SynerComm's marketing team likes to ask our pentesters for help with their messaging. Like all good hackers, we adapt, automate and improve. So, when we asked our team for some helpful marketing messages, Dylan R. responded within seconds with this.
Password security assessments are important because they help ensure that the passwords being used to protect sensitive information and systems are strong and secure.
Chat GPT - December 2022
In today's digital world, passwords are the primary means of authentication for many online accounts and systems. If a password is weak or easy to guess, it can be vulnerable to attack, allowing unauthorized access to sensitive information or systems. This can have serious consequences, such as data breaches, identity theft, and financial loss.
By conducting a password security assessment, organizations can identify and address any weaknesses in their password policies and practices. This includes identifying and correcting any weak or easily guessable passwords, enforcing password length and complexity requirements, and implementing password expiration and rotation policies.
Overall, password security assessments are a crucial component of an organization's overall security strategy, helping to ensure the confidentiality, integrity, and availability of sensitive information and systems.
Well stated Dylan (or should I say Chat GPT) !!!
A.I. is a powerful tool with endless potential uses. See how SynerComm is using A.I. to enhance our penetration testing and continuous attack surface management (CASM) solutions.
NVIDIA RTX 4090 Unboxing
In February 2017, I co-authored a blog detailing our build of an 8-GPU password cracker. Over the past 8 years, it’s had millions of views and thousands of comments. To all the concerned writers, nothing has melted down and we continue to run 2 nearly identical 8-GPU crackers today. Both are currently running 8 NVIDIA GTX 1080Ti cards.
We also got our hands on one of NVIDIA’s latest cards! We missed the October 12th launch by 9 days but finally found an overclocked Gigabyte GeForce RTX 4090 GAMING OC 24G for sale locally.
Our Goals:
Stay tuned for a future article on our monster RTX 4090 Kracken4 build!!
For our unscientific analysis, we used Hashcat’s NTLM (-m 1000) benchmark (-b) to test our 2 current model cards and the new RTX 4090. This included the NVIDIA GTX 1080Ti, NVIDIA RTX 3090, and NVIDIA RTX 4090.
| Device (as seen by Hashcat) | Hashcat NTLM Benchmark Speed |
|---|---|
| GeForce GTX 1080 Ti, 11039/11178 MB, 28MCU | 66.76 GH/s (28.03ms) |
| NVIDIA GeForce RTX 3090, 23680/24575 MB, 82MCU | 121.2 GH/s (22.55ms) |
| NVIDIA GeForce RTX 4090, 23010/24563 MB, 128MCU | 252.0 GH/s (16.74ms) |
-b and -m 1000 options (-O is applied automatically)When attempting to crack a single NTLM hash using an 8-character brute force crack, the actual average performance was closer to 225 GH/s. Without any tuning and using the latest NVIDIA driver for Windows, the RTX 4090 could brute any 8-character password in approximately 8 hours!
Our early testing shows that the NVIDIA RTX 4090 is a strong contender for high-performance password hash cracking. Despite running the RTX 4090 right out of the box without any tuning on a Windows 11 desktop computer, the cracking performance is amazing. When compared to our current cracking rigs with 8 GTX 1080Ti cards, a single RTX 4090 is roughly 48% as powerful. That makes the RTX 4090 almost 4x faster than the GTX 1080Ti. Stay tuned as we figure out how many 4090’s we can get our hands on and combine into a single cracking rig.
Interested in learning more about SynerComm's password cracking services? Check out this page!
I can remember it like it was yesterday... Casey, Hans, Jason, Scott, Sam, Bill and I were slowly destroying my hotel suite at Circle City Con while trying to win the 2015 CTF. (We took 2nd place and never got our GoPro prize... still sour, can you tell?) Amongst all the teams’ brilliant ideas that evening, was that we really needed a blog. A few hours later, #_shellntel was born.
Our intent was (and still is) to focus on pentesting, hacking and offensive security; we feared that some articles may be too edgy for some corporate/professional readers. Therefore, we separated our #_shellntel articles from other SynerComm blogs. Over the past 7 years, things have changed and today everyone loves pentester articles.
We are grateful for the loyal support of our #_shellntel readers throughout the years. Please continue to read about the latest IT news, tech trends, and cybersecurity threats on our new blog at www.synercomm.com/blog or link directly to our #_shellntel articles at www.synercomm.com/blog/tag/shellntel/. All of our existing content was moved, and all new articles will be published here going forward.
Thank you always,
Brian Judd, VP Information Assurance
SynerComm, Inc.
