PHD hashrunner 2013
#1
Hey Guys!

In the last few days I was asked a couple of times what my opinion on the PHD contest was. It's my personal opinion and may not show the opinion of all team hashcat members.

In my opinion the contest wasn't a real password cracking contest and I'm not saying this because we did not win.

One has to know that there is one major problem in password cracking contests:

Password cracking depends on hardware, like it or not.

To deal with this problem the organizers decided to allow unlimited team sizes.

That was a clever move of the organizers. Each team now had a good chance to collect the required hardware power by adding members.

But this time the organizers tried to solve the problem with a different approach: by not using real-life passwords; instead they created password "patterns". Such patterns have been seen in the past as well, but this contest was all about them.

Let me try to explain:

Once a single password is cracked because it hits a word from your dictionary, one can try to figure out the pattern that was used to generate it.

If it's the correct pattern, one can generate the missing candidates and will crack all the hashes based on that pattern.

Take the bcrypts for example. Once we found out that the patterns were like:
  • Indigo -> 1nd1g0?d?d
  • Orange -> 0r@ng3?d?d
  • Blue -> Blu3?d?d

It's easy to crack all the hashes. That's the reason why the teams were able to crack 100% of the hashes.

So here's my criticism of that:

Organizers lost the focus on the reason why password cracking contests have been made initially

The organizers, usually IT-security companies, wanted to improve the cracking techniques they use in a pentest. They had to find a way to deal with the problem that "breaking" hashes is theoretically not solvable except by using brute-force techniques (which take too long).

The only reason why we're able to crack passwords at such high rates is that most of them are of very simple or medium entropy. Humans do make bad passwords and hashcat is designed to exploit this very efficiently.

When the organizers chose not to use real-life passwords, they took away one of hashcat's key strengths.

Password patterns do not mirror a real-life situation in a pentest

In a real-life situation you do not crack 100% of an unknown list. Especially not if it is salted, highly iterated, or uses bcrypt or sha512crypt.

A password cracking contest can therefore not be based on pattern-finding. Make it a pattern-finding contest then.

Organizers failed to rewrite the rules 1

The idea of giving different amounts of points for different algorithms goes back to CMIYC, where the organizers realized that it takes more time to crack bcrypt than to crack MD5. In that case it's correct. The factor is time.

However, it doesn't matter if the pattern you figured out is hashed with bcrypt or MD5, since the time it takes to verify does not differ a lot. Therefore there is no sense in giving different points to different algorithms.

Organizers failed to rewrite the rules 2

The unlimited number of team members is based on the approach to solving the hardware problem. Since this contest was designed so that there is no hardware problem, there is no sense in having an unlimited team size, but they still allowed it.

Organizers failed to solve the problem they wanted to solve with their system

So they tried to work around the team size and hardware resource problem by using patterns.

But take a look at the result. There are the 3 teams that are always in the top 3. Nothing changed!

Organizers failed to organize

The contest started officially at 09:00 pm. But guess what, there was no hashlist.

An hour later I was wondering what was going on. So I searched for #hashrunner on twitter and then found a tweet from a guy who was giving an IP address where the hashlists were.

The crazy thing was they actually were there, while on the main contest page there was no info about it (and there still isn't).

The upload system had to be fixed; the upload server was often down. That just shows that it hadn't been tested well before going into the contest.

I had the feeling it was rewritten a couple of times during the contest, as this one shows: http://twitter.com/repdet/status/337821155689893888

When the contest ended, there was no final message from the organizers. They just let all the teams sit in the dark.

There have been "normal" passwords in the contest as well

It wasn't just generated passwords. But cracking the real passwords had no effect on the point rating. The algorithms that give the points required to win the contest were all based on patterns.

There should be no hints

Since there are no such hints in the reality.

My conclusion is the following

I do not like the fact that password cracking contests depend on hardware. But there is no sense in avoiding this.

Find a better way to deal with it but do not lose the focus why we're doing this.

--
atom
#2
"Since there are no such hints in the reality."

I agree with what you wrote, except that part, Atom. In real life there are a *ton* of hints, very many of which have never been part of any password cracking contest.

Personally I would *love* to see a password cracking contest where one or more targets was assumed secret/classified information, where we start out with a "stolen" disk image, perhaps protected by FDE. To make things simpler, there wouldn't be much inside; a Windows 7 installation, but we would have to retrieve OS hashes and crack them. Now our "target user" has password-protected 7zip, pdf, word, excel & powerpoint files in various versions stored in there, as well as user/pass for a webmail service, perhaps some wlans etc.

Cracking those will take us further on to a protected wlan, maybe a vpn service, and the ultimate goal: "secret documents" about the Swedish government putting too much salt into their export meatballs.

The entire path will be filled with hints; a fake identity, maybe many, could be created, where pictures, names, school, education, sex, work position etc would all be hints about the passwords.

Perhaps not exactly a password cracking contest as we know them, but still.... imho very interesting thing to try out.

Hm... maybe I should create one such myself. :-)
#3
(05-27-2013, 12:34 PM)atom Wrote: Password pattern do not mirror a real-life situation in a pentest

In real-life situation you do not crack 100% of an unknown list. Especially not if it is salted, highly-iterated or use bcrypt or sha512crypt.


True, but as someone on the receiving end of security advice from pentesters and security consultants, I often hear that users will choose passwords that follow common patterns.
So even if you won't crack everything with a single pattern, you should be able to cover a lot by finding a few patterns.
Specifically, I'm thinking of the claims that users will form their passwords according to whatever policy is enforced on them (ie. the classic example Password01, with capital first, and digits at the end.).
#4
I think I saw this somewhere, but I love the idea. Everyone submits a password list/generation info for 1M, 1G, 1T, 1P, or whatever. Then when a major password breach happens you test those passwords against the released hashes. Whoever cracks the most wins. My take on this is everyone submits hashes (MD5, SHA1, and SHA256) of their password lists. The submitters check their password list against the hashes and they submit how many hashes they cracked. The "winner" needs to submit their password list or a way to easily generate those passwords and an explanation. If they can't/won't, the next highest cracker needs to, and so on.

The problems:
  • Someone could hack into a large website and crack a lot of hashes. Then submit their list (or hashes of their list). Wait a little and release the hacked website's hashes or favorable subset. Then obviously win.
  • Multiple large sites get hacked but the contest runners consult with a team to determine which one is the most favorable to them.
  • No large website gets hacked or hashes are not released.

Disclaimer: This helps me a lot because I want to come up with a list of passwords around a couple trillion. So that I can make a lossy hash table with them.
#5
Did the JTR team post anywhere the specs of the hardware they used in this contest? Also it seems some next step should be an oclhashcat-* distribution system or something, and you will not need many members but will have some bigger resources from people who could 'donate' hw time to their favorite team.
#6
(05-27-2013, 12:34 PM)atom Wrote: Organizers lost the focus on the reason why password cracking contests have been made initially

The organizers, usually IT-security companies, wanted to improve their cracking techniques they use in a pentest. They have to find a way to deal with a problem that "breaking" hashes is theoretically not solveable except using brute-force techniques (which takes to long).

The only reason why we're able to crack passwords at such high rates is that most of them are of very simple or medium entropy. Humans do make bad passwords and hashcat is designed to exploit this very efficiently.

When the organizers choose to not use Real-Life passwords they took away one of hashcats key strengths.

Why not think about it like organisers in search of people being able to reverse unknown logic (with limited hints) without the dependency on the tools to do the checking. I guess not like some headhunting action, but just to bring something new into the battle of those mentioned 3 teams and make it less hardware dependent, but who knows, maybe there'll be news about a new department in Positive in some time
#7
Like atom and I discussed on IRC: you know a contest is ill-designed when a solo participant who does not even have the time to devote to doing the contest can come in fourth place using a single system, working on one algorithm at a time, doing most of the attacks on CPU.

(05-27-2013, 02:00 PM)Itinsecurity Wrote:
(05-27-2013, 12:34 PM)atom Wrote: Password pattern do not mirror a real-life situation in a pentest
In real-life situation you do not crack 100% of an unknown list. Especially not if it is salted, highly-iterated or use bcrypt or sha512crypt.

True, but as someone on the receiving end of security advice from pentesters and security consultants, I often hear that users will choose passwords that follow common patterns.
So even if you won't crack everything with a single pattern, you should be able to cover a lot by finding a few patterns.
Specifically, I'm thinking of the claims that users will form their passwords according to whatever policy is enforced on them (ie. the classic example Password01, with capital first, and digits at the end.).

Yes, but it was not like this though. It was very obvious that the passwords were generated explicitly for the contest, and had very little reflection on real life. The contest became about who could reverse engineer the exact list & rules they used to generate the passwords, and very little to do with password cracking. As an example, here's the formula I used:

1. Select an algorithm
2. Kick off some generic attacks
3. Come back 2-3 hours later and analyze cracked passwords for patterns
4. Google to find the exact list that they used to generate the passwords
5. Write rules / run hybrid attacks against the Googled wordlist, crack 95-100% of the list
6. Go back to step 1

So you can see how there was very little reflection on reality.

(05-27-2013, 12:34 PM)atom Wrote: Take the bcrypt's for example. Once we found out that the pattern were like:
  • Indigo -> 1nd1g0?d?d
  • Orange -> 0r@ng3?d?d
  • Blue -> Blu3?d?d
It's easy to crack all the hashes. That's the reason why the teams were able 100% of all the hashes.

My apologies if you noticed this, but it was actually much simpler than this. You know how the MD4 and bcrypt hashes were in the same file, and shared the same hint? Yeah, they shared the same passwords as well. So all you had to do after cracking all of the MD4 hashes was run your MD4 plains through the bcrypt hashes :/
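As an added example (not code from the thread, from hashcat or from any contest team), this Python sketch shows the two shortcuts the thread describes: inferring a leet-plus-?d?d pattern from a few cracked plains and running it as a hybrid attack, then testing the recovered plaintexts directly against the slow salted list instead of the whole candidate space. SHA-256 stands in for MD4, PBKDF2 stands in for bcrypt, and the hashes, salts and colour wordlist are all constructed here.

```python
import hashlib
import itertools
# Leet map inferred from the cracked plains quoted above (Indigo -> 1nd1g0,
# Orange -> 0r@ng3, Blue -> Blu3); constructed, not the contest's generator.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}

def leet(word):
    """Substitute letters case-insensitively; other letters keep their case."""
    return "".join(LEET.get(c.lower(), c) for c in word)

def candidates(words, digits=2):
    """Hybrid attack: each word, plain and leeted, followed by ?d * digits."""
    for w in words:
        for base in (w, leet(w)):
            for tail in itertools.product("0123456789", repeat=digits):
                yield base + "".join(tail)

def crack_fast(hashes, words):
    """All candidates vs. an unsalted fast hash (SHA-256 stands in for MD4)."""
    digests = {hashlib.sha256(c.encode()).hexdigest(): c for c in candidates(words)}
    return {h: p for h, p in digests.items() if h in hashes}  # {digest: plain}

def slow_hash(plain, salt):
    """Salted, iterated hash; PBKDF2 stands in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, 20_000)

def crack_slow_reusing(entries, plains):
    """Try only already-cracked plains per (salt, digest); returns (found, calls)."""
    found, calls = {}, 0
    for salt, digest in entries:
        for p in plains:
            calls += 1
            if slow_hash(p, salt) == digest:
                found[salt] = p
                break
    return found, calls

# Constructed sample data: the same three passwords hashed both ways, as the
# contest's MD4 and bcrypt lists shared their plaintexts.
PLAINS = ["1nd1g042", "0r@ng307", "Blu399"]
FAST_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in PLAINS}
SLOW_ENTRIES = [(f"salt{i}".encode(), slow_hash(p, f"salt{i}".encode()))
                for i, p in enumerate(PLAINS)]
COLOURS = ["Indigo", "Orange", "Blue", "Violet", "Yellow"]

def run():
    """Hybrid attack on the fast list, then reuse its plains on the slow one."""
    fast = crack_fast(FAST_HASHES, COLOURS)
    slow, calls = crack_slow_reusing(SLOW_ENTRIES, list(fast.values()))
    return len(fast), len(slow), calls  # -> (3, 3, 6)
```

The slow list falls with six PBKDF2 verifications instead of the thousand candidates the hybrid attack had to run against the fast list, which is exactly why shared plaintexts made the bcrypt points meaningless.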
#8
Guys, could I download the hashlist somewhere ? Just for fun.
#9
(05-27-2013, 12:34 PM)atom Wrote: But this time the organizers tried to solve the problem with a different approach: It was by not using real-life passwords but instead they created password "pattern". Such patterns have been seen in the past as well but this contest was all about it.
I don't like to search for patterns. These passwords are not realistic. I prefer more realistic passwords instead of the pattern search & brute game.

(05-27-2013, 12:34 PM)atom Wrote: Organizers failed to organize
This is true. It took them so long to announce times/dates. The site looks like a 5 min project. It looks like they didn't really care about the hashrunner contest. If you compare it to others (for example cmiyc) you will see they put much more time into the contest than phd/hashrunner does. The site is up months before the contest starts and it looks like they put more time and effort into the password creation. I hope they will hold the contest again next year and put more time into it.
#10
(05-27-2013, 03:07 PM)KT819GM Wrote: Did JTR team posted anywhere spec's of hardware they used in this contest? Also seems some next steps should be oclhashcat-* distribution system or something and you will not need many members but will have some bigger resources from people who could 'donate' hw time for favorite team.

Hard to believe, but at least 3 out of 10-12 guys were using laptops. One of them had a "crap" 1.40GHz dual-core laptop booted from a slow USB stick. Still he was able to find tons of patterns and crack the toughest hashes.

john-users team will post more details in a short while.