Password cracking by the book is expensive, complicated and difficult to scale. Trying to crack passwords on laptops is comparatively slow and unhelpful. Investing in a rack of Nvidia graphics cards to do all the heavy lifting is so costly that the added value is nearly impossible to communicate.
Too many times, a single uncracked password is the only thing sitting between a penetration tester and a Domain Admin account during an engagement. Inefficient and costly password cracking doesn’t just keep white-hat hackers from doing their best work. It keeps their clients from completely understanding their threat model.
My colleague and I have set out to create a better solution using existing AWS offerings that drastically reduces costs, improves the quality of penetration testing and red team exercises and can be utilized with almost no barrier to entry. By removing the need to purchase hardware and the time spent configuring and managing servers, and by distributing the workload across low-cost/high-power endpoints, we’ve found a way for security experts to crack passwords in a scalable, portable and cheap way without losing processing power.