What's that? CrackMeIfYouCan on DEFCON is one of the most popular hash cracking contests in the wild. Best teams in the world compete on a 48h challenge to crack as many hashes as possible. The are 2 classes of competitiors -
Street. We played under
AlphaPwners team in
Street category, and finished on 5th place. Last year, we got the 4th position.
We were cracking the contest hashes using
hashcat and it's distributed brother -
hashtopolis. Few file-hashes were also cracked by
Our setup included:
2x RTX5000 @ Paperspace 1x RTX3090 2x K80 @ Azure 1x RTX3080 1x RTX3080Ti Mobile 1x RX5600 Mobile 1x RTX3050 Mobile 1x GTX960 1x GTX1660Ti 1x GTX1050Ti 1x GTX750Ti
All of the hash sets this year (except yescrypt) were cheap, fast, unsalted (or fixed-salt) hash types; the primary challenge wasn't cracking the password hashes, it was cracking the encrypted containers bundling them up in order to get to the hashes.
If you've ever been on a pentest and harvested dozens of PASSWORDS.XLS and AccountInfo.zip off of users desktops, you know the value of cracking a variety of encrypted artifacts in a hurry. Various encrypted container file types were used, each containing hashes using a different weak cipher, of plaintexts that used one or more unique combination of source material (wordlist) and mutation rule(s).
Each class of competitors got a different set of encrypted files. Cracking the password to the file revealed hundreds of hashes to crack for contest points. The encrypted files on
Street category were:
The table below showes the hashes type to crack
|Bundle||List||Hash Type||Points Each||Count||Total Points||Cracked|
The container files were cracked using
john. First, the container-hash to crack was extracted using proper
_2john tool such as
zip2john and then passed to
The hashes were cracked using standard dictionaries like
password.lst and/or using the filename as password hint.
Example: the filename
1991whattimeisit refered to a What Time Is It? song by Spin Doctors from 1991 and the file password (answer) was directly in the lyrics -
Four-thirty. Other passwords were connected to
Swordfish movies, books and internet articles. The hints were also useful to determine on which resource a hashlist inside was based on.
When you get over 40000 hashes to crack, you have to start somewhere. Our classic start while working on new hashlist is to use a few popular, mostly small dictionaries with popular ruleset + some simple bruteforces. This technique doesen't win the contest of course, but it helps you figure out what's going on.
The classic start dictionaries are:
rockyou.txt rockyou2021.7z weakpass_3 Top1pt6M and Top2Billion form Probable Wordlists facebook-firstnames.dic.gz facebook-lastnames.dic.gz final-en-wikipedia.dic.gz JOHN.dict.KeyboardCombinations.txt Crackstation dictionaries zxcvbn.txt hashesorg2019 passphrases.txt packetstorm.txt (combine)
And the rules are:
OneRuleToRuleTheAll T0XICv1 pantagrule.private.v5.popular pantagrule.private.v5.hybrid pantagrule.private.v5.one ProbWL-547-rule-probable-v2.rule dive.rule passphrase-rule1.rule passphrase-rule2.rule squid1m.rule
aaaaand one more thing. Get yourself an English dictionary. Even a simple dictionary + rules can work wonders. More cracking tips with this method are described at the end, as Tip #0.
After classic start it was already obvious, that the hashlist was based on
Wargames movie script. The title and file hint were also referring to this movie. Using Wargame movie script as ditctionary + some rules and tricks (more below) almost 2300 hashes were easily cracked. We did not further invesigate this hashlist, because of low value (only 1p per hash).
Case similar to
RAW-MD5, however only very late in the contest we realized that this could be based on some movie. Most of the cracks here were using
rockyou + Tip#1 (below).
We didn't realize that this hashlist was based on
Swordfish movie, despite the file hint and cracked passwords. Probably this was the mistake that pushed us to 5th position. Many hashes were cracked using classic start and appending number
22 at the end.
The Cuckoo's Eggbook
Case again similar to
RAW-MD5 - when classic start cracked a
NSAHoncho password, a quick google search revealed a book on google books - https://books.google.com/books?id=9B1RfCAar2cC . Then, the case was similar: download the book, make a dictionary, win. Next, please.
The Shockwave Riderbook
Almost the same thing as
MSSQL05 - however the password, that got us to google books was something related with the word
Freeman. Tip#2 was very useful here.
This was even easier - classic start revealed that these were some leaked password with
2022 added at the end. Quick rule, and 100% cracks were here under 15 minutes.
We don't know what happened here. We used classic start, some bruteforcing and an English dictionary. We don't know what was the base for this hashlist.
After the competition we got a hint that these hashlists were related to the article https://gizmodo.com/stop-the-steal-hacker-homecoming-queen-charged-as-ad-1846822348 (which btw, helped us with the container file password - oh, the irony) and https://github.com/jbarke/textfiles.com/blob/master/textfiles.com/groups/CDC/cdcindex.txt We didn't realize it back then, but we cracked many hashes anyway.
SHA-384 had only a few password-formats. Knowing the base-word, hundeds of hashes were easily cracked using a mask of
?1 was a digit, and
@ sign. Most of the times it was a word plus one, two or zero
@ signs plus a few numbers at the end. Tip #0 helped us a lot here.
SHA-512 was cracked mostly with using the Tip #0 with English words + rockyou and using some
Tip #0 - The best password-cracking dictionary for this year contest? The English dictionary. Download English ditionaries from the web, combine them, remove duplicates. Make copies, where all words are uppercase, and capital case. Combine into one dictionary. Then, you can use it with rules, and in
1hashcat combinator mode, combining many words with each other. You can make advanced versions, where each word is prepended with a number or make a dictionary which consists of 2 English words combined - with different casing and special chars appended/prepended/between. Works like a charm. Want more? Look here: https://github.com/travco/rephraser
Tip #1 - Leave your weakest machine running in an infinite already cracked-cracking loop. You can complete this task in many ways.
You can manually write a bash script, that will dump already cracked passwords and pass them as a wordlist input in hashcat. Then, add some popular rules (probably
pantagone), some auto-generated ones with
-g 1000000and try to append and prepend the
-i ?a?a?amask before and after the cracked hash.
Or you can use
--loopbackoption in hashcat.
--loopback: re-use the plains/passwords that did crack a hash, e.g. apply some rules - after the first run - to the modified and matching plains. This kind of looping will only stop if no more plains match. https://hashcat.net/wiki/doku.php?id=frequently_asked_questions
If there are some similar passwords to these, that you have already cracked - you got this.
Tip #2 - Look at passphrase cracking techniques here - https://github.com/initstring/passphrase-wordlist
Here are some screens from our hashtopolis server: