expands.