Full Report
A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords. [...]
Analysis Summary
# Tool/Technique: GPU-Accelerated Password Cracking
## Overview
Password cracking is the offline recovery of plaintext passwords from stolen hash values: the attacker generates candidate passwords, hashes each one the same way the target system did, and compares the result with the stolen digest. Because every candidate is independent, the work parallelizes almost perfectly, so attackers use high-performance hardware, primarily Graphics Processing Units (GPUs), to run billions of guesses per second. This specific analysis compares high-end AI enterprise accelerators (Nvidia H200, AMD MI300X) against consumer-grade hardware (Nvidia RTX 5090) to determine which is more effective for this kind of attack.
## Technical Details
- **Type:** Technique / Tool (Hashcat)
- **Platform:** Windows, Linux, macOS (Cross-platform)
- **Capabilities:** High-speed cryptographic hashing, brute-force, dictionary attacks, and rule-based attacks.
- **First Seen:** Hashcat was initially released in 2009; GPU acceleration has been a standard attacker technique for over a decade.
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- **[T1110 - Brute Force]**
- **[T1110.002 - Password Cracking]** (offline; distinct from online guessing in T1110.001/.003)
- **[T1003 - OS Credential Dumping]**
- **[T1003.001 - LSASS Memory]** and **[T1003.003 - NTDS]** (the hash-theft step that feeds offline cracking)
- **[TA0007 - Discovery]**
- **[T1083 - File and Directory Discovery]** (often used to locate shadow files or NTDS.dit)
## Functionality
### Core Capabilities
- **Massive Parallelization:** Leverages thousands of GPU cores to perform simultaneous hash calculations.
- **Multi-Algorithm Support:** Hundreds of hash modes selected by number (e.g. `-m 1000` for NTLM), including MD5, NTLM, SHA-256, SHA-512, and bcrypt.
- **Benchmarking:** Built-in tools to measure hashes-per-second (H/s, MH/s, GH/s) for specific hardware.
### Advanced Features
- **Salt Handling:** Salted hashes are supported. A salt does not slow down an individual hash computation; it defeats precomputed tables and forces every target hash to be attacked separately, so cracking N salted hashes costs roughly N times the work of cracking N unsalted ones. The slowness associated with bcrypt comes from its tunable work factor, not from its salt.
- **Multi-GPU and Distributed Cracking:** A single hashcat instance drives every GPU in a rig; spreading one job across several rigs needs a coordinator (for example Hashtopolis) and scales total hashrate roughly linearly with the number of cards.
- **Rule-based Engines:** Candidate generation by applying mangling rules (capitalize, append digits or symbols, leetspeak substitutions) to dictionary words, which reproduces exactly the variations users adopt to satisfy complexity requirements.
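The wordlist-plus-rules model and the salt behaviour described above, as an added example that is not hashcat's own code: a Python implementation of a handful of hashcat rule functions (`:`, `l`, `u`, `c`, `t`, `r`, `d`, `$X`, `^X`, `sXY`, `]`, `[`) driven against constructed SHA-256 targets. SHA-256 stands in for any fast hash; the wordlist, rules, usernames and salts are made up for the example. The salted variant shows why a per-user salt forces a separate pass per target even though the hash itself is no slower.

```python
"""hashcat-style rule engine and wordlist attack against fast hashes.

Added example, not hashcat's own code. SHA-256 stands in for any fast hash
(NTLM, MD5, ...). Wordlist, rules, usernames and salts are constructed.
"""
import hashlib


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat rule line (space-separated functions) to a word."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == ":":                      # no-op: pass the word unchanged
            continue
        if op == "l":                      # lowercase all
            word = word.lower()
        elif op == "u":                    # uppercase all
            word = word.upper()
        elif op == "c":                    # capitalize first char, lowercase rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":                    # toggle case of every character
            word = word.swapcase()
        elif op == "r":                    # reverse
            word = word[::-1]
        elif op == "d":                    # duplicate the whole word
            word = word * 2
        elif op == "$":                    # $X: append X
            word = word + arg
        elif op == "^":                    # ^X: prepend X
            word = arg + word
        elif op == "s":                    # sXY: replace every X with Y
            word = word.replace(arg[0], arg[1])
        elif op == "]":                    # delete last character
            word = word[:-1]
        elif op == "[":                    # delete first character
            word = word[1:]
        else:
            raise ValueError(f"unsupported rule function {func!r}")
    return word


def candidates(wordlist, rules):
    """Yield each distinct word x rule product once (hashcat's -a 0 -r loop)."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack_unsalted(targets, wordlist, rules):
    """targets: {digest: username}. One hash per candidate covers every target."""
    found, hashes_computed = {}, 0
    for cand in candidates(wordlist, rules):
        hashes_computed += 1
        digest = sha256_hex(cand)
        if digest in targets:
            found[targets[digest]] = cand
    return found, hashes_computed


def crack_salted(targets, wordlist, rules):
    """targets: {username: (salt, digest)}. Each salt needs its own pass."""
    found, hashes_computed = {}, 0
    cands = list(candidates(wordlist, rules))
    for user, (salt, digest) in targets.items():
        for cand in cands:
            hashes_computed += 1
            if sha256_hex(salt + cand) == digest:
                found[user] = cand
                break
    return found, hashes_computed


# Constructed sample data for the example.
WORDLIST = ["password", "welcome", "summer"]
RULES = [":", "c", "c $1", "c $1 $!", "sa@ so0", "u"]
PLAINTEXTS = {"alice": "Password1!", "bob": "Welcome1", "carol": "Tr0ub4dor&3"}
UNSALTED_TARGETS = {sha256_hex(p): u for u, p in PLAINTEXTS.items()}
SALTS = {"alice": "a1", "bob": "b2", "carol": "c3"}
SALTED_TARGETS = {u: (SALTS[u], sha256_hex(SALTS[u] + p)) for u, p in PLAINTEXTS.items()}

if __name__ == "__main__":
    found, n = crack_unsalted(UNSALTED_TARGETS, WORDLIST, RULES)
    print(f"unsalted: {found} after {n} hashes")
    found, n = crack_salted(SALTED_TARGETS, WORDLIST, RULES)
    print(f"salted:   {found} after {n} hashes")
```

With three stolen hashes the unsalted run computes 17 hashes (one per distinct candidate) and recovers two passwords; the salted run needs 30 for the same result, and the gap grows linearly with the number of targets. Real rule files such as hashcat's `best64.rule` contain the same kind of functions, just many more of them.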
## Indicators of Compromise
*Note: The cracking itself runs on attacker-controlled hardware and leaves no trace on the victim. Indicators therefore come from the credential-theft stage that feeds it (hash dumping and staging) or from cracking tools found on a compromised host.*
- **File Names:** `hashcat.exe`, `hashcat64.bin`, `john.exe` (John the Ripper).
- **Behavioral Indicators:**
- Presence of `NTDS.dit` or `SYSTEM` registry hives in unusual staging locations.
- Sustained 100% GPU utilization on non-rendering/non-AI production servers.
- Use of `vssadmin create shadow` or `ntdsutil ... ifm` to snapshot the `NTDS.dit` database together with the `SYSTEM` hive (which holds the boot key needed to decrypt it) for offline extraction.
## Associated Threat Actors
- Offline cracking of stolen hashes is commodity tradecraft used by APT groups and ransomware operators alike, including but not limited to:
- **Lapsus$**
- **FIN7**
- **LockBit** affiliates (for internal lateral movement)
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized attempts to access the Local Security Authority Subsystem Service (LSASS) or the extraction of the Active Directory database (`NTDS.dit`).
- **Audit Logs:** Event ID 4625 (Failed Logon) catches online guessing (T1110.001/.003), not offline cracking: once the hashes have left the network, no authentication events are generated until the attacker uses a recovered password. The first victim-side signal is then usually a successful logon (Event ID 4624) for the cracked account from an unfamiliar host or at an unusual time.
- **EDR Alerts:** Detection of known cracking tool strings or the execution of tools like Impacket or Mimikatz used to harvest the hashes initially.
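Turning the behavioral indicators and detection methods above into something that runs: an added example, not from the article or any vendor, that triages Windows process-creation command lines (Event ID 4688 or Sysmon Event 1) for the hash-theft stage that precedes offline cracking, plus the presence of a cracking binary on a host. The event records below are constructed, and the `host`/`user`/`cmd` fields are this example's simplification of the real event schema.

```python
"""Triage process-creation events for hash dumping and cracking-tool activity.

Added example. Event records are constructed; `host`, `user` and `cmd` are a
simplified view of Event ID 4688 / Sysmon Event 1 fields.
"""
import re
from collections import defaultdict

# Each rule names one stage of the credential-theft chain. The offline
# cracking itself happens on attacker hardware, so only its precursors (and
# tools left behind on a compromised host) are observable in these events.
RULES = [
    ("shadow_copy_created",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds_snapshot_via_ntdsutil",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac\s+i\s+ntds|create\s+full)\b", re.I)),
    ("ntds_or_hive_read_from_shadow_copy",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\\(ntds\.dit|system|sam)\b", re.I)),
    ("registry_hive_saved",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("cracking_tool_executed",
     re.compile(r"(^|\\)(hashcat|hashcat64|john)(\.exe|\.bin)?\b", re.I)),
]


def triage(events):
    """Return (host, user, label) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for label, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], label))
                break                      # one label per event is enough for triage
    return hits


def stages_per_host(hits):
    """Group distinct stages by host; several stages on one host is the strong signal."""
    stages = defaultdict(set)
    for host, _user, label in hits:
        stages[host].add(label)
    return dict(stages)


# Constructed sample events: a full NTDS.dit theft on a DC, a SAM dump on a
# workstation, a cracking run on a GPU box, and two benign processes.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": r"CORP\svc-backup",
     "cmd": r"C:\Windows\System32\vssadmin.exe create shadow /for=C:"},
    {"id": 4688, "host": "DC01", "user": r"CORP\svc-backup",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q'},
    {"id": 4688, "host": "DC01", "user": r"CORP\svc-backup",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"},
    {"id": 4688, "host": "WS042", "user": r"CORP\jdoe",
     "cmd": r"reg.exe save hklm\sam C:\Users\Public\sam.hiv"},
    {"id": 4688, "host": "WS042", "user": r"CORP\jdoe",
     "cmd": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"id": 4688, "host": "GPU-RENDER-07", "user": r"CORP\render",
     "cmd": r"D:\tools\hashcat.exe -m 1000 -a 0 ntds.txt rockyou.txt -r best64.rule"},
    {"id": 4688, "host": "DC01", "user": "SYSTEM",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, user, label in hits:
        print(f"{host:14} {user:18} {label}")
    for host, stages in stages_per_host(hits).items():
        print(f"{host}: {len(stages)} stage(s): {sorted(stages)}")
```

Five of the seven events are flagged; the two benign ones are not. The per-host grouping is what makes this usable: three distinct stages on `DC01` within one session is a far stronger signal than any single `vssadmin` invocation, which backup software also produces.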
## Mitigation Strategies
- **Algorithm Upgrading:** Where you control the storage format, move away from fast hashes (MD5, NTLM) to slow, tunable algorithms: Argon2id (memory-hard) or bcrypt with a high cost factor. Where the platform dictates the hash, as with NTLM in Active Directory, the algorithm cannot be changed and the controls below have to carry the load.
- **Password Length:** Enforce long passphrases (15+ characters). The article notes length is the most effective defense against raw GPU power, and the arithmetic explains why: a faster GPU divides the time-to-crack by a constant factor, while every additional character multiplies the search space by the size of the alphabet.
- **Multi-Factor Authentication (MFA):** Renders a cracked password insufficient on its own for initial or lateral access.
- **Credential Protection:** Windows Defender Credential Guard isolates the secrets LSASS holds (NTLM hashes, Kerberos tickets) so tools like Mimikatz cannot read them from memory. It does not protect `NTDS.dit` on domain controllers, so DC hardening and monitoring for shadow-copy and `ntdsutil` abuse remain necessary.
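The length-versus-hardware argument above, worked through as an added example that is not from the article: a small model of exhaustive-search time for a full printable-ASCII policy at several lengths, on a consumer card and on a hypothetical card twice as fast, and against bcrypt at a realistic cost factor. The hash rates are assumed orders of magnitude chosen for illustration, not benchmark figures from the article; the conclusions depend only on the ratios.

```python
"""Why password length beats cracking hardware: a keyspace and time model.

Added example, not from the article. The hash rates below are assumed,
illustrative orders of magnitude, not benchmark results.
"""

PRINTABLE_ASCII = 95                     # alphabet of a "full complexity" policy
SECONDS_PER_YEAR = 365.25 * 86400
CONSUMER_FAST_HASH_RATE = 2.0e11         # H/s vs a fast unsalted hash, assumed
EXOTIC_FAST_HASH_RATE = 2 * CONSUMER_FAST_HASH_RATE   # a card twice as fast, assumed
BCRYPT_RATE_AT_COST_5 = 2.0e5            # H/s, assumed; bcrypt benchmarks are quoted at cost 5


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a charset/length policy."""
    return charset_size ** length


def years_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate."""
    return space / hashes_per_second / SECONDS_PER_YEAR


def bcrypt_effective_rate(rate_at_cost_5: float, cost: int) -> float:
    """bcrypt doubles its per-hash work for every +1 in cost."""
    return rate_at_cost_5 / 2 ** (cost - 5)


def min_length_for(charset_size: int, hashes_per_second: float, years: float) -> int:
    """Shortest length whose keyspace cannot be exhausted at this rate within `years`."""
    budget = hashes_per_second * years * SECONDS_PER_YEAR
    length = 1
    while charset_size ** length <= budget:
        length += 1
    return length


def compare_policies(lengths=(8, 9, 12, 15)):
    """Rows of (length, years on consumer card, years on exotic card, years vs bcrypt cost 12)."""
    rows = []
    for n in lengths:
        space = keyspace(PRINTABLE_ASCII, n)
        rows.append((
            n,
            years_to_exhaust(space, CONSUMER_FAST_HASH_RATE),
            years_to_exhaust(space, EXOTIC_FAST_HASH_RATE),
            years_to_exhaust(space, bcrypt_effective_rate(BCRYPT_RATE_AT_COST_5, 12)),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'consumer':>12} {'exotic':>12} {'bcrypt c=12':>14}  (years, exhaustive)")
    for n, consumer, exotic, slow in compare_policies():
        print(f"{n:>3} {consumer:>12.3g} {exotic:>12.3g} {slow:>14.3g}")
    print("min length to survive 10 years at 1e12 H/s:",
          min_length_for(PRINTABLE_ASCII, 1e12, 10))
```

Two things fall out of the table: doubling the hardware halves every row, while adding one character to the policy multiplies every row by 95, so a 9-character password on the slower card outlasts an 8-character one on the faster card by two orders of magnitude. And moving the same 8-character space from a fast hash to bcrypt at cost 12 buys far more than any card swap, which is why the algorithm choice matters wherever the defender actually gets to make it.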
## Related Tools/Techniques
- **Hashcat:** The primary tool mentioned for GPU-based cracking.
- **John the Ripper:** A versatile tool for password cracking.
- **Mimikatz:** Used to extract hashes (NTLM) from memory for later cracking.
- **Impacket (secretsdump):** Commonly used to dump hashes remotely from domain controllers.