Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 20 Aug 2010 18:43:31 +0400
From: Solar Designer <>
Subject: Re: Consonant Vowel Patterns

Brad, Minga, Hank -

On Fri, Aug 20, 2010 at 09:09:19AM -0400, Brad Tilley wrote:
> Thank you for the information Alexander. After testing a few mangling
> patterns rather than CV patterns, I believe mangling is more efficient.
> 16crack found roughly 1,000 more hashes using mangling patterns than it
> did when using CV patterns. Also, it did so in only 40 hours (rather
> than 48) with a modestly sized dictionary. I posted a link to those
> hashes for comparison.

You could also see how many more hashes would be cracked by both
approaches combined - either on two machines (which you can simulate by
running the attacks sequentially - in fact, you already did) or sharing
the same machine (e.g., run one attack for 24 hours, then the other for
another 24 hours).  Maybe that number would be higher than either of the
two individual numbers even on a shared machine.  This would show that
multiple approaches need to be used.  You can also add JtR's incremental
mode to the mix and see how many new guesses that would provide (those
not obtained with your approaches), and vice versa (how many new guesses
your "CV approach" provides that JtR's incremental mode does not).

> Why did no other team post their cracked hashes?

CrackHeads did, and you did.

I'm afraid I did not save our (john-users) final pre-contest-end
submission, and cron jobs kept running for a while after the contest end
time (a few more submissions were made as well).

Besides, some entries on our cracked passwords list were actually wrong
and some were "special" (please see the writeup I posted for more info).

I think it'd be best for KoreLogic to release such info on all teams -
on the cracked passwords the contest organizers actually accepted and
how the points were assigned.  Maybe two text files per team: one with
cracked non-admin passwords, the other with cracked admin passwords.
Then the score will be trivial to double-check.

> Was it against the rules?

No, I think it was fine to publish anything.


P.S. BTW, your statement (on your website) that "competing teams used
hundreds or thousands of cloud computing CPUs ..." is not entirely
correct.  From what we know, it was at most between 100 and 200 CPU
cores (not CPUs).  Definitely not "thousands".

Also, JFYI, it was possible to get to over 8500 hashes cracked in 9
hours on approx. 6 CPU cores on average (I did that using 4 to 8 CPU
cores during the contest, before first merge with the results of others
on the team).  This 8500 figure includes LM hash halves as individual
hashes, though.  Thus, the number of full cracked passwords in that set
could be about 7500.  (It can't be much lower than that because the
total number of LM hashes was only about 2500.)  I don't mean to
downplay your results; I just want to point out that it's not all about
CPU power.  It's more about using multiple approaches, some strategy,
and a lot of one's own time to direct the attacks.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.