The top teams' scores fully show that, given enough resources and dedication, today's password hashes can and will be broken. Congrats to the top four teams: Hashcat, InsidePro, john-users and bindshell-dot-nl. Reading your write-ups will be fun!
I had a few goals I wanted to achieve while participating in the contest. I knew I wouldn't score high or often due to outside commitments. I mostly wanted to:
- Stretch out the environment we had built up for penetration tests
- Try not to get sucked into trying for bigger scoring points and see how many overall hash types respond in the environment (failing sometimes to stick to this rule - damn competitive natures!)
- Gain more experience with Hashcat's tools and close some of my knowledge gaps with them
- Gain more real-world experience using John the Ripper's modes.
- In a real-world penetration test you typically receive bundles of hashes at a time. Usually a few Windows systems with local administrator and one or two potentially useful accounts. Then as the days progress you start owning larger and larger systems with more and more passwords (mssql, oracle, windows servers, etc.). I'm not really sure how they could incorporate that into a 48-hour contest, but it would be cool.
- Individuals are severely outclassed by teams, but that's entirely OK. The contest was designed as a team-based system. Obviously those who had the resources to work together and develop their own tools have a huge step up. The top three teams represented three different cracking toolsets.
- The mssql/mssql05 debacle was annoying, but I'm glad it was cleared up. The problem with mssql hashes is that they crack in both formats, so you really need to know your source. I had achieved a high number of mssql05 hashes, but when they didn't score points I switched to mssql, which was incorrect. Quite a bit of wasted CPU time.
- For those of us who are not hard-core shellcoders, this gave us something fun to play as part of Defcon instead of having our asses handed to us at CTF. The downside still is that if you're at Defcon and you're in a contest, you don't really get to enjoy Defcon. :)
- The challenges were a nice touch - zip, pdf, rar and doc files with extra hashes in them to crack! I wasn't expecting them so I didn't spend too many cycles on them. Something to note for our environment...
- A lot of hard work went into making this contest, and from my vantage point it seemed to run pretty smoothly. Kudos to Korelogic!
- Separating the hashes into their respective files was really helpful for writing scripts. Saved a bunch of time compared to the prior year's huge text file of hashes.
- The contest wasn't just about brute-force strength; however, having an arsenal of systems/people or an amazing GPU coder in your pocket helps. I heard that atom, the main coder for hashcat, wrote a GPU implementation of mscash2 in 8 hours. A serious leg up against everyone else given 16,000 points per DCC2 crack.
- Wordlists helped, but spotting patterns early on and adapting helped, as expected. A system I wasn't really able to exploit due to limited personal time.
I look forward to next year's contest and the overall report!