|
Message-ID: <20110818131035.GA1182@openwall.com> Date: Thu, 18 Aug 2011 17:10:35 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: team john-users writeup for DEFCON 2011 "Crack Me If You Can" contest Hi, As many of you are aware, we participated in KoreLogic's "Crack Me If You Can" password cracking contest at DEFCON earlier this month, as team john-users. We ended up taking 3rd place overall (out of 22), and we're first for 5 out of 20 hash types. Additionally, we temporarily held 1st place during the contest at two times - at approx. 5 hours and 21-23 hours into the contest. Here are the statistics for all teams: http://contest.korelogic.com/stats.html including pretty graphs of teams' progress over time, and here are the per-hash crack numbers for our team in particular: http://contest.korelogic.com/stats_7D47E99A316E29D7.html Now to the writeup, to be re-published on the contest website: Preface. The contest was fun and challenging, it helped us test some experimental John the Ripper code and identify areas for further improvement. As of this writing (August 18, 2011), we already have experimental patches implementing MSCash2 in CUDA (thanks, ukasz) and implementing pkzip encryption cracking (thanks, JimF). We didn't have those prior to and during the contest... We'd like to thank KoreLogic for organizing the event. We would also like to thank all other teams who participated and made it tough for us to compete. ;-) Resources. Active members: 16 Names / nicks: Aleksey Cherepanov, bartavelle, Brad Tilley (team 16Crack), elijah, Frank Dittrich, groszek, guth, Isif, JimF, Matt Weir, RichRumble, samu, Sergey, smooge, Solar Designer, ukasz Additionally, Brandon Enright contributed four 8-core Amazon EC2 instances (32 cores total) and Michael Boman provided remote access to a quad-core machine. Software: John the Ripper (with various patches), custom scripts, 16Crack (used by Brad only), pdfcrack (no luck), fcrackzip (no extra cracks compared to trivial shell scripts around unzip), rarcrack and crark (no luck, but JtR cracked the password instead), ElcomSoft's password recovery tools (no additional cracks) Hardware: mostly 8-core servers (some of them also doing something else at the same time), but also all other kinds of machines (desktops, laptops, servers) ranging from dual-core to 12-core, Amazon EC2 instances mentioned above. 3 low-end to mid-range NVidia GPUs (used only on phpass hashes using john-1.7.8-allcuda-0.2 by ukasz), one ATI Radeon HD 5770 (used for real-world'ish testing of john-1.7.8-jumbo-5-opencl-1 rather than to make much progress in the contest). The number of CPU cores in use was growing slowly from 0 to approx. 300 by the end of contest (we did not prepare well, so some machines were put to use as late as 3 hours before contest end, and additionally some of the servers were inappropriate to use without someone watching after them), with the average estimated at around 150. Preparations. Two days before contest start, we restored our file exchange server (actually an OpenVZ container) from a backup dump from last year, and started creating accounts for some new team members. (The scripts used to process and submit cracked passwords had to be revised slightly for the new contest, but this was not known in detail before contest start, so this step was taken during the first hours of the contest.) With John the Ripper being our primary tool (almost the only password cracking tool we used, in fact), and with us having access to many more CPUs than GPUs, we needed a way to manage the many CPU cores efficiently. Thus, a customized contest-only edition of John the Ripper was made and some scripts were written (but only made usable for the 2nd day of the contest, unfortunately), which made it slightly easier for us to manage multiple multi-core machines. Other changes in the contest edition of John the Ripper included revised incremental mode and sse-intrinsics.S pre-compiled from .c using Intel's compiler (for optimal performance at MD5-based hashes). We also generated new .chr files from RockYou passwords, and uploaded some wordlists and some rulesets to our file server, including KoreLogic's ruleset from the 2010 contest revised to make more extensive use of the rule preprocessor in JtR and re-ordered for decreasing rule efficiency. We definitely could have prepared a lot better. Approach, observations, mistakes. Based on last year's experience and on password cracking experience in general, we expected to derive all sorts of patterns from cracked passwords and apply those to crack even more passwords. This is also what other well-performing teams did in these two contests. The password-protected .zip's were cracked with shell one-liners running "unzip -P" and reading passwords from a wordlist. Luckily, this worked. (The .zip support implemented in JtR -jumbo was limited to WinZip/AES, not supporting the older pkzip encryption.) Brad Tilley (team 16Crack) was the first to crack the "defcon" password for our team. The .rar was cracked with JtR, running password.lst with --rules for several hours on an 8-core machine. RichRumble did this. To derive patterns, "fast" hashes were attacked first - NT and raw MD5. In fact, due to us having more machines than people, two 8-core machines were running JtR in incremental mode (for lengths up to 11) against these hashes almost until the end of contest, even though this was not the best use of resources (by far), as far as points are concerned. The --external=DateTime mode was used on all saltless hashes when this pattern was noticed. Then more focused attacks were run with custom scripts against salted hashes (on just the date formats actually seen). Similarly, the "Mississippi" and "obsessiveness" patterns were noticed and tested against various hash types (wasting time when tested against the slowest hashes, as it turned out). Not all of our machines were fully online, and not all people were available at all times. This resulted in us having to give out large yet non-critical jobs to team members who expected to be offline for a while. For example, this might be why we performed so well at DES (even though we did not crack the DES hashes found in coredumps being unsure what they were), which was otherwise not an optimal use of resources considering the low points earned per DES-based crypt hash (although the 100k bonus compensated that somewhat). The mscash2 and bf hashes were successfully attacked almost exclusively with incremental mode. Late in the contest (too late), we also started locking it to specific letter-digit patterns that we saw in passwords cracked by that point. Unfortunately, we wasted lots of resources testing other patterns against these hashes - patterns seen in passwords for other hash types, but somehow not for these. It was weird (unrealistic) to find plenty of short passwords (4 to 6 characters long), yet not find any from RockYou's top 1000, nor username-derived. So we kept probing for other patterns, wordlist entries, etc. but found none, besides the trivial ones: $ fgrep '$DCC2$' john.pot | cut -f2- -d: | sed 's/[a-z]/l/g; s/[0-9]/d/g' | sort | uniq -c | sort -rn 148 llllll 64 lllllll 61 dd-dd-dd 55 dddddd 20 llllld 12 lllll 12 lllldd 4 llllldd 4 llll 3 lllllld 2 lllddd $ fgrep '$2a$' john.pot | cut -f2- -d: | sed 's/[a-z]/l/g; s/[0-9]/d/g' | sort | uniq -c | sort -rn 158 llllll 54 dddddd 51 lllllll 44 dd-dd-dd 17 lllldd 14 llllld 14 lllll 3 llll 2 lllddd As seen on phpass and bsdi hashes that we cracked, we presumably could also find passwords built upon "pennteller" and "hate", but perhaps not much else. (KoreLogic has not yet released the plaintexts as of this writing, and we did not spend further resources cracking the hashes after contest end, hence the uncertainty.) Although we did notice cracked passwords for these hashes starting with one of just a handful of letters (except for those starting with a digit, indeed), we did not use this knowledge in any way, thinking that it was an artifact of our use of incremental mode (which tries more likely characters before less likely ones). Thus, we did not manually restrict the search to just these starting letters, which was probably a mistake. We did generate new .chr files based on already cracked passwords, which would have achieved a similar effect, especially with our revised incremental mode, but we did so based on all cracked passwords (excluding only those that came from challenges), for all hash types, naively expecting patterns from other hash types to show up on the extra-slow hashes as well. And, of course, cracked passwords for all hash types combined started with all other letters as well. At the same time, we cracked many far more complicated passwords for other hash types, and even phrases of up to six words (mostly idioms found in wordlists as-is, though). Some very short passphrases were even found with the revised incremental mode (up to 3 words, length 11). We also used trivial Perl scripts to combine words from tiny wordlists into 2-, 3-, and 4-word "phrases". Note: this does not mean that passphrases are weak or a bad idea in general; it merely means that some of them contain well-known or predictable combinations of words, or too few too common words. It also means that some hash types should not be used for password hashing. With the resources we had, in the 48 hours of contest we would not be able to crack 3-word combinations generated by pwqgen with default settings and hashed with bcrypt (known as bf in this contest): http://www.openwall.com/passwdqc/ What we liked and didn't like. Overall, the contest was great, thanks to KoreLogic and all teams. We liked: - The scoring system. While last year's contest demonstrated that with equal value of each cracked password, slow and salted hashes are not worth attacking very hard, if at all, this year's has demonstrated that they can nevertheless be attacked if the passwords are sufficiently valuable. (However, contrary to what outside observers might think, it has not demonstrated that those stronger hashes are almost as vulnerable as the weaker ones, despite of the numbers of passwords cracked being comparable. This is the case only due to extremely weak passwords that a properly configured system should not allow to be set, or at least should warn the user about.) - The presence of passphrases. We missed those last year. - Additional challenges in the contest, yet not terribly important to the teams' overall scoring (otherwise this would not be a password hash cracking contest anymore). A concern, though, was that some of the challenges could require use of non-free and closed-source tools. Some things we found slightly disappointing were: - Weird weights for some of the hashes: no distinction between saltless and salted (semi-)fast hashes, mscash2 being valued too high (whereas it is actually a lot easier to attack than bf, considering its GPU-friendliness, albeit not by our CPU-focused team). For example, the weights could be: bf - 100000 mscash2 - 50000 phpass-md5 - 12000 md5-crypt - 10000 md5_gen(28) - 10000 bsdi - 5000 des - 700 md5_gen(12) - 700 md5_gen(16) - 700 mssql - 700 oracle11 - 700 phps - 700 ssha - 700 md5_gen(22) - 12 md5_gen(23) - 12 mysql-sha1 - 12 raw-sha512 - 12 raw-sha1 - 11 md5_gen(0) - 10 nt - 10 considering the speed of hash computation, number of different salts in contest hashes (for each hash type), and some special properties of these hashes (such as the length limit with des). The 60x to 70x gap between saltless and salted hashes proposed here is roughly sqrt(number of salts), which is consistent with the use of logarithmic scale by hash computation speed. - Passwords still not being very realistic (even though KoreLogic might not agree). Username-based passwords not seen on slow hashes. - No non-ASCII passwords, or maybe we failed to find them (despite of having wasted a little bit of time on trying to do so). OK, at least this is almost realistic - those passwords are in fact very rare. So we can't really expect to have both a non-negligible number of non-ASCII passwords, but realistic passwords overall. A neutral comment: - The bf and bsdi hashes could actually be even slower, to match real-world systems where these hashes are used. For example, bf is nowadays often used at $2a$08, not $2a$05, which it was in the contest (and which JtR uses for benchmarking for historical reasons). This would be 8 times slower. The default of 725 iterations for bsdi is in fact seen on some real-world systems, although reasonable settings are much higher. When phpass falls back to CRYPT_EXT_DES (the PHP name for this hash type), it uses these hashes at 65535 iterations (90 times slower than in the contest) when called with 8 for the $iteration_count_log2 parameter to the PasswordHash constructor, like its test program does and like some web apps that have integrated phpass do. Such changes could make the contest more realistic and would not make these hashes appear weaker than they actually are (in real-world uses). However, they could make it too hard to attack the hashes reasonably in just 48 hours, so this is not obviously a good change to make in the contest. If the change is made, then of course the weights would need to be adjusted accordingly (using a logarithmic scale). An alternative is to document the "cost" settings of variable-cost hashes used in the contest in some prominent place such that people do not draw erroneous conclusions about the hashes from the contest results. Thanks for reading this far (or did you just scroll down?) Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.