Cracking Passwords with Hashcat on Google Cloud Platform

Kacper Bąk
3 min readMar 23, 2023

In the past, breaking a password required a computer with a powerful power supply, multiple graphics cards, and lots of time. Today, breaking a password is possible for a small amount of money. With Google Cloud Platform (GCP), you can configure a machine to crack passwords for a fraction of the cost of buying the equipment.

To get started, visit console.cloud.google.com and create an instance of a virtual machine.

This virtual machine will be used to crack passwords. Depending on the complexity of the password, you can select the appropriate machine type with the required CPU and GPU resources.

Example configuration of a virtual instance

Once the machine is created, connect to it using SSH.

Once connected, you can use hashcat to crack a password hash. Suppose we have a password hash that we want to crack. To generate a hash from a password, use the following command:

echo -n '12345678901' | md5sum > hash.txt

This command generates an MD5 hash for the password ‘12345678901’ and saves it in the file hash.txt. The contents of the hash.txt file are as follows:

bfd81ee3ed27ad31c95ca75e21365973 -

The hash format in hash.txt seems to be a combination of the hash value and the plaintext password separated by a space. The hash value is bfd81ee3ed27ad31c95ca75e21365973 and the password is - (a single hyphen).

It’s important to note that in a real-world scenario, the password would not be known and the goal would be to use hashcat to crack the hash and determine the plaintext password. However, in this case, the password is already known and therefore, there is no need to use hashcat to crack it.

Before we even get to hash cracking, we need to start by formatting the hash correctly. We need to remove the password parameter and leave the hash itself.

bfd81ee3ed27ad31c95ca75e21365973

To crack this hash, I can use hashcat with the following command:

hashcat -m 0 hash.txt -a 3 ?d?d?d?d?d?d?d?d?d?d?d

This command will use a brute force attack with a mask of 11 digits (?d represents a digit) to crack the hash stored in the “hash.txt” file with the MD5 algorithm (-m 0).

Hashcat does brrrrrrrrrrrrrrrrrrrrrrrrrrr

Results:

bfd81ee3ed27ad31c95ca75e21365973:12345678901     

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: bfd81ee3ed27ad31c95ca75e21365973
Time.Started.....: Thu Mar 23 18:56:24 2023 (4 mins, 3 secs)
Time.Estimated...: Thu Mar 23 19:00:27 2023 (0 secs)
Guess.Mask.......: ?d?d?d?d?d?d?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 45023.9 kH/s (10.94ms) @ Accel:512 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11000320000/100000000000 (11.00%)
Rejected.........: 0/11000320000 (0.00%)
Restore.Point....: 10999808/100000000 (11.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1000 Iteration:0-1000
Candidates.#1....: 12388049450 -> 68871000010

Started: Thu Mar 23 18:56:21 2023
Stopped: Thu Mar 23 19:00:28 2023

The machine’s power determines how quickly the password can be cracked. For example, a machine with 10 Nvidia GTX 1080 Ti graphics cards costs $4.803/hr to run. This machine is capable of cracking passwords quickly and can reduce the cracking time from days to hours.

In conclusion, cracking passwords is now more accessible than ever before. With GCP and hashcat, you can easily set up a virtual machine to crack passwords quickly and efficiently. However, be aware that using these tools for illegal activities is a criminal offense, and it is essential to obtain consent from the owner of the password before attempting to crack it.

--

--