Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALd0CS2cOFzC8b68p6wyrBMtwSMxkDiBRGMgJ_-cVkTk0U6mjw@mail.gmail.com>
Date: Mon, 25 May 2015 10:36:47 +0200
From: Rafael Carnicer Torres <rafaelcarnicer@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: team john-users write-up for PHDays Hash Runner 2015 contest

Good work team! Congratulations!
I wait participate in the next one!
Regards
El 25/05/2015 06:10, "Aleksey Cherepanov" <lyosha@...nwall.com> escribió:

> Team john-users participated in PHDays Hash Runner 2015 contest. We've
> got the second place quite close to the first. We even led during a
> short period of time in the middle of the contest.
>
> Team        Cracked percent of total points
> hashcat        28.19%
> john-users     27.69%
> InsidePro      24.40%
> CynoSure_Prime 21.22%
> ktxrunner       1.09%
>
> A pretty graph:
> https://hashrunner.phdays.com/scoreboard_graph/
>
>
> Software used: John the Ripper bleeding-jumbo[1] (with various
> patches), custom scripts to handle hashes during the contest,
> wikigen[2] to scrap Wikipedia pages (used by csec only)
>
> [1] https://github.com/magnumripper/JohnTheRipper/
> [2] https://github.com/zombiesam/wikigen
>
>
> Hardware: ~100 CPU cores, ~10 GPUs, 1 Xeon Phi, 2 FPGAs used on average
> during the 72-hour period.
>
> We did not load our hardware most of the time so it is an inaccurate
> estimation of average usage of hardware.
>
>
> Members:
> Agnieszka Bielec aka Eternal
> Aleksey Cherepanov
> Bill E. Ghote
> ch3root
> csec
> Dhiru Kholia
> elijah[w&p]
> Frank
> hydrajump
> jvoisin
> kai
> Katja Malvoni
> lei
> magnum
> math07
> Matt Weir
> metiger
> Nugget
> Sayantan Datta
> sftp
> Solar Designer
> trebla
> ukasz
>
> We had 23 members (including 10 new members). But only some of them
> were able to dedicate 3 full days to the contest, so 8 most active
> members brought 95% of our cracks.
>
>
> The contest was a lot of fun (and a lot of coding this time). We tried
> some recently added code, found some bugs and even published new code
> during the contest and right after the contest. So the contest
> improved our main tool - John the Ripper.
>
> Below, there is a short write up of our adventures during 3 crazy days
> of the contest.
>
> Before the contest we already had POMELO format implemented by Eternal
> as part of Google Summer of Code 2015 that Openwall participates in.
> Also Eternal implemented another PHC Finalist: Parallel. So we had
> regular and OpenCL versions, but we did not meet Parallel hashes
> during the contest. I implemented --show=types option before the
> contest to handle hashes this time. Also it is useful for Johnny the
> GUI for John the Ripper.
>
> I made an awful start: I picked 3.txt and extracted LMs and raw-md5
> hashes for the team. I made a lot of mistakes: wrong regexps, not all
> LMs were extracted, 3.txt contained other types of hashes too... Such
> poor start forced Solar Designer to take the coordination.
>
> We were not able to setup our upload script for quite long. Though at
> the end, we had automatic uploads, thanks to ch3root!
>
> The team worked hard. There were a lot of active members and they
> helped each other so cracking went well. Passwords with unicode chars
> and even control chars (like escape char in one LM) were found.
> Dolphins turned out to be easy and we cracked all of them. We got
> bonus hashes for 2, 3, 6, 7, 8 and 9 tasks. GOST 2012 and lineage
> hashes were very fast and had high prices so we attacked them quite
> much.
>
> We used the two FPGAs on bcrypt only, and ended up wasting them since
> we never figured out what SHA family function or the like and with
> what encoding and possibly an HMAC key the contest organizers might
> have been supplying as input to bcrypt. We tested many possibilities
> with lists of common passwords and with lists of previously cracked
> passwords (from other hash types in the contest), but with no luck.
> This distracted two of our team members from other participation in
> the contest quite a bit.
>
> 3 days of the contest allowed us to work on the coding challenges
> quite comfortably:
>
> - pomelo: turned out to hash pointers. Eternal investigated it. We
>   reported that to orgs and did not try to crack them.
>
> - pufferfish: turned out to be hashes of empty password. Eternal,
>   Dhiru Kholia and then I checked them and reported to orgs. Orgs
>   fixed that and we cracked 1 hash.
>
> - GOST-34.11-2012 (stribog): it was implemented by Dhiru Kholia early
>   in the contest.
>
> - lotus8.1 and pbkdf2-hmac-md5 were implemented by Dhiru Kholia during
>   the contest and pushed into bleeding-jumbo branch on github.
>
> - dolphin/scrypt: 15 hashes (of 226) were rejected by john, ch3root
>   fixed that patching john.
>
> - lineage: it is a plain sha512crypt with salts generated from
>   passwords (using custom la_encrypt()), so they are not really salted
>   and full computation is not needed to reject most of wrong
>   candidates, I implemented a format for john.
>
> - wonderful: Dhiru Kholia implemented a format for john for these
>   tricky hashes with a lot of types including md5($p,$s), md5($s,$p),
>   md5(md5($p),$s) and a lot of other combinations involving 4 hashing
>   algorithms. Some types involved custom code in php. The code
>   contained a mistake: hashes of the type with DO_XOR flag and not
>   with HMAC flag accept any password and any salt. Only one conclusion
>   may be made: don't use your own custom hashing algorithm in php,
>   such hashes may be very weak! You may use phpass hashing library.
>
> - hashcoin: there are hashes with passwords like p1 for hash1, p1p2
>   for hash2, p1p2p3 for hash3 (where p1, p2, p3 were chosen randomly
>   from a set of ~1G elements), such chaining mimics block chains in
>   crypto coins. I implemented a "miner" in C and we got 1400+
>   hashcoins at speed ~3 hashes / minute. While I made the miner quite
>   early (more than 24 hours before the end), I failed to run it long
>   enough because I intended to optimize it to crack all hashcoins.
>   Just running it all the time would be enough for the first place
>   with a decent gap, so I think it is my personal fault that we are
>   only the second.
>
> Thanks to organizers for such great contest!
>
> Thanks to other teams for the tough competition!
>
> Thanks to all john-users members for participation!
>
> --
> Regards,
> Aleksey Cherepanov
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.