With one "extracurricular" project winding up, I figured it was time to start the next one, and playing with the new crop of GPUs for hash and password cracking seems like a fun way to go. At first glance, using specialized hardware like a GPU would mean working on a physical machine, and that using a VM is not in the cards. Not so: it's actually pretty easy to make it fly in a VM with a bit of planning. For me, it also means that I don't need to find a spot for a new server. First of all, you'll need a short list of "must haves":
For folks like me that are on a budget, there are two main choices in GPUs - NVIDIA and AMD.
While both of these cards perform great for graphics, the AMD has an edge in crypto work - it seems to have better integer computing support, so tools like Hashcat or John the Ripper tend to run quicker. So, once all the prerequisites are in place, we're ready to go.
1/ First, install your card.
2/ Next, over to ESXi, we'll need to enable Device Passthrough (VT-d) for our new device. You'll find this in Server Settings / Advanced / Edit. Select the new card (which also selects the PCIe slot that it's in), and save. You'll need to reboot the server after this is done.
3/ Next, over to our VM. We'll go to the "Edit Settings / Add Hardware" screen, and add this new PCI device. Once this is done, vMotion and HA will no longer be possible for this VM, since it's tied to a specific PCIe slot in the server. Even a cold migrate (migration with the VM powered off) will involve some jumping through hoops - removing the card, migrating, then re-adding the card after the migrate (you'll of course need identical hardware on the destination server once the migration is complete).
Just for fun, I installed the identical setup on a similar but PHYSICAL machine (3.5 GHz i7 quad core, as opposed to the 3.3 GHz XEON quad in my ESXi server). You can see from the table below that the throughput on hash calculations is very close, with the i7 setup a bit slower. It's in situations like this where you'll see the features in "server class" processors make a difference - things like larger CPU cache, for instance. My ESXi server was running my kid's Minecraft server (with him and all his friends on it), plus we were streaming video off of another VM running DLNA services for our TV, and hashcat in the VM is still consistently faster than the physical host running a workstation CPU of similar specs. The numbers for both the physical and virtual servers are shown below. From this, we can draw a few critical conclusions:
Rob VandenBrink 579 Posts ISC Handler Sep 5th 2013
I don't remember where I read it, but PBKDF2 is also great because it's very slow compared to the MD5/SHA1/2/3 family. The hashcat guys tested it and it was running in the thousands per second (not millions or billions).
Unfortunately there's no way to use this algorithm where we need it most, afaik: Windows AD or openldap.
Chris 12 Posts
Sep 7th 2013
I have two observations.
1. I&A needs to become more modular, again *nix in general sets a good example with the pam structure. Windows AD could vastly benefit here. Openldap theoretically could adapt faster.
2. If GPUs are being leveraged by cracking practitioners to leap ahead of secured authentication storage, then why are GPUs not used to enhance secure authentication storage? Time to start some R&D. How large of a key/salt can I use without impacting operations? Storage is cheap, GPU cycles are cheap, why not?
G.Scott H. 48 Posts
Sep 7th 2013
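
The trade-off raised in the two comments above (PBKDF2's deliberate slowness, and how much work factor you can afford "without impacting operations"), as an added example that is not part of the original thread: it calibrates a PBKDF2-HMAC-SHA256 iteration count to a login latency budget on the authenticating host, stores it in the record so it can be raised later, and measures how much costlier each guess becomes than a single SHA-256. The record format, function names and the 0.1 s budget are assumptions for illustration, and it applies to password stores you control, not to AD or OpenLDAP.

```python
import hashlib
import hmac
import os
import time

PROBE = 20_000  # iterations used for the timing probe, also the floor (assumed value)

def calibrate_iterations(target_seconds=0.1):
    """Scale a timed probe to the iteration count costing ~target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", os.urandom(16), PROBE)
    elapsed = time.perf_counter() - start
    return max(PROBE, int(PROBE * target_seconds / elapsed))

def hash_password(password, iterations):
    """Return a self-describing record so the work factor can be raised later."""
    salt = os.urandom(16)  # unique per password, defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def needs_rehash(record, current_iterations):
    """True when a stored record predates the current work factor."""
    return int(record.split("$")[1]) < current_iterations

def slowdown_factor(iterations, rounds=5000):
    """Cost of one PBKDF2 derivation relative to one plain SHA-256 hash."""
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha256(b"guess").digest()
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"constructed-salt", iterations)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    n = calibrate_iterations(0.1)
    rec = hash_password("constructed sample password", n)  # constructed input
    print(n, verify_password("constructed sample password", rec))
    print(f"one guess costs ~{slowdown_factor(n):,.0f}x a single SHA-256")
```

Re-run the calibration when the authenticating hardware changes, and use `needs_rehash` at the next successful login to upgrade old records.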