Password cracking, mining, and GPUs

People imagine that sophisticated hacking requires sophisticated computers. The truth is that almost everything a hacker does can be done with a cheap notebook computer, or even a mobile phone.

The major exception is password cracking, and related crypto tasks like bitcoin mining and certificate forgery. In these cases, a minor investment in hardware can be warranted.

In particular, those who need to crack passwords (pen-testers, sysadmins, hackers) should buy a gaming graphics card in order to speed up cracking. Or, when buying notebooks for pen-testing, they should choose those with graphics processors.

GPU cracking for $250

ATI and nVidia have just shipped their spring refresh cards. Both now sell an essentially top-of-the-line card for $250 (either the ATI HD 4590 or the nVidia GTX 275). If you do password cracking for pentests, you might want to pick up a few of these cards.

Both would be an excellent card to buy for password cracking. Either would increase password cracking speed by around 10x. I prefer the nVidia card because the CUDA programming support is easier to work with, but I suspect the ATI card may be slightly faster for crunching numbers.

Note the way I say "top-of-the-line". For graphics, the more expensive GTX 285 is better than the GTX 275. However, both cards have the same number of "stream processors" at roughly the same clock speed. Therefore, both should crack passwords at the same speed. What makes the GTX 275 cheaper is the fact that it less backend graphics resources (fewer raster units, slower memory speed, narrower memory bandwidth, smaller frame buffer). We don't care about these other graphics resources -- all we care about is the number of "stream processors" and how fast they run.

Graphics cards are for cracking

I finally got around to testing Elcomsoft's WPA password cracking. If you'll remember, Elcomsoft announced last month that they could use the graphic card to crack WPA passwords 100 times faster than with a normal processor. I found it’s not 100 times faster, but the acceleration is significant enough that if you do WiFi pentesting, you should probably get a graphics card to speed this up.

I ran their software on a number of systems. A screen shot of the results are below:
The systems are:

• "Core2Duo-GT260" is a nVidia GT260 GPU, w/ Core 2 Duo 3.0-GHz
  
• "Core2Quad" is a Core 2 quad 2.4-GHz.
  
• "EEE901" is an an Intel Atom 1.6-GHz dual-threaded.
  
• "MacBookAir" is using the nVidia 9400m GPU, w/ Core 2 Duo 1.86-GHz
  
• "Pentium3-400MHz" is using Intel Pentium III 400MHz single core CPU

Using the nVidia GT260 graphics card, the system could test roughly 10-thousand password hashes-per-second. A cheap quad-core CPU can only do about 1-thousand password hashes-per-second. This is not the 100-fold speed-up promised, but it is an impressive 10-fold speed-up.

I tried out some other processors as well. Intel has shipped a new extremely-mobile processor (intended for cell-phones) called the "Atom". It has roughly a tenth the CPU power of the desktop processor.

A tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes-per-second, but the Core 2 Duo could do around 400 hashes-per-second.

Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors:

In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from Newegg for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it.

Elcomsoft currently cannot handle different cards. Therefore, when cracking software on a MacBook Pro (which has a 9400m and a 9600m), you won’t be able to use both simultaneously.