Tuesday, August 09, 2011

The contest is over

Korelogic's Crack Me If You Can contest at Defcon is officially over. Team Not Appearing At Defcon scored decently given it was just me, two machines and not a lot of focused time.

The top teams' scores fully show that, given enough resources and dedication, today's password hashes can and will be broken. Congrats to the top four teams: Hashcat, InsidePro, john-users and bindshell-dot-nl. Reading your write-ups will be fun!

I had a few goals I wanted to achieve while participating in the contest. I knew I wouldn't score high or often due to outside commitments. I mostly wanted to:
  • Stretch out the environment we had built up for penetration tests
  • Try not to get sucked into trying for bigger scoring points and see how many overall hash types respond in the environment (failing sometimes to stick to this rule - damn competitive natures!)
  • Gain more experience with Hashcat's tools and close some of my knowledge gaps with it
  • More real-world experience with using John The Ripper's modes.
Yes it would be possible to build your own password list, encrypt it and such but there's something about having a third party source. You have no clue what was used so you're starting out completely blind!
Overall I felt the contest was a good representation of real-life password cracking experience, with a few minor issues in my opinion:
• In a real world penetration test you typically receive bundles of hashes at a time. Usually a few Windows systems with local administrator and one or two potentially useful accounts. Then as the days progress you start owning larger and larger systems with more and more passwords (mssql, oracle, windows servers, etc). I'm not really sure how they could incorporate that into a 48 hour contest but it would be cool.
• Individuals are severely outclassed by teams, but that's entirely ok. The contest was designed as a team-based system. Obviously those who had the resources to work together and develop their own tools have a huge step-up. The top three teams represented three different cracking toolsets.
• The mssql/mssql05 debacle was annoying, but I'm glad it was cleared up. The problem with mssql hashes is that they crack in both formats, so you really need to know your source. I had cracked a high number of mssql05 hashes, but when they didn't score points I switched to mssql, which was incorrect. Quite a bit of wasted CPU time.
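To make the mssql/mssql05 point concrete, here is an added Python example (my own code, not from the post and not John the Ripper's implementation) that builds both SQL Server hash layouts on a constructed salt and applies the two checks the modes correspond to: a case-insensitive check against the uppercase digest that only a 2000-style hash carries, and an exact-case check against the first digest, which is all a 2005-style hash has. The function names and the sample salt are my own.

```python
import hashlib

# Constructed sample salt; real SQL Server salts are 4 random bytes.
SAMPLE_SALT = bytes.fromhex("DEADBEEF")

def _digest(password: str, salt: bytes) -> bytes:
    # SQL Server hashes the UTF-16LE password followed by the salt with SHA-1.
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()

def mssql2000_hash(password: str, salt: bytes = SAMPLE_SALT) -> str:
    # SQL Server 2000 layout: 0x0100 | salt | SHA1(pw) | SHA1(UPPER(pw)).
    body = salt + _digest(password, salt) + _digest(password.upper(), salt)
    return "0x0100" + body.hex().upper()

def mssql2005_hash(password: str, salt: bytes = SAMPLE_SALT) -> str:
    # SQL Server 2005 layout drops the uppercase digest: 0x0100 | salt | SHA1(pw).
    return "0x0100" + (salt + _digest(password, salt)).hex().upper()

def parse_hash(hash_str: str):
    # Split either layout into (salt, [digests]); the 0x0100 header is fixed.
    raw = bytes.fromhex(hash_str[2:])
    if raw[:2] != b"\x01\x00" or (len(raw) - 6) % 20:
        raise ValueError("not a SQL Server 2000/2005 password hash")
    return raw[2:6], [raw[i:i + 20] for i in range(6, len(raw), 20)]

def identify(hash_str: str) -> str:
    # Knowing your source: two digests means 2000 (mssql), one means 2005 (mssql05).
    return "mssql" if len(parse_hash(hash_str)[1]) == 2 else "mssql05"

def verify_uppercase(hash_str: str, candidate: str) -> bool:
    # Case-insensitive check against the uppercase digest (last digest of a 2000 hash).
    salt, digests = parse_hash(hash_str)
    return _digest(candidate.upper(), salt) == digests[-1]

def verify_case_sensitive(hash_str: str, candidate: str) -> bool:
    # Exact-case check against the first digest, the only one a 2005 hash carries.
    salt, digests = parse_hash(hash_str)
    return _digest(candidate, salt) == digests[0]

if __name__ == "__main__":
    h00, h05 = mssql2000_hash("Password1"), mssql2005_hash("Password1")
    print(identify(h00), verify_uppercase(h00, "password1"))   # mssql True
    print(identify(h05), verify_uppercase(h05, "password1"))   # mssql05 False
```

A 2000-style hash verifies under either check, which is why the same wordlist run appears to work in both modes; against 2005-style hashes the uppercase check never matches unless the password was already all caps, so CPU spent there is wasted.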
Some of the things I liked about the contest:
• For those of us who are not hard-core shellcoders, this gave us something fun to play as part of Defcon instead of having our asses handed to us at CTF. The downside still is if you're at Defcon and you're in a contest you don't really get to enjoy Defcon. :)
• The challenges were a nice touch - zip, pdf, rar and doc files with extra hashes in them to crack! I wasn't expecting them so I didn't spend too many cycles on them. Something to note for our environment...
• A lot of hard work went into making this contest and from my vantage point it seemed to run pretty smoothly. Kudos to Korelogic!
• Separating the hashes into their respective files was really helpful for writing scripts. Saved a bunch of time compared to the prior year's huge textfile of hashes.
• The contest wasn't just about brute force strength, however having an arsenal of systems/people or an amazing GPU coder in your pocket helps. I heard that atom, the main coder for hashcat, wrote a GPU implementation of mscash2 in 8 hours. A serious leg up against everyone else given 16,000 points per DCC2 crack.
• Wordlists helped but spotting patterns early on and adapting helped, as expected. A system I wasn't really able to exploit due to limited personal time.
I look forward to the write-ups from the other teams. Big thanks to Solar Designer for making John The Ripper and the rest of the team that have been working to make tremendous improvements to it. It's been the tool-to-use for a number of years and continues to shine. Huge thanks to KoreLogic for their second year of designing and working the contest.

I look forward to next year's contest and the overall report!

Saturday, August 06, 2011

Day 1 wrap-up, Crack me if you can

Until I finalise my thoughts more this will probably be the last update for the contest. It's pretty clear that one person with a few small resources can't crack as fast as an army of people that may or may not have a mega-setup at their disposal.

I don't think I scored too poorly given that I was an individual with two systems at my disposal. I've learned a lot and that will help in the long run.

The contest this year includes some heavy point-setting password protected zip, rar and word documents. I'm sure they are some permutation of already cracked passwords; maybe I'll get to those later. There are so many things to do at once in this contest that you really need to put together a good team.

My score so far?

8019916094 EC952A038CB3ECB4 not appearing at defcon

I really should have more single points up there but it's such a decision battle. Spend the cycles cracking some of the slower, higher point hashes or blast through the faster, lower point ones. Oh well, will pick up more cracking tomorrow if time permits, and it probably won't.

Friday, August 05, 2011

Holy crap, one against many

The scores for this year's KoreLogic Crack Me If You Can contest are up and it appears that teams with multiple people and systems have a slight advantage....

The top 4 teams:
74766 8D65BF65887D65A9 Hashcat
50155 CCDE2FAB9599C0A6 Insidepro team 2011
45187 7D47E99A316E29D7 john-users
24687 889DCCAD7B08FD12 bindshell-dot-nl

Where am I in all of this?
4447 EC952A038CB3ECB4

That's about what I expected. I'm only one person with a small spattering of machines at my disposal. With 121,614 hashes to crack of 20 different hash types you have to be smart. Brute force will only get you so far, and so far that's mostly what I've been doing: finding the commonality amongst the easy-to-crack hashes so that, time permitting, the bigger scoring hashes can be cracked.

Honestly I only have a few hours of free time left so I'll probably pick a few high scoring hash types and let the permutation of the wordlist run for a bit.

KoreLogic 2011 Crack Me If You Can

Due to a lot of family-type things happening around the BlackHat/Defcon/CCC dates I have been unable to attend. Usually it's work that precludes the "having fun in 120 degree Las Vegas weather."

Thankfully KoreLogic has given non-attendees the chance to play in their "Crack Me If You Can" game for Defcon! Hooray! 48 hours of unadulterated power consuming, hash generating, text file management, pgp encrypting and general usage of unused computing cycles!

This year I decided to devote a few hours to this contest while the wife and baby sleep. I'll be writing some updates as I get some time on how things are going. It's now been a little over an hour since I started so here's where things stand.

On Your Mark
Pre-registration involved generating a PGP key (if you didn't already have one) and sending it off to KoreLogic's scoring server for verification. This was easy if you've spent any time doing encrypted communication exchanges.

Get Set
While I waited for the contest to start I made sure I had all my tools and systems ready. This would be the chance to help prove out the expenditure of NVidia GTX580 cards, high-end CPUs, RAID disk space, etc. Since I'm running in an even shorter timeframe (and smaller team size... of one!) early preparation was key.

Tools I planned on using:

• John the Ripper, latest jumbo patches and GPU patches if time and code permitted
• The oclHashCat suite
• Misc rainbowtables collected over the years
• Misc wordlists collected over the years

Molly wakes me up at 5:50am on Friday morning for her regular feeding... 20 minutes of extra sleep! I check my e-mail and am excited to see the encrypted contest e-mails in my inbox. A quick pgp decryption and the URLs to download are shown. Hooray!

Oops, based on the CMIYC twitter feed they had generated some weak hashes. Use the two files instead of the first one. Ok!

Down they come with wget.... Hmm, zip files. No problem! Take a peek with 'unzip -v' and the contents look pretty good. Time to get rolling...

    ~/korelogic-2011/test$ unzip ../2011-CrackMeIfYouCan_part1.zip
    Archive:  ../2011-CrackMeIfYouCan_part1.zip
       creating: contest_tree/challenge1/
    [../2011-CrackMeIfYouCan_part1.zip] contest_tree/challenge1/challenge1.zip password:

Oh. Of course it's going to be password protected. But it's pretty easy to guess if you take a step back and think about it.

Two hours in...
4066 password hashes cracked, 123780 left
A long way to go still... Right now I'm basically not caring about the scoring points and going after "low-hanging passwords" using a very large dictionary, JTR's stock rules and patience. Some high scoring hashes may be cracking, I don't really know right now. Time to feed the baby again.