Warning: This blog contains purposeful marketing and gratuitous plugs for SynerComm’s CASM™ Subscription services. Seriously though, the following article will present the need for better external visibility and vulnerability management.
Whether you are vulnerability scanning to meet compliance requirements or doing it as part of good security practices, there is a universal need. At the time of this article, there are essentially three equally capable and qualified scanning solutions. They include products from Tenable, Rapid7 and Qualys. My point is that each of these scanning solutions, if configured correctly, should produce accurate and similar results. Therefore, as long as your scanning provider is using one of these three solutions, they should be able to detect vulnerabilities. SynerComm starts with a top scanner and then addresses all the gaps that your MSSP is missing.
Vulnerability scanning and analysis is a critical process within all information security programs. Scanners should find missing patches, dangerous configurations, default passwords, and hundreds of other weaknesses. Their technology is based on probing systems over networks and trying to determine if the system exhibits specific vulnerabilities. While the process itself isn’t complicated, many organizations choose to outsource it to a managed service provider. If you need a provider or already have one, it’s time to upgrade to Continuous Attack Surface Management (CASM™).
Vulnerability scanning MSSPs served their role well for many years but failed to keep up. They failed to keep with cloud migrations, failed to keep up with the rate of IT changes, and failed to provide tools that simplify and enable security for their subscribers.
If you’ve ever wondered what your systems and exposures look like to a cyber-criminal, just ask a pentester. SynerComm’s CASM® Engine was originally designed to provide accurate and timely reconnaissance information to our penetration testers. Access to this data and our ‘Findings-Based Reporting’ is available to all CASM® and Continuous Penetration Test subscribers.
Learn more about our Continuous Attack Surface Management and our industry-leading Continuous Penetration Test subscriptions.
| VS-MSSPs | SynerComm CASM® | |
|---|---|---|
| Scheduled Scanning of Known Assets | ✔️ | ✔️ |
| Ad-Hoc (Manual) Scanning | ✔️ | ✔️ |
| 24/7 Online Dashboard Reporting | ✔️ | ✔️ |
| Discovery of New Assets | ✔️ | |
| Elimination of False-Positives | ✔️ | |
| Validated Findings | ✔️ | |
| Risk-Based Customizable Alerts | ✔️ | |
| Access to Penetration Testers | ✔️ |
Coming from someone who can officially say that information security has given me a few gray hairs, I'm writing this article from the perspective of someone who's been around the block. With over 15 years in information security, I feel like I've seen it all. And while I can't claim to be a great penetration tester myself, I can say that I work with (and have worked with) some truly talented pentesters. I can also feel confident stating that I've read more pentest reports than most.
So, having this background… I get asked by businesses and defenders all the time, "What advice would you give?" and, "What lessons can be learned?"
Well, thanks for asking…. (insert deep breath here)
In fact, we've known that passwords are a weak form of authentication since the moment the first password-based authentication system was created. Passwords can be weak for several compounding reasons. Whether it be due to their limited length and complexity (keyspace) or the fact that they can be shared, guessed, written down, or reused, let's face it, they provide almost no security. Until we stop using passwords or ensure that every last account has a strong and unique password that can't be guessed or cracked, we accept significant risk.
(MFA) is not enabled or required for all remote access. While it is almost common place now to find MFA on VPNs, we still find roles, groups, and even URLs allowing MFA to be bypassed. Further, other types of remote access like Citrix and Remote Desktop, Outlook Web Access, and SSH are more overlooked. Remember that when passwords are weak (and they probably are), attackers will be quick to take advantage when MFA is not enforced.
Your mom said it, and now I will too. In SynerComm's reporting, we consider both #1 and #2 to be high-severity findings in our pentest reports. When combined, these result in a critical weakness. Password spraying allows an attacker to easily guess common passwords (think Summer19) and gain immediate access to email and internal networks.
Don't get me wrong, get your EternalBlue and Heartbleed patched, but don't think just because you're well patched that you are secure. Vulnerability scanning is important, but at its best, it discovers live systems, missing patches, default credentials, weak services, and other well-known vulnerabilities. What it doesn't tell you is that your systems may already include a roadmap to access anything and everything on your network.
Pentesters, just like modern attackers, typically don't rely on missing patches to traverse networks, gather privileges, and access protected data. No vulnerability scanner will warn you that all laptops share the same local administrator password or that a domain admin RDP'd into one of them to troubleshoot an issue (and left their cleartext password cached in memory).
Again, don't get me wrong, I am a big fan of solutions like Palo Alto and CrowdStrike. BUT, simply purchasing and deploying these solutions doesn't make your networks and systems more secure. Like any control, all security solutions must be configured, tuned, and VALIDATED.
Lesson #5: It isn't uncommon to find best of breed security controls running in "monitor only" or "log only" state. After all, the easiest way to start is to convert that old layer 3 ASA config and turn on the security features later. And let's not forget that ALL IT EMPLOYEES should always be whitelisted in these controls because we don't need that stuff in our way.
Contractual, industry, and especially regulatory compliance are all important, but don't let compliance get in the way of being secure. Information security programs should be designed to protect the confidentiality, integrity, availability, and usefulness of information; compliance should just be a benefit of good security.
Secure coding isn't a new concept, but the concept is (unfortunately) new still to many developers. Widely-used and commercial off the shelf (COTS) applications are heavily scrutinized, but your applications may be waiting for the right attacker to come along. A lesson worth sharing is that a breach can be far more costly than validating and potentially fixing issues before the attack.
If you've made it to this point, thank you for reading through. This often isn't what people expect to hear or even want to hear, but sometimes honesty can be blunt and surprising. My advice is always start with a solid foundation and then build on it. Use frameworks like the CIS Top 20 to provide a prioritized roadmap and don't get caught skipping ahead. Good security can be as simple as keeping to the basics.
Why? … Stop asking questions!
In February 2017, we took our first shot at upgrading our old open-frame 6 GPU cracker (NVIDIA 970). It served us well, but we needed to crack 8 and 9-character NTLM hashes within hours and not days. The 970s were not cutting it and cooling was always a challenge. Our original 8 GPU rig was designed to put our cooling issues to rest.
Speaking of cooling issues, we enjoyed reading all of the comments on our 2017 build. Everyone seemed convinced that we were about to melt down our data center. We thank everyone for their concern (and entertainment).
"the graphics cards are too close!"
"nonsense. GTX? LOL. No riser card? LOL good luck."
To address cooling, we specifically selected (at the time) NVIDIA 1080 Founders Edition cards due to their 'in the front and out the rear' centrifugal fan design. A couple months after our initial blog, we upgraded from NVIDIA 1080 to NVIDIA 1080 Ti cards. And admitedly, we later found that more memory was useful when cracking with large (>10GB) wordlists.
Shortly after building our original 8 GPU cracker, we took it to RSA and used it as part of a narrated live hacking demo. Our booth was a play on the Warlock’s command center where we hacked Evil Corp from the comfort of Ma’s Basement. (yeah, a bit unique for RSA…)
Kracken 3 - RSA Debut
Our 1st 8 GPU rig built in February 2017
You have a little flexibility here, but we’d strongly suggest the Tyan chassis and Founders Edition NVIDIA cards. The Tyan comes with the motherboard, power supplies (3x), and arrives all cabled up and ready to build. We went with a 4TB SSD to hold some very large wordlists but did not setup RAID with a 2nd drive (yet). Higher CPU speeds and memory mostly help with dictionary attacks; therefore a different build may be better suited for non-GPU cracking.
Tyan B7079F77CV10HR-N
2x Intel Xeon E5-2630 V4 Broadwell-EP 2.2 GHz (LGA 2011-3 85W)
Be sure to get V3 or V4 (V4 recommended to support DDR4 2400 RAM)! *We learned the hard way!
128GB (4 x 32GB) DDR4 2400 (PC4 19200) 288-Pin 1.2V ECC Registered DIMM
Samsung EVO 4TB 2.5” SSD
Ubuntu - 18.04 LTS server (x64)
hashcat - www.hashcat.net
hashview - www.hashview.io
Depends heavily on the current market price of GPUs. ($12K-$17K)
At least the software is all free! And who can put a price on cracking performance?
Despite being a hash munching monster and weighing nearly 100 lbs. when assembled, this build is easy enough for novice.
Tyan B7079F77CV10HR-N
Normally I like to install the CPU(s) first, but I ordered the wrong ones and had to install them 3 days later. Be sure to get V3 or V4 XEON E5 processors, V2 is cheaper but ‘it don’t fit’.
When installing the (included) Tyan heat-sinks, we added a little extra thermal paste even through the heat-sinks already have some on the bottom.
Install memory starting in Banks A and E (see diagram above). CPU 0 and CPU 1 each require matching memory. Memory Banks A-D are for CPU 0 and Memory Banks E-H are for CPU 1. We added 2x 32GB in Bank A and 2x 32GB in Bank E for a total of 128GB RAM.
