Skip to content

Instantly share code, notes, and snippets.

Last active August 24, 2023 14:24
Show Gist options
  • Save 7MinSec/0709b30653008df864b886b750bc42ce to your computer and use it in GitHub Desktop.
Save 7MinSec/0709b30653008df864b886b750bc42ce to your computer and use it in GitHub Desktop.
Password cracking in the cloud

Update 8/24/23:

I now do password cracking in the cloud using a suped up AWS rig. More details here.

This document is under construction, but is intended to get you up and running quickly with cracking hashes in the cloud using the Paperspace service.

Resources used for this article:

Setting up a cracking box using Paperspace

Get your Linux VM up and running

From Paperspace, choose the Ubuntu server option that has:

  • 8 CPU
  • 30 GB RAM
  • 50 GB HD
  • Quadro P6000 card

Note that when you spin this up it's SSHable from anywhere in the world so you might want to lock it down with an ACL. I also elected to pay the extra buck a month for a static IP.

Run this script to get the core updates and tools installed:

sudo dpkg --remove-architecture i386   
sudo apt-get update
sudo apt-get upgrade -y
sudo apt install ocl-icd-libopencl1 git build-essential -y
sudo git clone /opt/hashcat
cd /opt/hashcat
sudo git submodule update --init
sudo make
sudo git clone /opt/hashcat-utils
cd /opt/hashcat-utils/src
sudo make
sudo cp *.bin ../bin
cd /tmp
# For the next command go to the NVidia site and ensure you're downloading the latest Linux drivers
sudo wget
sudo chmod +x ./
sudo ./
  • Accept the agreement
  • At the error about "nvidia-installer was forced to guess" error hit OK.
  • At the error about "unable to find suitable" hit OK.
  • At the "Would you like "nvidia-xconfig utility to..." hit YES
  • At the "Your x configuration file has been successfully updated" hit OK

Then check out your Hashcat benchmarks:

sudo hashcat -b to see all benchmarks

sudo hashcat -b -m 1000 to see just, for example, NTLM hash crack rate.

Install hate_crack

sudo git clone /opt/hatecrack

Get some wordlists

sudo mkdir /opt/wordlists
cd /opt/wordlists
# Get the popular wordlists from Daniel Miessler
sudo git clone /opt/wordlists/
cd /opt/wordlists
# Get the "human only" list of passwords from
sudo wget
sudo gunzip crackstation-human-only.txt.gz
sudo rm crackstation-human-only.txt.gz
sudo mv crackstation-human-only.txt /opt/wordlists/Passwords

Note: I've had issues getting Crackstation wordlists to import correctly (see later in this article), so during my last crack box build in June, 2020, I skip these.

# Get the base password list from
sudo wget
sudo gunzip crackstation.txt.gz
sudo rm crackstation.txt.gz
sudo mv crackstation.txt /opt/wordlists/Passwords

Note: in Dec of 2019 I built a cracking box from scratch, and found the crackstation lists would not parse properly when fed through the (a little further down this tutorial). If you find that the case, just delete those two text files before running the wordlist optimizer

# Get rockyou.txt ready to rock
cd /opt/wordlists/Passwords/Leaked-Databases
sudo tar xvzf rockyou.txt.tar.gz
sudo mv rockyou.txt ..
rm rock*.gz

# Get latest Pwned Passwords list from
Go to the "leaks" area, search for "pwned" and you should find various versions of the Pwned Passwords database to download in plain text
# Get the breachcompliation database
Download it via Magnet/Torrent here:

Note: in June, 2020 I had issues getting this file, and if you look at the gist you'll see others are as well. I didn't spend too much time troubleshooting. Just moved on.

# Consolidate all downloaded wordlists into one "master" text file
cd /opt/wordlists
sudo ls -rt -d -1 $PWD/Passwords/*.txt > $PWD/Passwords/wordlists.txt

Note: on my last build of a cracking box, the running of (a little further down this tutorial) would yield an out of memory error. I got around this by running the optimizer once with all wordlists except the breachcompliation database, then once again with just the breachcompliation database.

