Tuesday, August 09, 2011

The contest is over

Korelogic's Crack Me If You Can contest at Defcon is officially over. Team Not Appearing At Defcon scored decently given it was just me, two machines and not a lot of focused time.

The top teams scores fully show that given enough resources and dedication today's password hashes can and will be broken. Congrats to the top four teams: Hashcat, InsideProjohn-users and bindshell-dot-nl. Reading your write-ups will be fun!

I had a few goals I wanted to achieve while participating in the contest. I knew I wouldn't score high or often due to outside commitments. I mostly wanted to:
  • Stretch out the environment we had built up for penetration tests
  • Try not to get sucked into trying for bigger scoring points and see how many overall hash types respond in the environment (failing sometimes to stick to this rule - damn competitive natures!)
  • Gain more experience with Hashcat's tools and closing some of my knowledge gaps with it
  • More real-world experience with using John The Ripper's modes.
Yes it would be possible to build your own password list, encrypt it and such but there's something about having a third party source. You have no clue what was used so you're starting out completely blind!
    Overall I felt the contest was a good representation of real-life password cracking experience with a few minor issues in my opinion:
    • In a real world penetration test you typically receive bundles of hashes at a time. Usually a few Windows systems with local administrator and one or two potentially useful accounts. Then as the days progress you start owning larger and larger systems with more and more passwords (mssql, oracle, windows servers, etc). I'm not really sure how they could incorporate that into a 48 hour contest but it would be cool.
    • Individuals are severely outclassed by teams, but that's entirely ok. The contest was designed as a team-based system. Obviously those who had the resources to work together and develop their own tools have a huge step-up. The top three teams represented three different cracking toolsets.
    • The mssql/mssql05 debacle was annoying but glad it was cleared up. The problem with mssql hashes is that they crack in both formats so you really need to know your source. I had achieved a high number of mssql05 hashes but when they didn't point score I switched to mssql, which was incorrect. Quite a bit of wasted CPU time.
    Some of the things I liked about the contest:
    • For those of us who are not hard-core shellcoders, this gave us something fun to play as part of Defcon instead of having our asses handed to us at CTF. The downside still is if you're at Defcon and you're in a contest you don't really get to enjoy Defcon. :)
    • The challenges were a nice touch - zip, pdf, rar and doc files with extra hashes in them to crack! I wasn't expecting them so I didn't spend too many cycles on them. Something to note for our environment...
    • A lot of hard work went into making this contest and from my vantage point it seemed to run pretty smoothly. Kudos to Korelogic!
    • Separating the hashes into their respective files was really helpful for writing scripts. Saved a bunch of time compared to the prior year's huge textfile of hashes.
    • The contest wasn't just about brute force strength, however having an arsenal of systems/people or an amazing GPU coder in your pocket helps. I heard that atom, the main coder for hashcat, wrote a GPU implementation of mscash2 in 8 hours. A serious leg up against everyone else given 16,000 points per DCC2 crack.
    • Wordlists helped but spotting patterns early on and adapting helped, as expected. A system I wasn't really able to exploit due to limited personal time.
    I look forward to the write-ups from the other teams. Big thanks to Solar Designer for making John The Ripper and the rest of the team that have been working to make tremendous improvements to it. It's been the tool-to-use for a number of years and continues to shine. Huge thanks to KoreLogic for their second year of designing and working the contest.

    I look forward to next year's contest and the overall report!

        No comments: