05-28-2013, 08:34 PM
I'm going to quote some of the comments
@thorsheim
Yes, there are hins in real-life. Like company name, account owners fullname, department etc. But this would be data that is written on paper and can be accessed from a program. Think of it like a list of attributes you can bind to a hash. That would be ok since you can feed the cracker with this data. But the hints we'd in the contest was a picture, that's nothing I can feed a cracker with.
@plan2000
I really had a hard time understanding what you mean. It's because it does not match a password cracking contest. Such a thing is more suited to an AI contest, no?
@epixoip
Actually, I didn't see it (but other team member did) and I admit this is nice since it's what we see in real-life. We know passwords are shared across multiple systems. No complains here.
@K9
Yes, me too. What I forgot to say about it in my first post that I also didn't like it because it's boring to do the same pattern search algorithm (see epix's post) again and again.
@halfie
Due to the nature of the contest it is not hard to believe.
@hashrunner
That's the part I cared most less about
See my reply to @thorsheim I think my description wasn't clear enough.
See my reply to @mastercracker he actually made a good suggestion.
Don't dothat. It's not a CTF. I agree with you, do not shift the focus from hash cracking
Well. Why not have a contest with a hashlist of lets say 100 admin hashes only? That would be cool, too.
The more I think about it I think it would rock! There is no need to have 100000 hashes in every contest.
@mastercracker
We made the same experience in team hashcat. Even with hardware stacked, it doesn't matter much. I fully agree, there is no need to have any limitation in a password cracking contest. Once your team has 10 members there is no much of a difference to a team with twice the number of members.
What about a league system? That way single-persons or unexperienced once do not need to fear to play against the major teams. Maybe that would motivate more people to participate. It would also remove the need for a pattern focused contest since the major league will only be between the big teams. Just an Idea, not fully evolved.
Agree!
Agree!
Finally I want to add the following:
The most important section in my critic was "Organizers failed to rewrite the rules 1". I'm a bit disappointed that no one commented it. It's what brake the contest, even if we're looking at it as a pattern-matching contest. There was no big difference in the complexity of the pattern (even not sha256). Thus there's no reason to have a specific pattern given more points than the others. In case you'd continue to use pattern based contest you should at least equal the points, since weighting does not apply here.
--
atom
@thorsheim
Quote:"Since there are no such hints in the reality."
I agree with what you wrote, except that part Atom. In real life there is a *ton* of hints, very many of which has never been part of any password cracking contest.
Yes, there are hins in real-life. Like company name, account owners fullname, department etc. But this would be data that is written on paper and can be accessed from a program. Think of it like a list of attributes you can bind to a hash. That would be ok since you can feed the cracker with this data. But the hints we'd in the contest was a picture, that's nothing I can feed a cracker with.
@plan2000
Quote:Why not think about it like organisers in search of people being to reverse unknown logic (with limited hints) without the dependency on the tools to do the checking.
I really had a hard time understanding what you mean. It's because it does not match a password cracking contest. Such a thing is more suited to an AI contest, no?
@epixoip
Quote:My apologies if you noticed this, but it was actually much simpler than this. You know how the MD4 and bcrypt hashes were in the same file, and shared the same hint? Yeah, they shared the same passwords as well. So all you had to do after cracking all of the MD4 hashes was run your MD4 plains through the bcrypt hashes :/
Actually, I didn't see it (but other team member did) and I admit this is nice since it's what we see in real-life. We know passwords are shared across multiple systems. No complains here.
@K9
Quote:I don't like to search for pattern. This passwords are not realistic. I prefer more realistic passwords instead of the pattern search & brute game.
Yes, me too. What I forgot to say about it in my first post that I also didn't like it because it's boring to do the same pattern search algorithm (see epix's post) again and again.
@halfie
Quote:Hard to believe but at least 3 out of 10-12 guys were using laptops.
Due to the nature of the contest it is not hard to believe.
@hashrunner
Quote:For sure, we f***ed up the organizational part.
That's the part I cared most less about
Quote:The hints
See my reply to @thorsheim I think my description wasn't clear enough.
Quote:About teams
See my reply to @mastercracker he actually made a good suggestion.
Quote:We discussed adding non-obvious (khm, real life) ways of acquiring hashes, like sql injection...
Don't dothat. It's not a CTF. I agree with you, do not shift the focus from hash cracking
Quote:More, during pentest you don’t need to crack all the hashes you acquired.
Well. Why not have a contest with a hashlist of lets say 100 admin hashes only? That would be cool, too.
The more I think about it I think it would rock! There is no need to have 100000 hashes in every contest.
@mastercracker
Quote:Judging by the experience of the previous CMIYC contests, one of the thing that you realize is that even if you have lots of people and/or GPUs in your team, they have to be managed properly or you don't get any advantage from it.
We made the same experience in team hashcat. Even with hardware stacked, it doesn't matter much. I fully agree, there is no need to have any limitation in a password cracking contest. Once your team has 10 members there is no much of a difference to a team with twice the number of members.
What about a league system? That way single-persons or unexperienced once do not need to fear to play against the major teams. Maybe that would motivate more people to participate. It would also remove the need for a pattern focused contest since the major league will only be between the big teams. Just an Idea, not fully evolved.
Quote:One thing that I think was better than CMIYC is that you submit password with their respective hashes.
Agree!
Quote:As a suggestion for next year, adding bonuses point for the team that cracked the most hashes in each hash type
Agree!
Finally I want to add the following:
The most important section in my critic was "Organizers failed to rewrite the rules 1". I'm a bit disappointed that no one commented it. It's what brake the contest, even if we're looking at it as a pattern-matching contest. There was no big difference in the complexity of the pattern (even not sha256). Thus there's no reason to have a specific pattern given more points than the others. In case you'd continue to use pattern based contest you should at least equal the points, since weighting does not apply here.
--
atom