Install hard drive for (Linux) operating system. We chose a 4TB SSD drive to ensure plenty of storage for large wordlists and optimum read/write performance. The chassis has 10 slots so feel free to go crazy with RAID and storage if you wish.
Prep all 8 GPU cards by installing the included Tyan GPU mounting brackets. They are probably not required, but they ensure a good seat.
Install GPU cards. Each NVIDIA 1080 Ti requires 2 power connections per card. The regular 1080 cards only require 1 if you decide not to go the ‘Ti’ route. Again, Tyan includes all necessary power cables with the chassis.
Connect or insert OS installation media. I hate dealing with issues related to booting and burning ISOs written to USB flash; so we went with a DVD install (USB attached drive).
Connect all 3 power cords to the chassis and connect the other end of each cord to a dedicated 15A or 20A circuit. While cracking, the first 2 power supplies draw 700-900W with a less on the 3rd. They do like dedicated circuits though, it is easy to trip breakers if anything else is sharing the circuit.
Everyone has their own preferred operating system and configuration, so we’ve decided not to go telling you how to do your thing. If you are new to installing and using a Linux operating system, we did include a complete walk-through in our post: How to build a 8 GPU password cracker.
The basic software build steps are as follows:
Install your preferred Linux OS. We chose Ubuntu 18.04 LTS (64 bit - server). Fully update and upgrade.
Prepare for updated NVIDIA drivers:
2a. Blacklist the generic NVIDIA Nouveau driver
sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf" sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf" sudo update-initramfs -u sudo reboot
2b. Add 32-bit headers
sudo dpkg --add-architecture i386 sudo apt-get update sudo apt-get install build-essential libc6:i386
2c. Download, unzip and install the latest NVIDIA driver from http://www.nvidia.com/Download/index.aspx
sudo ./NVIDIA*.run sudo reboot
3. Download and install hashcat from https://hashcat.net/hashcat/
4. (Optional) Download and install hashview from http://www.hashview.io/
Go ahead, run a benchmark with hashcat to make sure everything works!
./hashcat-5.0.0/hashcat64.bin -m 1000 -b
@njoyzrd
About six years ago, social engineering penetration tests became the norm for the A-Team. In many of these tests, our team would attempt as many as 10-20 unique exploits against various applications and operating system functions. This often included exploits against Flash, Java, Adobe Reader, MS Office and IE. While one or two exploit attempts may have succeeded, the majority would fail. When it came time to present our report to the client, it would inevitably focus on the successful compromises and their associated vulnerabilities. In almost every case, our clients would ask about the attacks that failed and what control(s) prevented them.
Consider the following... I email you an infected PDF file with embedded Java script that, if you are running a vulnerable version of Adobe Reader, will provide me a command and control shell. If I get a shell back, I know that the recipient received the attachment, they that opened it, that their system had vulnerable software, and that all of their controls (including security awareness) failed to prevent the infection. However, if I never got a shell, it would be difficult or impossible to determine why the attack failed. It could be that an email gateway (cloud or on premise) blocked the attachment, antivirus software on the Exchange server could have caught it, antivirus on the desktop, end-user security awareness, etc. It's also likely that the end-users’ system was patched for the vulnerability I was trying to exploit. Or, the recipient may have opened the infected document and successfully exploited their system. In this case, egress filters like web gateways, firewalls, and proxies could also have prevented the command and control communications. In any of these cases, I have little or no evidence as to why my attack failed.
It was this problem that lead to a unique and valuable solution: Why not use penetration testing software and exploits to validate controls rather than to just exploit vulnerabilities? We started by just re-sending the same exploits that we attempted during our social engineering penetration tests, but instead of attacking the workstations of unsuspecting end-users, we sent the exploits to our client's IT security staff. Then, while receiving emails with infected attachments and while clicking links to browser-based exploits, our clients would monitor their controls to determine which control successfully prevented each attack. This quickly evolved into much larger groups of exploits and a systematic approach to validating the effectiveness of the technical controls that protect end-user systems.
Today, we refer to this process as a Rapid Hybrid Pentest. Using commercial penetration testing software, like Metasploit and Core Impact, we generate 25-30 unique exploits. The exploits target all of the most common software and include both web-based and email-based attacks. In general, we try to match the exploits up with the vulnerabilities currently being exploited by malware in the wild. We deliver all of the links to our clients and have them click on them one-by-one as they monitor their controls to determine which get caught and which slip through. Within a couple hours, we are able to determine which controls work, which are misconfigured, and which don't work at all. While we've developed this into both a professional service as well as a self-service web application, the process is simple and can be done by anyone with a copy of Metasploit.