Trustwave, a security services company, has released an open source project aimed specifically at companies that would like to provide their security teams and red teams with password cracking as a service, the company confirmed today at the Black Hat Europe Conference.

Using the new CrackQ platform, enterprises can perform regular testing on their own systems or provide red teams with a service to crack password hashes obtained from clients during a project, presenting organizations with password quality metrics and tool usage statistics. Written in Python and built on the Flask web application framework, the platform is extensible and already provides a graphing library to create plots in the dashboard, says Dan Turner, main security consultant at Trustwave’s SpiderLabs.

“The dashboard really helps to visualize the weaknesses there [in password selection],” he says. “A viable use case is a security team using it internally to check passwords, but it is primarily for offensive teams to use during an engagement.”

Passwords have always been a weak link in corporate security because they are chosen by users. A report by Virginia Tech found that slightly more than half of users reuse passwords or use variants of the same password. According to the report, 56% of passwords took just 10 guesses to break.

Trustwave finds similar numbers on a regular basis. More than half of the passwords taken from Windows Domain Controllers by the company’s red teams can typically be broken by password cracking tools such as Hashcat, the program that powers CrackQ, says Turner. The failure rate is often close to 70%.

Even with general best practices in place, such as enforcing password complexity and limiting logon attempts, passwords remain a weak link in system security.

“The problem is that there is still a large body of insecure passwords within organizations, and it only takes one weak password for a network to be compromised,” he says.

Turner says he saw no need to build yet another password cracker; instead, he wanted to solve the problem of cracking passwords as a team.

Designed as a client-server system with a JavaScript front end and support for various authentication frameworks, CrackQ lets teams share access to a password-cracking server running Hashcat on GPU-accelerated hardware. Because the platform is based on Python and the Flask web application framework, it can be extended very quickly.

“At the click of a button, CrackQ will generate a password analysis report from the results of a password-cracking job — a Windows Active Directory domain store, for example,” Turner wrote in a blog post about the tool. “This includes information relating to timings and speed, but crucially insecure password choices and patterns within an organization.”

For example, the software will attempt to determine a user’s likely nationality from the words used in their password, or flag when specific geographic locations appear in the passphrase.
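As an added illustration, not CrackQ’s own code, of the kind of password-quality metrics such a report can surface, the following Python reads constructed Hashcat potfile-style output (hash:plaintext, unsalted) and computes the cracked percentage, password reuse, the most common base words and hits on a list of location words; the hashes, the total hash count and the location list are all assumed sample values.

```python
import re
from collections import Counter

# Constructed sample in Hashcat potfile style (hash:plaintext).
# The hashes are placeholders, not real digests.
SAMPLE_POTFILE = """\
aaaa0001:Summer2019!
aaaa0002:London123
aaaa0003:Summer2019!
aaaa0004:Password1
aaaa0005:manchester2020
aaaa0006:Tr0ub4dor&3
"""
TOTAL_HASHES = 10  # assumed: hashes submitted to the job, cracked or not

# Assumed word list; a real report would use a much larger gazetteer.
LOCATION_WORDS = {"london", "manchester", "paris", "berlin"}


def parse_potfile(text):
    """Return plaintexts from hash:plaintext lines (split on the first colon,
    so unsalted hashes are assumed; a plaintext may itself contain colons)."""
    plains = []
    for line in text.splitlines():
        if ":" in line:
            plains.append(line.split(":", 1)[1])
    return plains


def base_word(pw):
    """Strip leading/trailing digits and symbols to expose the core word."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()


def analyze(potfile_text, total_hashes):
    """Build a small password-quality summary of the kind a report would show."""
    plains = parse_potfile(potfile_text)
    per_password = Counter(plains)
    bases = Counter(b for b in map(base_word, plains) if b)
    # Accounts whose password is shared with at least one other account.
    reused_accounts = sum(c for c in per_password.values() if c > 1)
    location_based = [p for p in plains
                      if any(w in p.lower() for w in LOCATION_WORDS)]
    return {
        "cracked": len(plains),
        "cracked_pct": round(100 * len(plains) / total_hashes, 1),
        "reused_accounts": reused_accounts,
        "top_base_words": bases.most_common(3),
        "location_based": location_based,
    }
```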

CrackQ also incorporates Hashcat Brain, a feature that keeps the cracker from trying the same password candidate more than once; CrackQ turns it off when it becomes a bottleneck, so it is most useful with slower hashing algorithms.

In an enterprise context, the platform is useful because it allows the security team to quickly create reports and spot weaknesses in how passwords are chosen, Turner says.

“For us, every penetration test with a significant password store compromise will include a detailed report analyzing weak areas in a password policy,” he says. “CrackQ will help to visualize that and perhaps help drive home the message about poor password choices.”
