Penetration Testing in the Cloud

Public Cloud TCO

One of the original positive TCO use cases for public cloud was ephemeral workloads. Traditional, full OS VM workloads tend to be more expensive over time to run in the public cloud than to run on-premises. Ephemeral workloads, serverless workloads, or container workloads tend to be less expensive to run in the public cloud than on-premises.

One example of such an ephemeral workload is GPU-based penetration testing, especially password cracking. Password cracking is a heavy math operation and having access to as many GPUs as possible can reduce the time to success from weeks or days to hours.


I am a big fan of AI/ML/DL and have recently been experimenting with RL (Reinforcement Learning) using the pwnagotchi open source project. 

"Pwnagotchi is an A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures" 

In a nutshell, pwnagotchi performs some tricks to capture WPA WiFi handshakes. These handshakes are not the WiFi passwords but can be tested with sets of passwords for a match. This is a fascinating article on WiFi handshakes.

Cracking WPA Passwords

So how does one crack a WiFi password? One uses the hashcat tool.

"hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking."

This pwnagotchi page explains the tools and procedures needed to (attempt to) match a WiFi password with a WiFi handshake. In short:

  • Convert the handshakes captured by the pwnagotchi from .cap files to .hccapx files that can be processed by hashcat. The program cap2hccapx.bin is used for this conversion.
  • Decide which type of password attack you will try. There are multiple options for dictionary and brute force attacks. In general, dictionary attacks are much faster as there are fewer permutations to try (the recommended password dictionary only has 14,344,391 entries). Password dictionaries can be found here. Brute force attacks must process exponentially more permutations and, in most cases, you must know the exact length of the password. These are the hashcat attack options:
    • Brute-Force attack
    • Combinator attack
    • Dictionary attack
    • Hybrid attack
    • Mask attack
    • Rule-based attack
    • Toggle-Case attack
  • Run the crack. If you are lucky (dictionary hit) or wait long enough (days, weeks, years), you will get a result like this:
    • 123456abc789:01a23456bcde:SSID_NAME:weakpassword
    • Congratulations. "weakpassword" is the password for SSID "SSID_NAME".

Speed to Crack Passwords

The length of time it takes to crack a password is directly related to the speed and number of GPUs at your disposal. My on-premises option is an NVIDIA Jetson AGX Xavier Developer Kit. The Xavier has 512 GPU cores, is only 4.1"x4.1" and can run on as little as 10 Watts. My cloud option is an AWS p2.16xlarge instance with 16 NVIDIA K80s with 4,992 GPU cores each for a total of 79,872 GPU cores. The Xavier is small, powerful, and handy. The p2.16xlarge is a monster.

Here is a speed example of each GPU option using brute force to crack a 9 digit numeric password (low complexity):

  • Command: hashcat -m 2500 -a3 SSID_NAME.hccapx ?d?d?d?d?d?d?d?d?d
  • Xavier Time to Completion: 6 hours, 24 mins (aka 384 minutes)
  • AWS Time to Completion: 16 mins, 26 secs. 23X faster.

Here is a speed example of each GPU option using brute force to crack a 9 digit mixed numeric/lower-case alpha password (medium complexity):

  • Command: hashcat -m 2500 -a3 SSID_NAME.hccapx ?h?h?h?h?h?h?h?h?h
  • Xavier Time to Completion: 18 days, 13 hours (aka 445 hours)
  • AWS Time to Completion: 17 hours, 55 mins. 25X faster.

Cost Comparison

Obviously, the cloud option wins the speed race. Which deployment option you choose depends upon how complex the password you are trying to crack is, how long you are willing to wait, and how much you are willing to spend for that result.

Regarding how much you are willing to spend, here are a few cost baselines:
  • On-Premises
    • NVIDIA Jetson AGX Xavier Developer Kit: $699
    • (1) NVIDIA DGX-1 with 8 GPUs total: ~$150,000 (includes 3 years support)
    • (2) NVIDIA DGX-1 with 16 GPUs total: ~$300,000 (includes 3 years support)
  • Cloud
    • AWS p2.16xlarge with 16 GPUs: $14.40/hour + storage + network costs.
      • 24 hours: $346+
      • 1 month: $10,512+
      • 1 year: $126,144+
      • 3 years: $378,432+
Here are the cost details of running a job on AWS to show the additional costs beyond the $14.40/hour:


As with most designs in IT, the answer is "it depends". If you have a simple GPU-based task, or have plenty of time, run the job on a relatively inexpensive on-premises solution. If you have an extremely complex GPU-based task, or do not have the time to wait, and/or cost is not a concern, rent an AWS p2.16xlarge instance. Just remember to shut down the instance when you are done using it.
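To make the "it depends" decision concrete, here is a small estimator (added here, not part of the original post) that turns a hashcat mask into a candidate count, derives each platform's hash rate from the 9-digit benchmark above, and projects worst-case time and p2.16xlarge cost. It generalizes beyond the two masks in the post to any built-in hashcat charset, which is also the quickest way to see why passphrase length, not GPU budget, decides the outcome. The 10-char lowercase mask and the zero marginal on-prem cost are my assumptions.

```python
from math import ceil

# Sizes of hashcat's built-in charsets (?h is the 16 hex characters 0-9a-f).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "h": 16, "H": 16, "a": 95, "b": 256}

# Hash rates back-calculated from the post's ?d x9 benchmark (1e9 candidates):
RATES = {
    "xavier": 10**9 / (384 * 60),          # 6h 24m   -> ~43.4 kH/s
    "p2.16xlarge": 10**9 / (16 * 60 + 26), # 16m 26s  -> ~1.01 MH/s
}
CLOUD_USD_PER_HOUR = 14.40  # hourly rate quoted in the post; storage/network extra

def keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask expands to, e.g. '?d?d' -> 100."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":          # literal character: exactly one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' in mask")
        c = mask[i + 1]
        if c == "?":                # '??' is a literal question mark
            i += 2
            continue
        if c not in CHARSET_SIZES:
            raise ValueError(f"unknown charset ?{c}")
        total *= CHARSET_SIZES[c]
        i += 2
    return total

def worst_case_seconds(mask: str, platform: str) -> float:
    """Time to exhaust the whole mask at the platform's benchmark rate."""
    return keyspace(mask) / RATES[platform]

def cloud_cost_usd(mask: str) -> float:
    """Billed p2.16xlarge hours (rounded up) for a full run; on-prem assumed ~$0 marginal."""
    hours = ceil(worst_case_seconds(mask, "p2.16xlarge") / 3600)
    return hours * CLOUD_USD_PER_HOUR

if __name__ == "__main__":
    # Third mask is a constructed example: 10 lowercase letters, outside the post's tests.
    for m in ("?d?d?d?d?d?d?d?d?d", "?h?h?h?h?h?h?h?h?h", "?l?l?l?l?l?l?l?l?l?l"):
        print(f"{m:22} candidates={keyspace(m):>16,} "
              f"xavier={worst_case_seconds(m, 'xavier') / 3600:>10,.1f}h "
              f"aws={worst_case_seconds(m, 'p2.16xlarge') / 3600:>10,.1f}h "
              f"aws_cost=${cloud_cost_usd(m):,.2f}")
```

The ?h x9 projection lands within a few percent of the measured 445 h and 17 h 55 m, which is a good sanity check that the benchmark-derived rates are usable for policy estimates.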

I hope you have found this post educational. I welcome your feedback.


Dan Sheldon said…
Fantastic write-up of your illegal activities Dennis!
Dennis Faucher said…
Educational purposes only. 🙂