Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 02 Aug 2010 13:16:29 -0400
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: contest results

Solar Designer wrote:

"I'd appreciate more info on what each team has been using/doing -
hardware (and cost incurred, if any), software (free or previously
acquired, I suppose?), password cracking techniques, team management
(e.g., what separate roles?), how many team members (and how many of
them actually "active"), external contributions accepted (e.g., if
another team shared their passwords) and how much help they were (e.g.,
90% overlap with what the team already had), also info on stuff used by
those external contributors if known.  I am willing to provide this info
on our team."

--------------------------------------------

Hey Solar and JTR-users,

I did a small write-up here about methods, resources, etc that I used
with 16Crack (software I wrote to crack hashes). I also posted the
passwords I cracked:

http://16systems.com/16crack/defcon.php

Although we got creamed in the contest, it was very fun! One thing that
concerns me is that the passwords seemed very contrived, not real-world
in my experience. For example, there were no number only passwords and I
routinely see 5% or so of those (dates, phone numbers, etc.) in the
real-world. Also, the rock-you-75 list, which is usually pretty good,
only got about 50 of the contrived passwords.

All in all though, it was very fun and I hope they do it again next
year. My interest in password cracking revolves around multi-threaded
processing and patterns, but I learned a lot from watching the results
of others in this contrived contest.

JTR did very well... congrats,

P.S.

Probably of no matter, but I noticed that some of the NTLM hashes were
duplicates. 16Crack uses a boost::unordered_set container to store
hashes and when it checks for a match, it uses the set.count() function
which returns the number found... here are a few examples:

Hash	Password	Count
283F32D2CABEDFC6AC35FD569D6723CF	"?'&H,"	2
A51515715E000D59B7E6C783688126A3	"?Z26#"	2
A5775658A65770B7C91AF8C427D63D34	"'Y5@<"	2

There were several dozen more of these.

Also, I found some dupes across files, ldap_sha and NTLM, for example.
So I wonder how those were differentiated, or not at all. None of this
probably matters, just things I experienced.

Brad

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.