**Note 2: during my last crack box build in June, 2020, I kept my wordlist pretty simple. My wordlists.txt looks like this:


Open the hatecrack config.json and adjust hcatPath, hcatBin, hcatWordlists and hcatOptimizedWordlists paths. Also adjust the .app extensions to be .bin:

  "hcatPath": "/opt/hashcat",
  "hcatBin": "hashcat",
  "hcatTuning": "--force --remove",
  "hcatWordlists": "/opt/wordlists/Passwords/",
  "hcatOptimizedWordlists": "/opt/wordlists/optimized",
  "hcatDictionaryWordlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatCombinationWordlist": ["/opt/wordlists/Passwords/rockyou.txt","/opt/wordlists/Passwords/rockyou.txt"],
  "hcatHybridlist": ["/opt/wordlists/Passwords/rockyou.txt"],
  "hcatMiddleCombinatorMasks": ["2","4"," ","-","_","+",",",".","&"],
  "hcatMiddleBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatThoroughCombinatorMasks": ["0","1","2","3","4","5","6","7","8","9"," ","-","_","+",",","!","#","$","\"","%","&","'","(",")","*",",",".","/",":",";","<","=",">","?","@","[","\\","]","^","`","{","|","}","~"],
  "hcatThoroughBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatGoodMeasureBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "hcatRules": ["best64.rule","d3ad0ne.rule", "T0XlC.rule", "dive.rule"],
  "hcatPrinceBaseList": "/opt/wordlists/Passwords/rockyou.txt",
  "pipalPath": "/path/to/pipal"

Open and change the splitlen/rli extensions to be .bin:

splitlen_bin = "/opt/hashcat-utils/bin/splitlen.bin"
rli_bin = "/opt/hashcat-utils/bin/rli.bin"

Now create some optimized word lists:

sudo mkdir /opt/wordlists/optimized
sudo python3 /opt/hatecrack/ /opt/wordlists/Passwords/wordlists.txt /opt/wordlists/optimized

Note: last time I ran this I had to run it with python3.

Run hatecrack!

Here's an example where I crack a text file full of NTLM hashes:

sudo python /opt/hatecrack/hatecrack /crackme/big-bucket-of-hashes.txt 1000

Follow the rest of the hatecrack read me, and have fun!

Reassemble AD -> user password mappings

If you've followed my gist on dumping a backup of AD hashes and then cracked a list of just hashes, you may want the ability to come back in later and reconnect the relationship between hash and user. Thanks to my pal hackern0v1c3, he created a perfect tool for the job here. Oh, and if you need to take the output of a dump from something like and turn it into something hash_combiner can chew on, try this:

cat secrets_dump.txt |cut -d'\' -f2 | cut -d':' -f1,4 > secrets_dump_reformated.txt


Capturing/cracking WPA handshakes

First capture the handshake. Then convert the .cap to hccapx format with:

/opt/hashcat-utils/bin/cap2hccapx.bin NAME-OF-YOUR.cap NAME-OF-YOUR.hccapx

Then see this page to see all the different ways you can attack the handshake (dictionary, brute-force, etc.). One example of a dictionary attack is:

hashcat.exe -m 2500 NAME-OF-YOUR.hccapx rockyou.txt

Or if using hatecrack:

/opt/hatecrack/ /NAME-OF-YOUR.hccapx 2500

Monitoring your crack jobs

I found that this script is really helpful for monitoring changes to the hashcat.pot file and then triggering an action of your choice.

For example, you could save the mikedmullin script as and then have a command like this: /opt/hashcat/hashcat.pot /scripts/

The would contain the commands you'd want to have run once a change to the hashcat.pot file was detected.

Copy link

yg-ht commented Nov 11, 2020

Hey, I forked your Gist and made a minor update to deal with blacklisting Nouveau drivers and thought you might be interested in incorporating it into yours
Thanks for your work on this!

Copy link

7MinSec commented Dec 12, 2020

Sorry this took me foreeeeeeever to respond but nice work - I know some folks I'm going to point to your gist. Have a great weekend!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment