Free GoCrack password cracking tool helps admins test password security

FireEye released a managed password cracking tool to help security professionals test password effectiveness, securely store passwords and audit password requirements.


It takes a mere .25 milliseconds to crack passwords such as “123456”, “qwerty” or “password” — examples of some of the worst, most common passwords used last year. Enterprise password policies may disallow those passwords, require a minimum number of characters, disallow repeated characters and previous passwords, and require a password to be changed at set intervals. But not all enterprises have the same password policy, and weak or reused passwords can still be problematic.

How easily can users’ passwords be cracked? Better yet, how easily can the passwords admins are using be cracked?

To address those concerns as well as other scenarios, FireEye’s Innovation and Custom Engineering (ICE) team released the open-sourced password cracking tool GoCrack. The tool was designed to help red teams manage password cracking tasks across multiple GPU machines via an easy-to-use web interface.

In the words of FireEye, “Password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements. Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.”

How the GoCrack password cracking tool works

The admin portion of GoCrack is meant to be deployed on a Linux server running Docker, or on macOS, with a “worker” on every GPU/CPU machine. The system will automatically distribute tasks across those GPU boxes. Nvidia GPU users can use Nvidia Docker to run the worker in a container with full access to the GPUs.

GoCrack has an entitlement-based system. Task data can be hidden from everyone except the task's original creator and any additional users who have been granted access to the task. Any modification to a task, download of a task file or viewing of cracked passwords is logged so that administrators can audit it.

According to FireEye’s Christopher Schmitt, “Engine files (files used by the cracking engine) such as Dictionaries, Mangling Rules, etc. can be uploaded as ‘Shared’, which allows other users to use them in task yet do not grant them the ability to download or edit. This allows for sensitive dictionaries to be used without enabling their contents to be viewed.”
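The entitlement rules described above (creator and granted users see a task, "Shared" engine files can be used by others but not downloaded or edited, sensitive actions are audited) can be modelled as follows. This is an added Go example, not GoCrack's own code: the type names, action names and sample users are hypothetical, and logging denied attempts as well as allowed ones is an assumption.

```go
package main

import "fmt"

// Hypothetical model of the entitlement rules in the article; not GoCrack's code.
type Action string

const (
	UseInTask   Action = "use_in_task"
	Download    Action = "download"
	Edit        Action = "edit"
	ViewCracked Action = "view_cracked"
)

// Resource is a task or an engine file (dictionary, mangling rules).
type Resource struct {
	Name    string
	Owner   string
	Granted map[string]bool // users the owner has added to a task
	Shared  bool            // engine file uploaded as "Shared"
}

// Auditor keeps a record of sensitive actions for administrators to review.
type Auditor struct{ Entries []string }

// Authorize applies the rules: the owner and granted users get full access;
// anyone else may only use a Shared file in a task, never read or change it.
func (a *Auditor) Authorize(user string, act Action, r Resource) bool {
	allowed := user == r.Owner || r.Granted[user] || (r.Shared && act == UseInTask)
	if act != UseInTask { // edits, downloads and viewing cracked passwords are logged
		a.Entries = append(a.Entries, fmt.Sprintf(
			"user=%s action=%s resource=%s allowed=%t", user, act, r.Name, allowed))
	}
	return allowed
}

func main() {
	log := &Auditor{}
	// Constructed sample data.
	dict := Resource{Name: "sensitive-dictionary.txt", Owner: "alice", Shared: true}
	task := Resource{Name: "audit-task-1", Owner: "alice", Granted: map[string]bool{"carol": true}}
	fmt.Println(log.Authorize("bob", UseInTask, dict))
	fmt.Println(log.Authorize("bob", Download, dict))
	fmt.Println(log.Authorize("carol", ViewCracked, task))
	fmt.Println(log.Authorize("bob", ViewCracked, task))
	for _, e := range log.Entries {
		fmt.Println(e)
	}
}
```

Keeping "use in a task" separate from "download" and "edit" is what lets a sensitive dictionary feed cracking jobs without its contents ever being readable by the people running them.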

GoCrack uses hashcat v3.6 or higher and requires no external database server. It also includes support for LDAP, as well as database-backed authentication. FireEye plans to add support for MySQL and Postgres data engines in the future, as well as the ability to edit files in the UI, better configure the hashcat engine and add automatic task expiration.

The password cracking tool GoCrack is like a gift for red teams to add to their arsenal for managing password cracking and recovery tasks. That’s not to say malicious actors won’t want this free gift as well to help crack passwords.

GoCrack is available on GitHub.

FireEye ended its blog post with a career plug by noting that its “small, highly trained, team of engineers” that make up ICE “is always looking for exceptional candidates interested in solving challenging problems quickly.”
