Sunday, August 11, 2013

Crack Me If You Can 2013 - Street Challenge 3

The Crack Me If You Can Street Challenge #3 was a fairly straightforward "extract hashes and start cracking" problem. The hashes were salted SHA1 inside a Berkeley DB. You could certainly have played with getting db_dump to work, but it's just faster to use strings.

Crack Me If You Can 2013 - Challenge 9: Part 1

I again had some fun this year playing KoreLogic's Crack Me If You Can password cracking contest at DEFCON 21. This year they separated teams between "Pros" and "Street" to make things a little more fair for individual users vs large groups. If you have any interest in password cracking then you can still download all the past 4 years of data and crack away! Huge thanks to the KoreLogic guys for putting on an excellent contest!

New to the contest this year, password hash files were grouped into companies, with each company having its own password policy. The descriptions of the policies were given as hints within the Challenge files, which may have their own complex password requirements. It was truly inventive and really gave the contest a real-world feel.

Of course, my biggest problem is that by playing the game you don't really get to attend DEFCON, so I didn't spend a lot of time cracking. You can tell my submissions were pretty much few and far between when I was back in my hotel room:

Even so, I came in third place, mostly because I spent a little extra time on Challenge 9 because of the point value - 250,000 points!

As you can tell from the graph, the scores for three of us (brad, I Cant Believe Its Not Butter, and me) jumped near the final few hours of the contest because of Challenge 9. Here's how I did it...