Webcast: Thrift Store Cracking Server: Popping Hashes Guide

Author: Secure Ideas

(Image was generated by Stable Diffusion, and is not an accurate representation of our cracking server.)

In penetration testing, collecting and cracking password hashes is an inevitable task. Whether conducting web application testing, uncovering symmetric secrets for JSON Web Tokens (JWTs), or engaging in network penetration testing within an internal network, cracking passwords is an invaluable step in the process. Despite numerous resources offering recommendations for assembling a password cracking machine, there is a scarcity of comprehensive build guides for existing password cracking servers, especially for those operating on a smaller budget but trying to get the best bang for their buck.

Join Doug Bigalke and Alex Rodriguez as they delve into this topic and more during the Thrift Store Cracking Server: Popping Hashes Guide webcast.

Thrift Shopping with Performance in Mind

In 2021, with a budget of approximately $12,000, Doug and Alex built two password cracking rigs, focusing on optimizing performance while keeping the approach cost-effective. Another key goal in their planning was to accommodate future GPU upgrades. Operating in a fully remote capacity, Alex prioritized the ability to manage servers from a distance and urged hardware choices aligned with this goal. From a software perspective, they implemented a scarcely discussed technique, PCIe pass-through, and their benchmarks showed it was on par with most hardware configurations. They were also able to leverage Infrastructure as Code (IaC) using Ansible to ensure this process was repeatable.

Webcast Highlights

  • Requirements Overview: Explore the real-world requirements and initial project objectives that shaped the journey.
  • Hardware Insights: Dive into the thoughtful decision-making process behind the hardware selections.
  • Software Techniques: Uncover the novel and performance-driven techniques employed, with a brief mention of repeatability through IaC.
  • Day 2 Operations and Future Improvements: Delve into the ongoing maintenance, periodic challenges, and future enhancements.

Target Audience

While this isn't a comprehensive list, these are some of the people we had in mind when creating this presentation.

  • Security Professionals (red team members from an offensive perspective, blue team members focused on password auditing)
  • Hobbyists interested in building cracking rigs
  • System Administrators handling ML/AI workloads
  • Anyone seeking an understanding of the requirements for password cracking servers

Watch the full recording of Thrift Store Cracking Server: Popping Hashes Guide.

Want to know how well your passwords hold up?

Password cracking is a standard part of our network penetration tests. Our team can show you which accounts are vulnerable and help you build stronger password policies. Reach out to discuss a security assessment.
