Positive Hack Days - Hash Runner (writeup)
Team “teardrop” aka Team Hashcat Phdays website

Members and Hardware (in no particular order)

Member Hardware
atom 1x hd6990
superjames 1 x i7 860 CPU
T0XlC 1 x Xeon E5504 + 1 x 5870
blaz commodore 64
K9 1x i5 2500K 1x hd6970
legion 1 x q6600 CPU

First of all we would like to congratulate Phd for another great competition and the opportunity to compete against the best password cracking teams worldwide.

How we organised

We were actually not organised. We found out about this challenge approximately 5 hours after it had begun.

At first, only 3-4 members of team Hashcat were able to participate because most of us were at work. Since the few of us who entered the competition could not be considered as the whole “hashcat” team, we registered as team “teardrop”. Later that day more members of team hashcat came to help and so we “became” team Hashcat.

When the rest of the team members joined us, we got a system set up pretty fast and started to work our way through the list at a steady pace. We managed to reach 13k points when team InsidePro was already at around 20k points. So we started to wonder what the problem was. Atom joined later that night and found out that the PHPass and DCC2 hashes required a special parser. He had to rewrite oclHashcat-plus to make it load the PHPass hashes which would give us 350 points each. At that point in time we started cracking hashes which were worth more points using GPU.

Some clarifications: Xanadrel has been a member of team Hashcat for a long time but he wanted to see how far he could get by playing solo first (quite far apparently!). He rejoined the team towards the end of the competition.

We also congratulate the InsidePro team for once again giving us a good run for our money!

Tools we used:

oclHashcat-plus custom build to crack saltless PHPass and DCC2
Hashcat-utils and Maskprocessor
John the Ripper
rcracki_mt for LM
PasswordsPro for GOST

Special notes about PHPass and DCC2

The PHPass hashes were not generated with the reference implementation in mind. It says that the salt-length has to be exact of length 8. The DCC2 salt was of length 0. This is also invalid since there can not a be a username of length 0.

For both cases that means oclHashcat-plus was not able to load it and required some rewrite. On the other hand this gave us the opportunity to do multi-hash cracking, since the salt was always the same. oclHashcat-plus supports this feature also for slow hashes like PHPass and DCC2.

Special notes about BFcrypt and DEScrypt

It looks like both these hashes required some rewrite too. Atom rewrote some John the Ripper code to make it load BFcrypt but still it was not able to crack them. It was the same story for the DEScrypt hashes. Maybe they were just very hard to crack.

Some of the rules we used with *Hashcat
• l$1$9$0$0 - lower, append dates(1990-2020), used in conjunction with the names.txt wordlist
• d - double words (ex. AsuraAsura)
• $! - append one special character to names (ex. nichelle?)
• ^! - prepend one special character to names (ex. ?nichelle)
• $!^! - append and prepend a special character
• sa@sc<se3si1so0ss$ - ‘leet’ify

Everyone has their own personal compilation. Some generic ones would be;


Teardrop (Team Hashcat)
Hey guys! Grats on winning. Can you provide a full list of hashes that you were challenged to crack, along with the passwords that you managed to retrieve?
In theory yes. I am wondering why the PHDays organisators did not release them. Maybe there are some restrictions to be checked?
they said they will release them after teh writeups. i guess we will have to wait.

By the way, what is the commodore 64 doing there? Big Grin
It makes you ask what it's doing there.
Playing chiptunes!
Finally, all the writeups, rules, stats and plaintexts were released: