Wednesday, August 22, 2012

Pentesters: Amazon EC2 or GPUs for password cracking?

Q: Should pentesters use Amazon EC2 to crack passwords? A: Probably not.

Amazon’s “cloud computing” seems perfect for pentesters for cracking passwords for three reasons.

(1) Accounting. Pentesters can simply stick the Amazon EC2 costs onto the bill they charge customers. If they use their own hardware, they have to figure out how to amortize the cost a cross many customers.
(2) Usage pattern. Pentesters only need the compute power the day they are cracking passwords, at which point they need a lot of hardware. That’s only a few days a year, the hardware will remain unused the rest of the time. This fits Amazon’s usage model of paying only for the compute power that use.
(3) Sheer power. In theory, a pentester can apply all the idle power of Amazon’s computers to the problem, which could expand to 100,000 machines. That’s an impressive amount of compute power.

This is all very impressive, but there is the problem of cost. Amazon is really built for things like websites, not “integer computation”. Thus, while so much of the Amazon model fits the password cracking model, this one difference defeats it.

Consider employing Amazon instances equivalent to 1000 desktops. This costs $1/hour per instance, or $1000/hour. The same password cracking power can be had with 25 GPUs costing $430 each, or $12000 total.

That means after only 12 hours of password cracking, owning your own GPU becomes more cost efficient than using Amazon EC2 instances.

Amazon also provides GPU instances, but the situation doesn’t change much. Amazon uses older Tesla GPUs, whose hardware cost is 10 times that of the latest gaming GPU, but perform a tenth as fast for password cracking. (They are optimized for floating point, not integer calculations). That’s a 100 to 1 cost difference working against you.

So the upshot is this: for pentesters, buying a new GPU for the job and throwing it away at the end will crack more passwords than the equivalent money spent on Amazon EC2 instances.

Also, as I’ve mentioned elsewhere, the exponential nature of brute-force cracking defeats the idea of simply throwing more hardware at the problem. What cracks passwords is having a solid word list and good rules for mutating those words, not massive hardware. The marginal benefit of some hardware (like buying a GPU) is clearly worth it, but the marginal benefit of even more hardware is rarely worth the trouble.

Thus, as a pentester, you should have a desktop with one or two of the latest GPUs, but you shouldn’t worry much past that point.

Update: An alternative is something like, which is priced better to do what you want. This is especially true when calculating your own labor: managing your own cracking jobs will take an hour of your time, which you bill to customers. Using a cloud-cracking service means launching the cracking job, then playing Angry Birds for an hour.


guly said...

not speakin about rainbowtables/wordlists: you also have to pay for terabytes of storage, even if it's cents, and upload bandwidth.

Steven Alexander said...

Rainbow tables aren't all they are cracked up to be. They don't work with salts, are less effective than brute force for a large number of accounts, and aren't as flexible as word lists + rules/mutations.

TBone said...

Wouldn't it make more sense to use AWS Elastic Mapreduce instead of raw EC2 instances? EC2 instances aren't really designed for this kind of work, and you don't need entire virtual hosts anyway.

Alex said...

To be fair, a cluster of 26 cluster GPU Spot instance (52 GPU tesla total) will cost around 300$ per day plus network traffic

lol hipsters said...

Amazon EC2 is more expensive for pretty much everything so this is not surprising.

Anonymous said...

If you're doing a lot of this (ie continuous) then at some point your power bill will start showing.