Weak or reused passwords are a common cause of security breaches, but they are hard for administrators to police.
Intelligence-led security company FireEye is releasing a new password cracking tool to enable security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements.
The main program is installed on a server, while a separate ‘worker’ component lets GoCrack distribute its processing across CPUs and GPUs on networked machines. Tasks are created, viewed, and managed through a simple-to-use web-based interface.
In order to protect sensitive password data, GoCrack includes an entitlement-based system which stops users from accessing task data unless they are the original creator or have been granted access to the task. Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are all logged and available for auditing by administrators.
GoCrack uses the hashcat password recovery tool. Engine files (files used by the cracking engine) such as dictionaries, mangling rules, and so on can be uploaded as ‘shared’, which allows other users to use them in tasks but doesn’t give them the ability to download or edit them. This allows sensitive dictionaries to be used without their contents being available to view. FireEye aims to build MySQL and other database support into future versions to allow for larger deployments and more configuration options.
The server component can run on any Linux server with Docker installed. Users with NVIDIA GPUs can use NVIDIA Docker to run the worker component in a container with full access to the GPUs.