As a pentester, I often gain access to a Windows domain controller and dump the hashes. I can use pass-the-hash to login to other Windows machines with those credentials but if I want to login to web services or databases as those users, I need to crack the passwords. Typically, I would break out JtR, Ophcrack, rcracki_mt, or Hashcat. With Ophcrack or rcracki_mt, it can take anywhere from 30 minutes to many hours to crack all of the passwords, depending on the number of hashes in the file. In addition, you have to store Gigs worth of data files. With JtR or Hashcat, you have a similar wait time and you have to maintain extensive word lists and mangling rules. In addition, most of the passwords you test will not meet the Windows complexity requirements, which are common in large organizations. is different. It uses a database to store pre-computed hashes based on the most common base words and password mangling rules and all of the passwords meet the Windows complexity requirements. The initial database was built from public password breaches such as, rockyou, and facebook. As users upload new password hashes, the database will be updated with new base words and password mangling rules, becoming more efficient over time.

The value of comes from the time/effectiveness trade off. You can spend hours cracking 100% of passwords or you can crack 10-20% of the passwords immediately. Over the course of the year, the time and money you save will completely pay for the service.

Please checkout the site for more details and feel free to provide constructive feedback.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s