c0d3inj3cT@Crack Me If You Can 2012
Sunday, July 29, 2012 | Author: Deep Flash
The Crack Me If You Can contest at DEFCON 2012 ended just a few moments ago. Like last time, I participated with InsidePro. We ended up in third place.

More statistics here: https://contest-2012.korelogic.com/stats.html

Congratulations to Hashcat and john-users :)

The start of the contest was not good for me. I was all set and ready for the contest to begin and then 5 minutes into the contest after Korelogic released the key to decrypt the PGP'ed tarball, there was a Network Outage in my area. How much can Luck Suck? Well, here is your answer.

At first, I thought it would be resolved within a few minutes. It did not. Then, a few hours? Well it did not. Time was running out and I tried all possible alternatives to connect to Internet so that I could participate in this contest, but nothing seemed to work. It was now, 5 hours into the contest and I was still without Internet Access. This was a mood spoiler indeed!!

After about 8 hours, I managed to find a stable alternative Internet connection (which would not ditch me :D ).

This year I wanted to see how many hashes I can crack alone to know how many points I would have earned had I participated alone in the contest. I went through various hash types I cracked during the contest and after compiling the list, I am rather happy :D

For the majority of the contest, I focused on the heavy algorithms like MD5 (Unix), MD5 (APR), DCC2, OpenBSD and SHA-512 Unix and here is a brief overview of my statistics:

MD5 (APR) - 415  
MD5 (Unix) - 349
DCC2 (Mscash2) - 17  
DCC (Mscash) - 598  
DES - 387  
SHA-512 Crypt - 4  
OpenBSD (Blowfish) - 2

and along with this the other easy algorithms like MD5, SHA1, NTLM, MD4 and so on.

Applying the Point Distribution to the above stats and adding approximately 2000 points to it for the easy algorithms which I cracked, the total comes to: 4,15,683 points. This is more than a quarter of the Maximum Total Password Crack points earned by one Team in the contest.

This looks quite good to me, considering I was around 8 hours late into the contest :D

I am happy for john-users, because in this contest they performed really well with the toughest algorithm hashes like SHA-512 Crypt, Blowfish, Sun-md5. This was also a good time for Solar Designer and other developers of JtR to test their OpenCL and CUDA code implementations in JtR. I am not sure how many of these hashes were actually cracked by them on the GPU platform.

What did I find interesting about this contest? 

1. The password patterns were much more realistic than last year's contest. I believe the huge password leaks (LinkedIn/eHarmony/last.fm) right before the contest helped the organizers in coming up with a wide variety of password patterns.

2. The iteration counter (work) for the Blowfish hashes was increased from 5 to 8.

Last year, the bcrypt hashes were $2a$05$ (2^5 iterations).

This year, however, they were $2a$08$ (2^8 iterations).

3. The point distribution among the different hash types was good. However, the only hash type for which they need to reconsider the number of points given is DCC2.

Note: Even though this hash type can be accelerated by implementing the algorithm on a GPU, there were a minimum number of cracks for this particular hash type (excluding bcrypt) by any team (with the maximum being 96).

Each DCC2 hash for 2000 points is a fair enough point allocation according to me. Though it appears that the point distribution has been done more according to the hash algorithm difficulty than the difficulty of the passwords specific to that hash algorithm.

What makes me curious in this contest? 

1. There were certainly many aspects of this contest which made me curious. However, off the top of my head, I can recollect one specific password pattern. There were many hash types, with difficulty level varying from easy to medium, which had many all-digit passwords of lengths 8, 9, 10, 11 and 12. It is possible to crack these easily using a mask attack with oclhashcat-plus and a fast enough GPU.

However, I found these password patterns for the heavy algorithms like MD5 (Unix) and MD5 (APR) as well. While running certain rule attacks on the already found passwords, I discovered a couple of hashes for the above algorithms with 10 digits in them.

For instance:

$apr1$IlZ3iLOl$WKJ5N0j5QzdmFb4fVIa/p/:8979570490

$apr1$FuHAQ3Dw$3oTO0YexLzL/FWbeuu12C1:3059872160

It makes me wonder: were they really expecting us to brute-force this hash type as well, or was there some pattern in these passwords which we had to identify? It would be interesting to know more about this.

What were the passwords to the toughest algorithms like Blowfish, sun-md5 and SHA-512 (Unix)?

I guess we are all eager to know the answer to this question. The only passwords I was able to crack for these algorithms were all lowercase words or a simple rule applied to a lowercase word. For instance, 2 of them were:

$6$ad.V4U6/ru/mYEZp$AQza3gdhwEFu2JubVaBGZ2H4Rcqu7ijW.1NJ6RubEerKDdQ1ukC6/uzmjOjFUE.CQyDnqWpilk4jfO5.wVFjX/:@password

$6$xX1ZwbZCduQJ6bOG$K37gaEJAwJxcwGreloZtmePJBIS.89PNpD4im.obF5YcjdPa5uzuqrWs1LkdBmmgege0SOCe/sIhYq1u9Jvju0:jpassword

So, according to me, we were supposed to analyze the already cracked passwords, identify base words (such as "password" above) and apply simple rules to them, like prefixing or appending a ?d, ?l or ?s.
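The two patterns described in this post (all-digit passwords of length 8 to 12, and a known base word with one ?d/?l/?s character prefixed or appended) are also what a password audit should flag. The following is an added example, not code from the original post or from any of the tools mentioned. The function names are assumptions, and the last sample password is constructed.

```python
import string

# hashcat's built-in charsets: ?d digits, ?l lowercase, ?u uppercase, ?s specials
CHARSETS = {"?d": string.digits, "?l": string.ascii_lowercase,
            "?u": string.ascii_uppercase, "?s": " " + string.punctuation}

def char_class(ch):
    """Mask token for one character, or None if it is outside the four sets."""
    return next((tok for tok, chars in CHARSETS.items() if ch and ch in chars), None)

def to_mask(password):
    """Describe a password as a mask string, e.g. 'ab1' -> '?l?l?d'."""
    tokens = [char_class(c) for c in password]
    return None if None in tokens else "".join(tokens)

def keyspace(mask):
    """Number of candidates an exhaustive search of this mask must cover."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= len(CHARSETS[mask[i:i + 2]])
    return total

def classify(password, base_words):
    """Label a password with the pattern from the post that it matches."""
    if 8 <= len(password) <= 12 and to_mask(password) == "?d" * len(password):
        return "digits-only"
    head, tail = char_class(password[:1]), char_class(password[-1:])
    if password[1:] in base_words and head in ("?d", "?l", "?s"):
        return "prefix " + head + " + base word"
    if password[:-1] in base_words and tail in ("?d", "?l", "?s"):
        return "base word + suffix " + tail
    return "other"

def audit(passwords, base_words):
    """Return (password, mask, keyspace, label) for every audited password."""
    report = []
    for pw in passwords:
        mask = to_mask(pw)
        report.append((pw, mask, keyspace(mask) if mask else None,
                       classify(pw, base_words)))
    return report

# The first four plaintexts are the ones quoted in this post; the last is constructed.
SAMPLE = ["8979570490", "3059872160", "@password", "jpassword", "Tr0ub4dor&3x"]
BASE_WORDS = {"password"}  # the base word the post identifies

if __name__ == "__main__":
    for row in audit(SAMPLE, BASE_WORDS):
        print(row)
```

A 10-digit mask is 10^10 candidates whatever the hash type; what differs between MD5 and MD5 (Unix) is the cost of testing each candidate.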

What would have made this contest better for me? 

A Good and Reliable Internet Connection! Making my way into the contest 8 hours late did not allow me to give sufficient time to analyzing passwords and patterns. I hope to have a backup connection, or rather multiple backup connections in future.

That's all for now. A more detailed writeup with various password patterns used in the contest and how to crack them will follow later.

Thanks to the organizers, Korelogic, it was a good experience.

c0d3inj3cT