hashcat Forum

Full Version: PHDays Hashrunner challenge 2015 - Writeup
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
As you may know, we won the contest.

Here is the writeup:

https://hashcat.net/events/hashrunner201...d_2015.pdf

Cheers!
dropdead
great write up!

question regarding scrypt. how did you guys get JTR to work since it is not natively supported?

also, did you guys happen to notice LM hash had a bunch of plains that appeared to look like encoded PHP? for example:

\U77F3\U67F1\U
\U6CE2\U6FE4\U
\U8B66\U5099\U
\U63D0\U723E\U
\U7600\U9752\U

or perhaps it was a dead end
thx, epixoip!
(05-21-2015, 03:40 AM)forumhero Wrote: [ -> ]LM hash had a bunch of plains that appeared to look like encoded PHP? for example:

\U77F3\U67F1\U

> Encoded PHP
kek
(05-21-2015, 06:05 AM)epixoip Wrote: [ -> ]JTR does have scrypt support...
https://github.com/magnumripper/JohnTheR...h?q=scrypt
I got the precompiled binaries from 1.8.0 jumbo1 (win64) and could not get it to work (can't load hashes). Do you have to change the hash format? What --format value do you use in the command line, scrypt?

Edit: I tried also the bleeding jumbo version 1.8.0.2 and had the same problem.
If you look at the plugin you will see the format it expects:

https://github.com/magnumripper/JohnTheR...t.c#L54-78

You can also look at prepare() in the same file as well.
(05-21-2015, 10:45 PM)epixoip Wrote: [ -> ]If you look at the plugin you will see the format it expects:

https://github.com/magnumripper/JohnTheR...t.c#L54-78

You can also look at prepare() in the same file as well.
Thanks for the help. I don't get it. I am in the bleeding jumbo version, I put one the hash that they provide in the link you gave me:
Code:
$ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0A=
I use the following command line:
Code:
john.exe --format=scrypt --wordlist=dic4.txt hash.txt
JTR does not load the hash.
I had a similar issue. If you downloaded the Window pre-compiled binary then you are unlikely to be using the latest bleeding jumbo. Try this command below and check the results:

Code:
john --list=format-tests --format=scrypt

If the result from the last line looks similar to the output below then it is not the latest bleeding jumbo.

Code:
scrypt  10    SCRYPT:16384:8:1:VHRuaXZOZ05INWJs:JjrOzA8pdPhLvLh8sY64fLLaAjFUwY
CXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==      password
Congrats Team Hashcat, you really showed us all how it's meant to be done.

Our team write-up is also up

We had lots of fun!

http://cynosureprime.blogspot.com/
Pages: 1 2