Elcomsoft vs. Hashcat Part 2: Workflow, Distributed and Cloud Attacks

November 25th, 2020 by Oleg Afonin
Category: «Clouds», «GPU acceleration», «Tips & Tricks»

The user interface is a major advantage of Elcomsoft tools. Setting up attacks in Elcomsoft Distributed Password Recovery is simpler and more straightforward compared to the command-line tool. In this article, we’ll talk about the general workflow, the use and configuration of distributed and cloud attacks in both products.

We received lots of feedback after publishing the first article in the “Elcomsoft vs. Hashcat” series. We want to thank everyone who commented, and we addressed the comments and questions in a separate article.

Workflow: launching the attack

We have already noted that Hashcat is a command-line tool, while Elcomsoft Distributed Password Recovery is based on the GUI. You’d naturally expect some differences in the workflow, but there’s more to that than meets the eye. The two tools are very different from the get-go.

Hashcat only attacks hashes; hence the name. You cannot just point Hashcat to a ZIP file or a Word document. Instead, you must first run a separate third-party script to extract the hash from the file you’re about to attack. These scripts are not delivered with Hashcat, so you’ll have to look for them and obtain them separately. As an example, when attacking a Microsoft Office document, you must first process the original document with office2hashcat.py.

As you can see, the script is a Python script, which means you’ll have to install Python with a number of modules. On some systems, the pip module installer is not always installed with Python, so you’ll have to obtain and install that (note that the workflow is different for the different host operating systems).

Once you install Python, run the script and extract the hash, you’ll receive the hash string, e.g.

office$*2010*100000*128*16*a1688e8975694550a7a61b5

While “office$*2010” suggests that the hash belongs to a document saved in a certain Microsoft Office format, Hashcat won’t take it for granted. When running the attack, you’ll have to additionally specify the “-m 9500” parameter in the command line, which identifies the hash as an Office 2010 file. Why “9500”? Because RTFM.

Dealing exclusively with hashes has its pros and contras. The obvious drawback is the added complexity. If you have more than a single document (or maybe several thousand files in various formats), setting up the attack can take considerable time. Unless you name the files with hash data properly, you may get lost in which hash belongs to which file.

There is a positive side to hash-only recovery. You can keep the original files and their hashes on different computers or even in different networks. You can extract hashes in one lab and run the attack in another, or even send the hashes to a specialized password recovery service without the risk of leaking any personal or confidential information.

What about Elcomsoft Distributed Password Recovery? When originally released, we aimed for simplicity, allowing to simply open a file to launch the attack, end of story. Distributed Password Recovery is smart enough to analyze the file’s content, automatically detecting the correct file format even if the file was renamed or has no extension.

Since May 2020, we are optionally offering tighter control over personal information with attacks on encryption metadata. If you prefer, you can use the straightforward classic workflow, but you are no longer limited to that. You can also run the included Elcomsoft Hash Extractor tool to extract encryption metadata (a.k.a. hashes) from certain file formats such as password manager databases or the various office documents. For encrypted disks, you’d use Elcomsoft Forensic Disk Decryptor instead, which is also included.

Distributed computing

Just as the name suggests, Elcomsoft Distributed Password Recovery is designed to work on distributed networks from the get-go. Hashcat supports hashtopolis (previously known as hashtopussy), which is a separate project that works as a wrapper to enable distributed computing.

Enabling distributed computing with Hashcat requires installing a server module. The server is designed as a cross-platform module, yet the documentation is completely Linux-centric. In order to install the server module, you will have to ensure that all of the following components are installed and configured:

  • MySQL
  • Apache
  • PHP
  • Perl
  • Python

After installing these packages (either individually or as the lamp-server package), you can install hashtopolis. You must have a clear understanding of Linux administration to install and run hashtopolis. The server can be controlled via the Web interface.

You will also need an agent installed on each computer that will become parts of the distributed network. The agent is a ZIP file that contains an app written in Python. The distribution kit is assembled dynamically for each agent; the server’s IP address will be hard coded.

In order to run each agent, you’ll need the Python environment. As a result, agents are running in the user space. If you were using Windows (which is already unlikely at this point), you’ll have a problem if you want agents running as system services (i.e. without an authenticated user session). Needless to say, you must also install Hashcat on each computer that runs agents, and you have to make sure there are no unresolved issues with the drivers, OpenCL runtimes etc.

To sum it up, Hashcat can work in distributed networks, but rolling out the system is a pain. We found it’s easier to write our own tool instead.

Elcomsoft Distributed Password Recovery installs the server automatically. No configuration is required, but you can do some fine-tuning. Agents can be manually installed or deployed silently over the network through the Windows domain. Once installed, the agents are immediately ready to work with zero configuration required.

Cloud computing

Cloud computing in Hashcat is available through a separate, third-party wrapper called hashtopolis. If you managed to set up and configure hashtopolis on a local computer, you can probably do it in the cloud as well. There are no tools to simplify cloud deployment, so depending on your skills and experience configuring Hashcat to work with cloud instances may take longer than you had originally expected.

Elcomsoft Distributed Password Recovery supports two major cloud providers offering Windows virtual machines: Amazon and Microsoft Azure. We supply a ready-made, prepackaged image that can be deployed into Amazon cloud in several clicks. The agent running in the newly created instance is automatically provided with the server’s IP address.

Installing EDPR agents into Microsoft Azure is also automated. The supplied script will automatically install the latest version of the agent to any number of existing (grouped) instances. The only input required is your Microsoft Azure authentication credentials (the login and password). The installation process is completely transparent.


REFERENCES:

Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »