Message-ID: <BLU0-SMTP657737892343937F76B397FD930@phx.gbl>
Date: Sat, 1 Jun 2013 15:12:55 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Frank's write-up for hashrunner 2013

I've been very busy lately, so that I was afraid I wouldn't be able to participate at all. At least I didn't have time for preparation. It was more than 24 hours into the contest until I found some time to participate, and even then I couldn't participate full-time.

Hardware used: A single laptop with an Intel i3-2367M CPU @ 1.40GHz (dual core with hyperthreading), booted from a very slow USB-2 stick with a LUKS encrypted file system on it.

I started reading the john-contest mails, and saw the discussion about Lukas finding the 12345678[1-9][0-9] bcrypt passwords. I found that the same passwords occurred among the raw-md4 cracks, and that there were other "base words" (leetified names of colors and other words) plus Az"[1-9][0-9]". So I first completed that pattern for the existing base words with raw-md4. Then I collected all the base words from raw-md4 and started to test these base words with rules Az"[1-9][0-9]" on the bcrypt hashes. Soon the first bcrypt passwords were cracked. Due to my weak hardware, I asked on the mailing list for help to complete the task on more powerful hardware. Lukas ran that on bull, and it resulted in several hundred new bcrypt cracks.

Later on I identified the image #11 as a picture of the Eaglescliffe Chromium factory, but I don't think it helped us in cracking any hashes. (After the contest I managed to reduce the number of uncracked mscash hashes from 616 to 7.)

Like many others, I tried to solve the #4 mystery. Because others had tried names of fruits and vegetables, I tried to use the output of strings 4.png as an input word list, but had no luck.

When Lukas suggested to try more topic related words on bcrypt, I first experimented on raw-md4, and reported the "base words" that worked on the mailing list, so that Lukas could try them on bcrypt.

After somebody cracked a bcrypt hash with 123qwe, I tried some keyboard patterns, but without luck. As it turned out, the real pattern instead was: raw-md5 passwords with lower case a and e, but all other letters upper case cracked bcrypt hashes when converted to lower case.

When I ran out of ideas what else to try for bcrypt, Solar suggested that we try to crack more keccak hashes because of their value compared to the cost. That's when I fetched the latest bleeding revision (so far I always used unstable), applied obvious patterns (duplicate words, appending 1 or 2 digits, leetifying words with sa@...si1so0ss5st+Q) to base words that have been used to crack keccak hashes. Then I tried the same patterns with some larger word lists (rockyou, facebook names, all passwords found for other hash types).

Alexander tried my suggested rule sa@...si1so0ss5st+Q (I found one more substitution, sz2, only after the contest) against some larger word lists and uploaded a pot file less than 15 minutes before deadline. The last 2 lines contained 2 raw-md5 passwords: M00nl1gh+69 and M00nl1gh+83. This allowed me to crack another 88 raw-md4 hashes and upload my final pot file 8 minutes before the deadline.

Summary: I'd like to thank the organizers for such an interesting contest. We really worked as a team, helping each other in many ways. The most frustrating part probably was not being able to crack a single sha256crypt hash, despite trying hard. (Only after the contest we managed to find sha256crypt passwords.) I couldn't participate as much as I would have liked, had much less hardware resources than I wished I had. But despite that, I think my contribution was OK.

Frank
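
The derivation patterns reported in this write-up (a base word, leet substitutions, a doubled word, one or two appended digits, mixed case) can be turned into a screening check for new passwords. The following is an added example, not part of the original message or of John the Ripper; `canon`, `weak_base` and the sample base-word list are assumptions, and only the substitutions visible in the message are used because the rule string is partly redacted in the archive.

```python
# Password-change filter sketch: reject passwords that reduce to a known base
# word once the mangling described in the message is undone.

# Leet character -> letter, limited to the pairs visible in the message
# (sa@, si1, so0, ss5, st+, sz2).
LEET = str.maketrans({"@": "a", "1": "i", "0": "o", "5": "s", "+": "t", "2": "z"})


def canon(word):
    """Fold case and undo the leet substitutions so variants compare equal."""
    return word.lower().translate(LEET)


def weak_base(password, base_words):
    """Return the base word the password derives from, or None."""
    # Base words go through the same folding, so an all-digit base such as
    # "12345678" still matches after its digits are mapped to letters.
    bases = {canon(b): b for b in base_words}
    for n in (0, 1, 2):  # no suffix, or one or two appended digits
        stem, tail = (password[:-n], password[-n:]) if n else (password, "")
        if not stem or (n and not tail.isdecimal()):
            continue
        c = canon(stem)
        if c in bases:
            return bases[c]
        half = len(c) // 2
        # Doubled word, e.g. "blueblue"
        if len(c) % 2 == 0 and c[:half] == c[half:] and c[:half] in bases:
            return bases[c[:half]]
    return None


# Constructed sample list; a real deployment would load a denylist of common
# and topic-related words.
SAMPLE_BASES = ["moonlight", "12345678", "blue", "orange"]

if __name__ == "__main__":
    for pw in ["M00nl1gh+69", "1234567842", "blueblue7", "ORaNGe", "x9!fK#2mQw"]:
        print(pw, "->", weak_base(pw, SAMPLE_BASES))
```

Digits are stripped before the leet folding so that a suffix such as `69` is not itself read as substituted letters.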