Throughout my career in a Red Team, there have been a couple of key assets that changed the game for myself and my teammates. Now, I am not talking about 0-days or exploits. I am referring to pieces of equipment that have given us a competitive advantage within our industry.
Today, I will go over one such development at CBI, an on-prem hash cracking rig that we have proudly dubbed, “McCracken.” This blog post will review the process of laying out specs, acquiring parts and building out the rig.
Before the Red Team settled on the on-prem version of this rig, we tested out the cost and flexibility of hosting it within an Amazon AWS environment. But due to the cost over time and the lack of performance, we decided to build our own. As this was a team asset, we wanted to start with a sturdy base build to expand on later as we’re able to demonstrate the value to the company.
Our approved budget for this base build was $5,000. This would allow us to spec out the rig in a way to allow for future expansion and upgrades.
As noted, this build was designed to be the base for future growth and expansion, so the parts were overkill in some areas.
* Critical Note: The ASUS B250 Mining Expert motherboard is not compatible with Intel 8th and 9th gen CPUs, although they share the same pinning and socket. It requires a 7th gen CPU.
I have to admit, it was like Christmas when the parts started rolling in. Although having them arrive during a billable traveling engagement was less than ideal, we couldn’t wait to get the build underway.
The hydra server style case and ASUS Mining board allowed for future expansion, with the case holding up to 13 cards and the board having 19 PCI ports.
To keep the cost down on the build, but not sacrifice performance, we opted to purchase our cards refabricated from Zotac. This saved us a lot of money while still maintaining the factory warranties on the cards.
After some troubleshooting and identifying the lack of support for 8th and 9th generation Intel CPUs, we installed the CPU and low-profile CPU cooler.
The primary and secondary hard drives were mounted to the side of the case, within the hard drive enclosure provided.
The two 1000-watt PSUs were installed and would provide ample power for the eight GPUs under full load.
Next came the cooling elements. We went with a “Push-Pull” setup to go along with the flow of the GPUs’ fans. This auxiliary air flow allowed for fresh air to be pushed over the cards and hot exhaust air to be pulled from the case faster.
Thankfully this was not a show build, so cable management was not critical.
With the addressable LEDs, we were able to set them up to change with the load of the GPU.
*Future plans are to have them signal a successful crack with a blink or status color change.
After we installed all lower elements, we reinstalled the braces for the GPU mounts in the case and mounted the GPUs to them.
It was finally the moment of truth…the full power cycle. SUCCESS!
Unlike many other hash cracking rigs, we went with a Windows operating system for our base. The primary reason was driver compatibility and future updates with the ASUS Mining Expert Motherboard. The Mining Expert Motherboard has some key features that allow you to better balance the power load between the cards and the motherboard. The second reason for going with Windows was the ability to run applications like AI Suite and MSI Afterburner, which allowed us to tune the memory and core clocks on the cards to overclock them for better performance, while at the same time monitoring current power usage and operating temperatures.
During testing and tuning, we identified a balance between performance and stability/life of the cards. While stress testing the rig over a 24-hour period, max temperatures only reached 70°C. Keep in mind we have one Blower Edition card, which is known to have less effective cooling capabilities as compared to the Founders Edition cards.
Hashmode: 0 - MD5
Speed.#*.........: 121.5 GH/s
Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4096)
Speed.#*.........: 3201.1 kH/s
Hashmode: 1000 - NTLM
Speed.#*.........: 197.8 GH/s
Hashmode: 3000 - LM
Speed.#*.........: 117.6 GH/s
Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS
Speed.#*.........: 119.1 GH/s
Hashmode: 5600 - NetNTLMv2
Speed.#*.........: 10490.8 MH/s
Hashmode: 13100 - Kerberos 5 TGS-REP etype 23
Speed.#*.........: 1917.6 MH/s
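To put the benchmark figures above in password-policy terms, the following added example (not part of the original post) parses the benchmark lines and estimates how long an exhaustive search of a given password length would take at each rate. The 95-character printable ASCII set, the exact-length exhaustive search model and the helper names are assumptions made for illustration.

```python
import re

# Excerpt of the benchmark figures reported on this page.
BENCHMARK = """\
Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4096)
Speed.#*.........: 3201.1 kH/s
Hashmode: 1000 - NTLM
Speed.#*.........: 197.8 GH/s
Hashmode: 5600 - NetNTLMv2
Speed.#*.........: 10490.8 MH/s
Hashmode: 13100 - Kerberos 5 TGS-REP etype 23
Speed.#*.........: 1917.6 MH/s
"""

UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9, "TH/s": 1e12}

def parse_benchmark(text):
    """Return {hash_mode: (name, hashes_per_second)} from benchmark text."""
    rates, mode, name = {}, None, None
    for line in text.splitlines():
        head = re.match(r"Hashmode:\s*(\d+)\s*[-\u2013]\s*(.+)", line)
        speed = re.match(r"Speed\.#[^:]*:\s*([\d.]+)\s*([kMGT]?H/s)", line)
        if head:
            mode, name = int(head.group(1)), head.group(2).strip()
        elif speed and mode is not None:
            rates[mode] = (name, float(speed.group(1)) * UNITS[speed.group(2)])
    return rates

def exhaust_seconds(rate, charset_size, length):
    """Worst-case seconds to try every candidate of exactly `length` characters."""
    return charset_size ** length / rate

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Assumption: 95 printable ASCII characters, lengths 8, 10 and 12.
    for mode, (name, rate) in sorted(parse_benchmark(BENCHMARK).items()):
        row = ", ".join(f"len {n}: {human(exhaust_seconds(rate, 95, n))}" for n in (8, 10, 12))
        print(f"{mode:>6} {name[:30]:<30} {row}")
```

The gap between the fast unsalted modes and the iterated WPA mode, and the jump in search time with each added character, is the practical argument for long service-account passwords and slow key-derivation functions.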
After we completed, tested, tuned and put the hash cracking rig into our environment, we instructed the Red Team on how to securely access it remotely and start utilizing it to crack hashes they captured. The hash cracking rig added value for the team almost immediately.
In the past, we could not effectively crack hashes like Kerberos 5 TGS from SPN ticketing attacks, but our new McCracken rig gives us the ability to run these hashes at a blistering speed. Using the horsepower of our rig has allowed us to crack hashes during engagements that, in previous cases, may not have been possible. Overall, this delivers more value for our customers by letting us accomplish more in less time.
The speed at which the McCracken rig aided our penetration testers’ ability to “pwn” their clients’ networks has made it well worth the research and investment. The new problem we are running into is making time to get everyone’s hashes cracked, as our pen testers are inundated with hashes from multiple engagements going on at the same time – a great problem to have!
Overall, I am very happy with the way the build turned out. We have built a solid structure on a tight budget to continue to expand this hash cracking rig as our team and portfolio expand.